
Re: bacula and TLS



On Oct 9, 2014, at 18:38 , J. Lewis Muir <jlmuir%imca-cat.org@localhost> wrote:
> On 10/9/14 11:14 AM, Havard Eidnes wrote:
>> Is there a particular reason SSL encryption isn't turned on by default
>> where it can? 

> Another reason might be that it increases the dependencies for the package.

Generally, OpenSSL is included in base on most OSes.
 
> Another reason might be to avoid linking with OpenSSL since it has had a
> difficult security track record, and linking against it could be seen as
> a security liability.

I find this argumentation a bit weird? 

It sounds like you are arguing that using no encryption whatsoever "might" be safer for the user, because the way encryption is provided is through using a library that has had some serious vulnerabilities (which, btw., because of that, already got more traction and both more funding and resources to shape up the project [1]).

Even other "high profile" security software like OpenSSH doesn't have a close-to-zero security track record [2] (well, nothing in there as bad as the "heartbleed" bug), but I would never suggest or argue that it could be safer to go back to non-encrypted Telnet just because there have been 30+ security issues in OpenSSH.

[1] 24-Jun-2014: Team status changes including six new development team members
    (https://www.openssl.org/about/)
    30-Jun-2014: Project roadmap released
    (https://www.openssl.org/about/roadmap.html)

[2] http://www.openssh.com/security.html
