@SpaceLifeForm lots of devices and services die all the time when they cannot be updated but the services they need to connect to, upgrade and require a more modern protocol, cipher or handshake. It's not new and it's not special for curl. Even things that actually *can* be upgraded will be abandoned because it is not financially beneficial. For example mobile phones.
curl however doesn't strictly honor cert chains; it only matches the first CA (not the root CA) in the trust store. I therefore think it's wildly insecure for applications requiring SSL.
@klutzagon @tay when you post your change proposal to the curl dev team about this, please remember to detail the attack surface you remove with this. Thanks.
Yaksh Bariya
in reply to daniel:// stenberg://

Luca
in reply to Yaksh Bariya
Exactly what I thought. 8 billion… just? 🤔

daniel:// stenberg://
in reply to Luca

Luca
in reply to daniel:// stenberg://
🤣👍

Lukas
in reply to daniel:// stenberg://

Stefan Eissing
in reply to daniel:// stenberg://

CgX :oh_no:
in reply to daniel:// stenberg://

Brad Martin
in reply to daniel:// stenberg://

Fuji
in reply to daniel:// stenberg://
cool :)
what #software is in the 2nd place?

Peter Bindels
in reply to daniel:// stenberg://

Erik Ableson
in reply to daniel:// stenberg://

Martin Hamilton
in reply to daniel:// stenberg://

daniel_ferradal_marquez
in reply to daniel:// stenberg://

Demiurg
in reply to daniel:// stenberg://

Cegorach
in reply to daniel:// stenberg://

ml
in reply to daniel:// stenberg://
Had same idea after reading "curl on 100 operating systems".
3 billion, 8 billion, to the moon and beyond 🚀
https://mas.to/@ml/111413766341684770

words_number
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to words_number

Jima :Compromise_bi_flag:
in reply to daniel:// stenberg://

daniel:// stenberg://
in reply to Jima :Compromise_bi_flag:

SpaceLifeForm
in reply to daniel:// stenberg://
So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?
#RhetoricalQuestion

daniel:// stenberg://
in reply to SpaceLifeForm

SpaceLifeForm
in reply to daniel:// stenberg://
It probably will not be a problem in practice because the machines will die at some point and have to be replaced with more modern kit and software. Also, there is a lot of financial incentive to not replace if they are still working.
The scenario is that a server upgrades to use a new cipher-suite but the curl does not understand it. In theory, the server should allow a cipher-suite downgrade but there is no guarantee they will.
A vendor could force new sales.
"Sorry, but your machine is too old to patch, you need to replace. See our sales brochure"
There must be a lot of folk that are not in a position to upgrade their Linux kit too.
https://www.zdnet.com/article/linux-4-14s-long-term-support-will-live-on-after-all-thanks-to-this-alliance/
Linux 4.14's long-term support will live on after all, thanks to this alliance
Steven Vaughan-Nichols (ZDNET)

daniel:// stenberg://
in reply to SpaceLifeForm

klutzagon
in reply to daniel:// stenberg://

Proxfox Virtual Environment 🦊
in reply to klutzagon

klutzagon
in reply to Proxfox Virtual Environment 🦊

daniel:// stenberg://
in reply to klutzagon

Latt Hsiang
in reply to daniel:// stenberg://