in reply to daniel:// stenberg://

Is this the announcement that curl has been bought by Oracle? 😄
in reply to daniel:// stenberg://

Running on 8 billion devices on 2 planets 🥹 Congratulations... that is so crazy!
in reply to daniel:// stenberg://

Had same idea after reading "curl on 100 operating systems".
3 billion, 8 billion, to the moon and beyond 🚀

https://mas.to/@ml/111413766341684770

in reply to daniel:// stenberg://

That screenshot is from a time when windows was actually a half-decent OS. Long gone.
in reply to words_number

@words_number the listed products in the window also kind of hints of a time long gone...
in reply to daniel:// stenberg://

So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?

#RhetoricalQuestion

in reply to daniel:// stenberg://

It probably will not be a problem in practice because the machines will die at some point and have to be replaced with more modern kit and software. Also, there is a lot of financial incentive to not replace them if they are still working.

The scenario is that a server upgrades to use a new cipher-suite but the curl does not understand it. In theory, the server should allow a cipher-suite downgrade but there is no guarantee they will.

A vendor could force new sales.

"Sorry, but your machine is too old to patch, you need to replace. See our sales brochure"

There must be a lot of folk that are not in position to upgrade their linux kit too.

https://www.zdnet.com/article/linux-4-14s-long-term-support-will-live-on-after-all-thanks-to-this-alliance/

in reply to SpaceLifeForm

@SpaceLifeForm lots of devices and services die all the time when they cannot be updated but the services they need to connect to, upgrade and require a more modern protocol, cipher or handshake. It's not new and it's not special for curl. Even things that actually *can* be upgraded will be abandoned because it is not financially beneficial. For example mobile phones.
in reply to daniel:// stenberg://

curl however doesn't strictly honor cert chains; it only matches the first CA (not the root CA) in the trust store. I therefore think it's wildly insecure for applications requiring SSL.
in reply to klutzagon

@klutzagon I mean, if there is a matching trusted CA, that should mean trust the cert, am I wrong?
in reply to Proxfox Virtual Environment 🦊

@tay it should validate every CA up the chain, up to and including the root CA (trust anchor), not just the issuing intermediate CA.
in reply to klutzagon

@klutzagon @tay when you post your change proposal to the curl dev team about this, please remember to detail the attack surface you remove with this. Thanks.