So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?
It probably will not be a problem in practice because the machines will die at some point and have to replaced with more modern kit and software. Also, there is a lot of financial incentive to not replace if they are still working.
The scenario is that a server upgrades to use a new cipher-suite but the curl does not understand it. In theory, the server should allow a cipher-suite downgrade but there is no guarantee they will.
A vendor could force new sales.
"Sorry, but your machine is too old to patch, you need to replace. See our sales brochure"
There must be a lot of folk that are not in position to upgrade their linux kit too.
@SpaceLifeForm lots of devices and services die all the time when they cannot be updated but the services they need to connect to, upgrade and require a more modern protocol, cipher or handshake. It's not new and it's not special for curl. Even things that actually *can* be upgraded will be abandoned because it is not financially beneficial. For example mobile phones.
@klutzagon @tay when you post your change proposal to the curl dev team about this, pleas remember to detail the attack surface you remove with this. Thanks.
Yaksh Bariya
in reply to daniel:// stenberg:// • • •Luca
in reply to Yaksh Bariya • • •Exactly what I thought. 8 billion… just? 🤔
daniel:// stenberg://
in reply to Luca • • •Lukas
in reply to daniel:// stenberg:// • • •Stefan Eissing
in reply to daniel:// stenberg:// • • •CgX
in reply to daniel:// stenberg:// • • •Brad Martin
in reply to daniel:// stenberg:// • • •Peter Bindels
in reply to daniel:// stenberg:// • • •Erik Ableson
in reply to daniel:// stenberg:// • • •Martin Hamilton ☎️9668@39C3
in reply to daniel:// stenberg:// • • •daniel_ferradal_marquez
in reply to daniel:// stenberg:// • • •Demiurg
in reply to daniel:// stenberg:// • • •Cegorach
in reply to daniel:// stenberg:// • • •ml
in reply to daniel:// stenberg:// • • •Had same idea after reading "curl on 100 operating systems".
3 billion, 8 billion, to the moon and beyond 🚀
mas.to/@ml/111413766341684770
ml (@ml@mas.to)
mas.towords_number
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to words_number • • •Jima
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to Jima • • •SpaceLifeForm
in reply to daniel:// stenberg:// • • •So, if the machines can not auto-update to a newer curl that supports new cipher-suites, and the platform is 32-bit windows, what do you think will happen?
#RhetoricalQuestion
daniel:// stenberg://
in reply to SpaceLifeForm • • •SpaceLifeForm
in reply to daniel:// stenberg:// • • •It probably will not be a problem in practice because the machines will die at some point and have to replaced with more modern kit and software. Also, there is a lot of financial incentive to not replace if they are still working.
The scenario is that a server upgrades to use a new cipher-suite but the curl does not understand it. In theory, the server should allow a cipher-suite downgrade but there is no guarantee they will.
A vendor could force new sales.
"Sorry, but your machine is too old to patch, you need to replace. See our sales brochure"
There must be a lot of folk that are not in position to upgrade their linux kit too.
zdnet.com/article/linux-4-14s-…
Linux 4.14's long-term support will live on after all, thanks to this alliance
Steven Vaughan-Nichols (ZDNET)daniel:// stenberg://
in reply to SpaceLifeForm • • •daniel:// stenberg://
Unknown parent • • •taylor
Unknown parent • • •Latt Hsiang
in reply to daniel:// stenberg:// • • •