Fedora 29 To Further Strengthen Crypto Settings

  • #1

    Phoronix: Fedora 29 To Further Strengthen Crypto Settings

    One of the latest planned features for Fedora 29 is to update the system-wide cryptography policy...

    http://www.phoronix.com/scan.php?pag...tronger-Crypto

  • #2
    I can see an immutable "Old Vender" VM window thing - where they just have old versions of browsers with Java and Flash installed.

    Why?

    Old IT gear. Old vender gear that used to have state-of-the-art out-of-band management that requires a given version of Java 5 or Flash.

    This will be the legacy of vender lock-in.



    • #3
      The problem is that the user doesn't always have the choice of the crypto algorithm he has to use. I happened to work in companies that were still using MD5 for storing passwords. I agree that it's a huge security risk to use that algorithm nowadays, but without it, I would not be able to work remotely. So, in the end, I would not use Fedora 29 because it would not be compatible with my work's (old) security policies.

      Unless the old algorithms are available in a "compat" package.



      • #4
        Originally posted by boxie:
        I can see an immutable "Old Vender" VM window thing - where they just have old versions of browsers with Java and Flash installed.

        Why?

        Old IT gear. Old vender gear that used to have state-of-the-art out-of-band management that requires a given version of Java 5 or Flash.

        This will be the legacy of vender lock-in.
        It's already like this for industrial automation, everyone has a VM with the old software running in an old Windows version they use to communicate with 10-year-old or older industrial equipment.

        I would not call out of band management using flash or java "state of the art", it was a piece of shit even when it was new, breaking left and right at any update of java/flash or the OS or whatever and requiring hacks or workarounds. Many people used VMs or dedicated PCs (that would NOT be updated) even when they were "supported".

        Also "vender" --> "vendor"



        • #5
          Originally posted by Creak:
          The problem is that the user doesn't always have the choice of the crypto algorithm he has to use. I happened to work in companies that were still using MD5 for storing passwords. I agree that it's a huge security risk to use that algorithm nowadays, but without it, I would not be able to work remotely. So, in the end, I would not use Fedora 29 because it would not be compatible with my work's (old) security policies.

          Unless the old algorithms are available in a "compat" package.
          Fedora isn't targeting this kind of userbase. There is RHEL for that.



          • #6
            Yeah, as good as it is to disable older versions of protocols, it does come with problems. About a year ago, we did a major upgrade for a piece of enterprise software for a client... and it turned out that part of the upgrade included the webserver disabling TLS 1.1 by default. Not a problem for the human users, but it turned out the client was running a bunch of adapter code that was old enough to not support TLS 1.2... and which suddenly was unable to talk to the upgraded servers.

            It was apparently quite an argument, over whether the old code should be fixed for modern compatibility, or whether the server should be configured to re-enable the less-secure protocols... I *think* security won in the end...



            • #7
              Originally posted by Creak:
              The problem is that the user doesn't always have the choice of the crypto algorithm he has to use. I happened to work in companies that were still using MD5 for storing passwords. I agree that it's a huge security risk to use that algorithm nowadays, but without it, I would not be able to work remotely. So, in the end, I would not use Fedora 29 because it would not be compatible with my work's (old) security policies.

              Unless the old algorithms are available in a "compat" package.
              From the wiki page, it looks like the user can easily re-enable the legacy crypto algorithms with:

              Code:
              update-crypto-policies --set LEGACY
              https://fedoraproject.org/wiki/Chang...ryptoSettings2

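As an added example (not code from the thread or from the Fedora project): a small POSIX shell audit helper built around the same update-crypto-policies switch, reporting hosts where LEGACY was set and left on. It assumes the active policy name is stored in /etc/crypto-policies/config; the path is a parameter so the logic can be run against a constructed file.

```sh
#!/bin/sh
# Added example, not from the thread or the Fedora project: audit helper for the
# system-wide crypto policy that "update-crypto-policies --set LEGACY" changes.
# Assumption: the active policy name is stored in /etc/crypto-policies/config;
# the path is a parameter so the logic can be exercised on a constructed file.
POLICY_FILE="${POLICY_FILE:-/etc/crypto-policies/config}"

# Print the active policy name: the first non-blank, non-comment line.
current_policy() {
    file="${1:-$POLICY_FILE}"
    [ -r "$file" ] || { echo "UNREADABLE"; return 1; }
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
        | head -n 1 | tr -d '[:space:]'
}

# Classify a policy name for an audit report. LEGACY is reported as a finding
# because it re-enables the protocols and algorithms the newer defaults disable;
# it is the "compat" option discussed in the thread.
policy_verdict() {
    case "$1" in
        LEGACY)          echo "FINDING: LEGACY crypto policy is active" ;;
        DEFAULT|FUTURE)  echo "OK: $1 crypto policy is active" ;;
        *)               echo "UNKNOWN: unrecognised policy '$1'" ;;
    esac
}

# One-line verdict for a host, suitable for collecting across a fleet.
audit_policy() {
    policy_verdict "$(current_policy "$1")"
}

# Reverting is done with the distribution tool, not by editing the file, since
# the tool regenerates the per-library back-end configuration:
#   update-crypto-policies --set DEFAULT && update-crypto-policies --show
if [ "${1:-}" = "--audit" ]; then
    audit_policy "$POLICY_FILE"
fi
```

Run it as "sh audit.sh --audit" on a host, or source it and call audit_policy with an alternate file path.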


              • #8
                Originally posted by starshipeleven:
                It's already like this for industrial automation, everyone has a VM with the old software running in an old Windows version they use to communicate with 10yo or older industrial equipment.

                I would not call out of band management using flash or java "state of the art", it was a piece of shit even when it was new, breaking left and right at any update of java/flash or the OS or whatever and requiring hacks or workarounds. Many people used VMs or dedicated PCs (that would NOT be updated) even when they were "supported".

                Also "vender" --> "vendor"
                That's why I was thinking there is going to be a ready-made "virtual" - it would certainly be helpful instead of hunting around for old install disks and old versions when you find yourself needing one.

                As for vender vs vendor - yes, I should have used vendor.
