- From: Chris Palmer <palmer@google.com>
- Date: Wed, 22 Oct 2014 11:01:32 -0700
- To: David Rogers <david.rogers@copperhorse.co.uk>
- Cc: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Oct 22, 2014 at 2:30 AM, David Rogers <david.rogers@copperhorse.co.uk> wrote: > ...ok. Back in the real world - what you really need is to be able to have a mechanism to reliably identify the device and therefore be able to take a decision on whether it is insecure for whatever reason. Abandonment is going to happen anyway (I've seen plenty of open source projects abandoned too!). If it is critically insecure there are effective mechanisms that have worked in the browser world (for example blocking IE6 on websites) to stop it accessing the internet and that change user behaviour in a good way. Yeah, about IE 6 (and Windows XP < SP3)... those are great examples of things that should have gone away a long time ago, and support the argument in favor of device self-euthanasia. Precisely because we are saddled with them, we can't move forward: no SNI, no SHA-256 for certificate signatures... Not that it matters, since Microsoft has not been patching (or even able to patch) many, many vulnerabilities in a product that old. (Many patches make it into >= 7, or even >=8, only. And I don't blame MS one bit for that.) Even just dropping all support for SSL v3 (now fully, entirely dead) and RC4 is not a decision that a sane person takes lightly. And those things are older than IE6! > Having some sort of suicide pill for a device is dangerous from a security perspective and isn't acceptable for purchasers. Enjoy your RC4 in 2025, then. :) Look, we all agree that self-euthanasia (or, less drastically, self-capability-reduction) is not ideal. But the alternative is a commitment to fully support devices for 10+ years. I'd love it if everyone did that.
Received on Wednesday, 22 October 2014 18:01:59 UTC