Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

[Perry E. Metzger]

On Thu, 23 Oct 2014 20:59:56 +0200 Florian Weimer <address@hidden>
wrote:
> * Perry E. Metzger:
> 
> > On Thu, 23 Oct 2014 20:43:32 +0200 Florian Weimer
> > <address@hidden>
> >> Keep in mind that TLS 1.0 basically has the same problem as SSL
> >> 3.0, and support for protocols beyond TLS 1.0 is not actually
> >> widespread.
> >
> > Connections to most of the top sites are TLS 1.2 at this point.
> > Google is TLS 1.2. Facebook is TLS 1.2. Amazon is TLS 1.2. Apple
> > is TLS 1.2. I could go on and on.
> 
> Many IMAP servers running on free software still use OpenSSL 1.0.0
> or even OpenSSL 0.9.8, which do not support TLS 1.2.
> Interoperability with those should be our priority, not the
> proprietary services you listed.

Free software has supported TLS 1.2 for a long time. What you're
claiming is that you know of loads of people who have failed to
upgrade their software -- but it is of course easy to upgrade if
you run free software, because nothing prevents you from getting
updated packages. Yes, the OLD versions of the packages don't support
TLS 1.2, but the new packages are readily available.

Anyway, this attitude is why the NSA has such an easy time spying on
the world. "We can't afford to have security, people might get
inconvenienced for the length of time needed to upgrade their
systems."

The intelligence agencies thank you for your inadvertent assistance
in assuring that various kinds of downgrade, padding and other attacks
will remain feasible for years to come.

Perry
-- 
Perry E. Metzger                address@hidden