Re: CUPS is now linked against OpenSSL
On Tue, 14 Jan 2014, Jakub Wilk wrote:
> * Daniel Kahn Gillmor <email@example.com>, 2014-01-13, 23:03:
> >if the only axis we're measuring along is cryptographic security,
> >then protecting against passive attackers (eavesdroppers) is
> >clearly better than not doing so.
> >but if people think that CUPS' TLS protects them against active
> >attackers, and they use that to do things like send confidential
> >information over the link, they have been lulled into a false
> >sense of security.
> Hear, hear.
> So, how would people feel about the following policy:
> TLS clients must either:
> - validate server certificates;
> - or prominently document that they don't do that?
As in log "unsafe TLS connection to <foo>"?
Because anything less than that would not be effective at all.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot