Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

[Matt Palmer <mpalmer () hezmatt org>]

On Fri, Jul 17, 2015 at 07:14:17PM +0000, Michael O Holstein wrote:
> > making 99% of the web secure is better than keeping an old 1% working
>
> A fine idea, unless for $reason your application is among the 1% ..
> nevermind the arrogance of the "I'm sorry Dave" sort of attitude.

First they came for SSLv2, and I said nothing because...

> As an example .. we have a vendor who, in the current release (last 3
> months) still requires "weak" ciphers in authentication responses.  That
> was mostly okay until another vendor (with more sense) wanted to auth the
> same way but only permitted strong ciphers.

So get up your vendors to update their stuff, and *preferably* before a
super-critical hole is found in protocols that should have ideally died a
natural death years ago.  TLS 1.2, AES, and SHA-256 aren't exactly "OMFG
new!" at this stage of the game.

Also, take this as a learning experience: next time, make sure RFPs and
contracts include an undertaking to maintain compatibility with reasonably
recent standards, and financial penalties for the vendor if their failure to
do so results in operational problems for you.

- Matt

-- 
aren't they getting rarer than amigas now?  just without all that fuzzy
"good times" nostalgia?
                -- Ron Lee, in #debian-devel, on Itanic