bug-wget

Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified


From: Christoph Anton Mitterer
Subject: Re: [Bug-wget] please remove SSLv3 from being used until explicitly specified
Date: Fri, 17 Oct 2014 17:56:07 +0200

Hey.

On Thu, 2014-10-16 at 19:01 +0200, Tim Rühsen wrote: 
> Thanks for your input.
> 
> We are just discussing that issue (and of course anybody is invited to take 
> part here on the list).
Sorry, I only saw that one afterwards :)


> While we (developers) could change the code in a few minutes, there might be 
> side effects that we (or others) don't want. At least we need an agreement 
> with the maintainers on what the optimal strategy looks like.
Well, I personally always think about it this way:
If someone uses e.g. https on a product, he doesn't want data just to be
transferred and things-working™, he wants to have it secured.
Because if he just wants things-working™, he could/should have used plain
http instead.

Now it seems that SSLv3 is basically broken now, which means that all
people that intentionally used e.g. https, because they wanted security,
don't get this anymore - and for them it's typically better that things
stop working immediately and they can react, instead of things going on
insecurely, just to please those users who actually misused https,
because they didn't care for the security and should have used http in
the first place.

That's why I think it's better to deactivate it without much
consideration for those who shouldn't use TLS/SSL anyway... instead of
letting those suffer who intentionally chose it because security is more
important for them.


> If you are *really* in a hurry, patch the source yourself.
> But I guess the distribution maintainers will provide patches in the next few 
> days.
Regarding the maintainers: I've recently had a discussion about such
questions on Debian, and while I don't know the attitude of their wget
maintainers, it seemed that many people pressed for "distros should at
first do nothing and wait for what upstream does".


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

