Legacy option for key length?

Michael Ströder michael at stroeder.com
Mon Jan 1 23:18:28 AEDT 2018


David Newall wrote:
> On 01/01/18 04:58, Emmanuel Deloget wrote:
>> The idea of removing weak ciphers from a widely used piece of software is
>> a good one - that way, you strengthen the whole ecosystem. Going the
>> reverse path would simply make less informed people be the weak link
>> of the
>> Internet, putting possibly many more at risk.
> 
> This doesn't make the Internet more secure because people aren't about
> to throw away expensive equipment just because the latest openssh throws
> a hissy fit.  They'll use an alternative.  Perhaps the alternative will
> be an older, less secure version of openssh. Perhaps it will be even
> less secure telnet.  They will continue to use their still-good
> equipment, and so they should.

Hmm, if the vendor does not provide updates to more recent cipher
strengths (already available for many years!) then it's very
questionable whether the equipment is "still-good".

Did you even try to ask the equipment's vendor for an update?
If yes, what was the outcome?

If there are no updates and being in your situation I would be really
concerned about other security issues buried in such unmaintained
systems. And most of my customers have a policy to sort out components
not maintained by the vendor anymore.

Ciao, Michael.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3829 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180101/c7fd3680/attachment-0001.p7s>


More information about the openssh-unix-dev mailing list