Re: Time to deprecate TLS 1.0 and 1.1 ?
From: Demi Marie Obenour <demiobenour_at_gmail.com>
Date: Sat, 12 Jul 2025 13:50:19 -0400
On 7/11/25 06:16, Jeffrey Walton via curl-library wrote:
> On Fri, Jul 11, 2025 at 6:10 AM Daniel Stenberg via curl-library
> <curl-library_at_lists.haxx.se> wrote:
>>
>> On Fri, 11 Jul 2025, Timothe Litt via curl-library wrote:
>>
>>> bricking hardware by making it impossible to access them will not make you
>>> any friends....
>>
>> First, if this change would *brick* a device that would be entirely because of
>> stupid engineering and not because of curl.
>
> It has been my experience that US DoD, US Federal and US Medical could
> encounter problems. That's because of the cost associated with
> certifying devices. It does not have anything to do with bad
> engineering.
I actually disagree. If the firmware on a device can never be updated,
there should be a formal proof that nothing can access the device without
authentication. Moving the network stack to a separate chip and using
a formally verified implementation of the cryptographic protocols is one
way to do that.
Received on 2025-07-12
-- Sincerely, Demi Marie Obenour (she/her/hers)