[nSLUG] LTS considered harmful

George N. White III gnwiii at gmail.com
Sat Mar 11 12:01:21 AST 2017


Last year, Obama issued an order that all US Gov't public-facing web
servers use https. It seems this also affects public-facing web servers
operated by contractors, such as hdfgroup.org. The NASA systems I use are
configured to "Mozilla Modern" standards
(https://wiki.mozilla.org/Security/Server_Side_TLS):

"For services that don't need backward compatibility, the parameters below
provide a higher level of security. This configuration is compatible with
Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9,
Android 5.0, and Java 8."

As the hackers move to softer targets in other countries, similar
configurations are going to be needed in Canada.

This list omits many real-world clients (python scripts, git, etc.), so in
practice, Ubuntu 14.04 (LTS) support for https in git doesn't work because
git was built with a libcurl that uses an old GnuTLS library. Many sites
ran into trouble because they aren't allowed to upgrade LTS Linux until
year 5, nor are they supposed to replace vendor-supplied tools. Linux was
not alone in being caught using obsolete libraries; the Python ssl module
on current macOS is linked to a very old OpenSSL library.

Given the current security environment, a 5-year "LTS" model doesn't work
for systems that need to connect to internet servers. Firefox, Chrome, and
Java provide their own TLS implementations. Anaconda Python includes newer
TLS libraries with tools such as git and curl. Maybe it is time to have
"Mozilla Modern network tools for LTS Linux".

-- 
George N. White III <aa056 at chebucto.ns.ca>
Head of St. Margarets Bay, Nova Scotia
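An added self-check (not part of George's post) for the problem he describes: it reports which TLS backend the installed curl was built against and what the running Python's ssl module can negotiate, the inventory an admin would want before a server moves to a Modern-style profile. The `curl -V` sample line is constructed here (modelled on a 2014-era LTS host), the cipher string is a constructed ECDHE/AEAD-only selection rather than Mozilla's exact list, and the only version floor applied is OpenSSL 1.0.1, the release in which TLS 1.2 first appeared.

```python
import re
import ssl
import subprocess

# Constructed sample, modelled on what `curl -V` prints on a 2014-era LTS host.
SAMPLE_CURL_V = "curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 GnuTLS/2.12.23 zlib/1.2.8\n"

BACKEND_RE = re.compile(r"\b(OpenSSL|LibreSSL|GnuTLS|NSS|BoringSSL)/([0-9][0-9A-Za-z.]*)")


def parse_version(text):
    """'1.0.1f' -> (1, 0, 1); letter suffixes and extra components are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def tls12_capable(backend, version):
    """True/False where the floor is known, None where it is not.
    OpenSSL gained TLS 1.2 in 1.0.1; other backends are deliberately not judged here."""
    if backend == "OpenSSL":
        return parse_version(version) >= (1, 0, 1)
    return None


def curl_backend(curl_output):
    """Extract the TLS backend and version from the first line of `curl -V`."""
    m = BACKEND_RE.search(curl_output.splitlines()[0])
    if not m:
        return None
    backend, version = m.group(1), m.group(2)
    return {"backend": backend, "version": version, "tls12": tls12_capable(backend, version)}


def python_tls_report(modern_ciphers="ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"):
    """What this interpreter's ssl module can offer a server that only accepts
    ECDHE key exchange with AEAD ciphers (constructed Modern-style selection)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(modern_ciphers)
        suites = [c["name"] for c in ctx.get_ciphers()]
    except ssl.SSLError:  # the linked library has none of the requested suites
        suites = []
    return {
        "library": ssl.OPENSSL_VERSION,
        "tls12": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        "modern_suites": suites,
    }


def live_curl_report():
    """Inspect the installed curl, if any; None when curl is not on PATH."""
    try:
        out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return curl_backend(out) if out else None


if __name__ == "__main__":
    print(python_tls_report())
    print(curl_backend(SAMPLE_CURL_V))  # the constructed LTS-era line
    print(live_curl_report())           # this host's actual curl
```

A host where `modern_suites` comes back empty or `tls12` is False has the exact failure mode described above: its vendor tools cannot reach a server that only speaks the Modern profile.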