Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted: 2014-08-19
📝 Original message:
On Tue, Aug 19, 2014 at 9:07 AM, Justus Ranvier
<justusranvier at riseup.net> wrote:
> If that's not acceptable, even using TLS with self-signed certificates
> would be an improvement.

TLS is a huge, complex attack surface; any use of it requires an
additional dependency with a large amount of difficult-to-audit code.
TLS is trivially DoS attacked and every major/widely used TLS
implementation has had multiple memory disclosure or remote execution
vulnerabilities even in just the last several years.

We've dodged several emergency-scale vulnerabilities by not having TLS.