OFFICIAL NEWS


IMPORTANT – Please change your Ryzom password

Nixus (atys)
So basically IMO you can't expect adequate security from SSL or TLS if you're an average Joe or an app dev who wants a "secure connection". And thinking you're secure when you're not is really bad.
I totally agree on the fact that the current SSL/TLS implementations are very hard to use. OpenSSL isn't called OpenSSHELL for nothing; I used it in the past and I can guarantee it. Talking about it, that's the reason why we should support LibreSSL; I'm pretty sure the OpenBSD guys will offer us something decent.

However, only a limited range of developers have to deal with the OpenSSL/GnuTLS/whateverSSL madness. The main (and almost only) use case I can see is when you have to re-implement a protocol which will be secured by SSL/TLS. For example, when writing an HTTP/IMAP/POP/IRC/WhateverElse server or a library; and when you are writing such things you're not a lambda app dev. When you're an average developer and you want to use HTTP and/or HTTPS, you use a library which provides it and therefore you don't have to call a single OpenSSL function yourself. All you need is some basic knowledge about how SSL/TLS works and, given the adequate learning resources, it should be a matter of days of studying. Same thing for the system administrators: all they need is to know how to configure their server properly (e.g. managing certificates, choosing the correct cipher suites, setting HSTS if relevant and so on).

That said, I would agree on the fact it's not easy for a simple user to know whether or not the communication is secured. For years now we simply told them "if you can see the padlock, then it's secure", which is a false statement because too many incompetent sys admins have absolutely no idea how to configure a server. For example, secure.ryzom.com hadn't been updated for years and was absolutely not "secure" until, under pressure, VL replaced it with a new one with an acceptable configuration. In my opinion, if every sys admin were competent, users should just have to trust the little padlock icon.

Nixus (atys)
IMO best thing you can try as password hashing these days is something like scrypt or Catena.
Hmm, I've never heard of it. Has it been reviewed/audited by independent security researchers?

---

Markanjio di Segafredo
Alkiane
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire
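The reply above recommends scrypt for password storage, which is the point of the thread's "please change your password" notice. The following is an added example, not code from the forum post or from Ryzom, showing what a scrypt-based password store looks like when done with only the Python standard library: a per-user random salt, the cost parameters stored next to the hash so they can be raised later, a constant-time comparison on verify, and a check that flags legacy or under-parameterised records for re-hashing at the next successful login. The storage format, the parameter values and the `hash_password`/`verify_password`/`needs_rehash` names are assumptions made for this example; Catena is not in the standard library, so only scrypt is shown.

```python
"""Added example (not from the Ryzom forum post): scrypt password hashing
with the Python standard library.

Record format (constructed for this example, not Ryzom's own):
    scrypt$<n>$<r>$<p>$<salt_base64>$<hash_base64>
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Current work-factor policy (assumed values; tune to your hardware budget).
# Memory use is roughly n * r * 128 bytes, i.e. 16 MiB with these settings.
SCRYPT_N = 2 ** 14   # CPU/memory cost, must be a power of two
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for `password` with a fresh random salt."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=HASH_BYTES)
    return "$".join([
        "scrypt", str(n), str(r), str(p),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Check `password` against a stored record; malformed records never verify."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so a mismatch does not leak where it happened.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record is not scrypt or uses weaker parameters than policy."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        n, r, p = (int(x) for x in parts[1:4])
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def login(username: str, password: str, records: dict) -> bool:
    """Verify a login and transparently upgrade weak records in `records`.

    `records` maps username -> stored record string (an in-memory stand-in
    for a database table in this example).
    """
    stored = records.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        # Only possible right now: the cleartext is in hand after a successful login.
        records[username] = hash_password(password)
    return True


if __name__ == "__main__":
    # Constructed sample store: one record made with an older, smaller cost.
    store = {"alice": hash_password("correct horse battery staple", n=2 ** 12)}
    print("weak record before login:", needs_rehash(store["alice"]))
    print("login ok:", login("alice", "correct horse battery staple", store))
    print("weak record after login: ", needs_rehash(store["alice"]))
    print("wrong password:", login("alice", "not the password", store))
```

Storing `n`, `r` and `p` inside each record is what makes a future parameter bump painless: old records keep verifying, and `login` replaces them one by one as users authenticate, so no mass reset is needed just to raise the cost.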