Re: bacula and TLS

[Fredrik Pettai <pettai%nordu.net@localhost>]

On Oct 9, 2014, at 18:38 , J. Lewis Muir <jlmuir%imca-cat.org@localhost> wrote:
> On 10/9/14 11:14 AM, Havard Eidnes wrote:
>> Is there a particular reason SSL encryption isn't turned on by default
>> where it can? 

>  Another
> reason might be that it increases the dependencies for the package.

Generally, OpenSSL is included in base on most OSes.
 
> Another reason might be to avoid linking with OpenSSL since it has had a
> difficult security track record, and linking against it could be seen as
> a security liability.

I find this argumentation a bit weird? 

It sounds like are you arguing that using no encryption whatsoever "might" be safer for the user, because the way encryption is provided is thru using a library that has had some serious vulnerabilities (which btw. because of that, already got more traction and both more funding and resources to shape up the project [1])

Even other "high profile" security software like OpenSSH doesn't have a close-to-zero security track record [2] (well, nothing in there as bad as the "heartbleed" bug), but I would never suggest or argue that could be safer to go back to non encrypted Telnet just because there has been 30+ security issues in OpenSSH. 

[1] 24-Jun-2014: Team status changes including six new development team members
    (https://www.openssl.org/about/)
    30-Jun-2014: Project roadmap released
    (https://www.openssl.org/about/roadmap.html)

[2] http://www.openssh.com/security.html