[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bacula and TLS
On Oct 9, 2014, at 18:38 , J. Lewis Muir <jlmuir%imca-cat.org@localhost> wrote:
> On 10/9/14 11:14 AM, Havard Eidnes wrote:
>> Is there a particular reason SSL encryption isn't turned on by default
>> where it can?
> reason might be that it increases the dependencies for the package.
Generally, OpenSSL is included in base on most OSes.
> Another reason might be to avoid linking with OpenSSL since it has had a
> difficult security track record, and linking against it could be seen as
> a security liability.
I find this argumentation a bit weird?
It sounds like are you arguing that using no encryption whatsoever "might" be safer for the user, because the way encryption is provided is thru using a library that has had some serious vulnerabilities (which btw. because of that, already got more traction and both more funding and resources to shape up the project )
Even other "high profile" security software like OpenSSH doesn't have a close-to-zero security track record  (well, nothing in there as bad as the "heartbleed" bug), but I would never suggest or argue that could be safer to go back to non encrypted Telnet just because there has been 30+ security issues in OpenSSH.
 24-Jun-2014: Team status changes including six new development team members
30-Jun-2014: Project roadmap released
Main Index |
Thread Index |