Re: [dev] Suckless remote shell?
Greetings.
On Sun, 03 Nov 2013 12:59:36 +0100 Chris Down <chris_AT_chrisdown.name> wrote:
> On 2013-11-03 12:43, Christoph Lohmann wrote:
> > Use ssh, it’s all there. The deployment vs. suck rate is too low in com‐
> > parison to what could go wrong implementing such a critical feature
> > in an insecure way.
>
> I agree about the last point, but I'm not sure deployment should factor
> into it (although maybe your point was about the lack of eyes-on that
> new crypto stuff has). My feelings are:
Deployment is an acceptance factor. Since projects are lead by one person and
adaption is slowly made over time efforts to adapt need to be kept low.
> Cryptography is a niche. Let the cryptographers do their business, I am
> not knowledgeable enough to say what sucks and does not suck in that
> arena (other than saying that OpenSSL is one of the worst pieces of shit
> I have ever had to deal with, but that's a comment on their design, not
> their cryptography. I have heard their code is equally as crappy -- it
> certainly looks that way, but I will leave that to those more
> knowledgeable in that area to decide).
Yes, the person who created the OpenSSL API to be non‐transparent did
much more harm to Open Source than he helped. Just create a transparent
fd or at least some FILE * abstraction so you don’t need more than the
initialisation. Plan 9 does that for you easily and it works.
But back to the topic: If client cert authentication would be more user
friendly in common browsers just do all of this over encrypted web sock‐
ets. Of course sending JSON over HTTP and abstracted web sockets is the
web disgrace but should allow simple deployment. For the real users you
have the commandline client and the mass consumer gets some Javascript
client library.
Yes, the sad state of network protocols is JSON over HTTP over SSL.
Sincerely,
Christoph Lohmann
Received on Sun Nov 03 2013 - 12:59:36 CET
This archive was generated by hypermail 2.3.0
: Sun Nov 03 2013 - 13:12:10 CET