
Protocol ossification

Posted Jan 25, 2025 21:45 UTC (Sat) by Wol (subscriber, #4433)
In reply to: Protocol ossification by tialaramex
Parent article: The trouble with the new uretprobes

> But when this idiot vendor's proxy copies the data into their reply to a client asking to perform TLS 1.3 that's a huge red flag for the client. Why is the server which claims it can't speak TLS 1.3 also telling me (as per TLS 1.3 protocol design) that it was asked to downgrade from TLS 1.3? I didn't ask for a downgrade, clearly there's an attack -- and there is, it's your own systems attacking you because you (most likely the corporation you work for or at) bought a tiger rock.

And this is where the European Computer Security Act (or whatever it was called) would come into effect. If the device claims to do TLS 1.3 and doesn't, it's clearly defective. And if it isn't fixed as per the CE mark ...

This is where I would like the government to say "save money, buy COTS gear in bulk, but have a supplier blacklist. If you have to replace gear because the supplier welched on the CE mark, they go on the blacklist for the life of the REPLACEMENT gear".

So if another supplier comes in and says "I'll give you a 10-year CE life instead of the standard 5", they're taking a risk, but they're also locking a competitor out of a lucrative market ...

Cheers,
Wol
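The quoted point about the proxy is the TLS 1.3 downgrade sentinel from RFC 8446, section 4.1.3: a server that supports TLS 1.3 but ends up negotiating TLS 1.2 writes "DOWNGRD\x01" into the last eight bytes of ServerHello.random ("DOWNGRD\x00" for TLS 1.1 or below), and a client that offered TLS 1.3 and was answered with an older version must abort with illegal_parameter if it sees either value. The model below is an added example written for this page; it is not code from the comment thread, from LWN, or from any vendor's proxy. The sentinel values and the client rule are taken from the RFC; the ServerHello builder and parser are deliberately minimal (no session id, one cipher suite, only the supported_versions extension), the 32-byte "entropy" used to make the run reproducible is constructed, and copying_proxy() is a hypothetical stand-in for the middlebox described above.

```python
"""Model of the TLS 1.3 downgrade sentinel (RFC 8446 section 4.1.3) and the
'copying proxy' failure described in the thread. Added example, not project code."""
import os
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
# Values a TLS 1.3-capable server writes into the last 8 bytes of
# ServerHello.random when it negotiates an older protocol version.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"   # negotiated TLS 1.2
DOWNGRADE_OLD = b"DOWNGRD\x00"     # negotiated TLS 1.1 or below
EXT_SUPPORTED_VERSIONS = 0x002B


def server_random(negotiated, server_max=TLS13, entropy=None):
    """ServerHello.random as produced by a server whose highest version is server_max.

    `entropy` injects 32 fixed bytes so the example is reproducible (constructed
    input); a real server always draws fresh os.urandom(32).
    """
    rnd = bytearray(os.urandom(32) if entropy is None else entropy)
    if len(rnd) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if server_max >= TLS13:            # only a 1.3-capable server stamps the sentinel
        if negotiated == TLS12:
            rnd[24:] = DOWNGRADE_TLS12
        elif negotiated < TLS12:
            rnd[24:] = DOWNGRADE_OLD
    return bytes(rnd)


def build_server_hello(negotiated, rnd, cipher_suite=0xC02F):
    """Serialise a simplified ServerHello handshake message (type 2, empty session id).

    TLS 1.3 keeps legacy_version at 0x0303 and signals the real version in a
    supported_versions extension; older versions carry it in legacy_version.
    """
    legacy = TLS12 if negotiated >= TLS12 else negotiated
    body = struct.pack(">H", legacy) + rnd + b"\x00" + struct.pack(">HB", cipher_suite, 0)
    if negotiated == TLS13:
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13)
        body += struct.pack(">H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello(msg):
    """Return (negotiated_version, random) from a ServerHello handshake message."""
    if msg[0] != 2 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed ServerHello")
    legacy = struct.unpack(">H", msg[4:6])[0]
    rnd = msg[6:38]
    pos = 38
    sid_len = msg[pos]
    pos += 1 + sid_len
    pos += 3                                   # cipher_suite (2) + compression_method (1)
    negotiated = legacy
    if pos < len(msg):                         # extensions block present
        ext_len = struct.unpack(">H", msg[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", msg[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                negotiated = struct.unpack(">H", msg[pos:pos + 2])[0]
            pos += elen
    return negotiated, rnd


def client_check(client_max, msg):
    """Client-side rule from RFC 8446 4.1.3: None to continue, else the alert to send."""
    negotiated, rnd = parse_server_hello(msg)
    if (client_max >= TLS13 and negotiated < TLS13
            and rnd[24:] in (DOWNGRADE_TLS12, DOWNGRADE_OLD)):
        return "illegal_parameter"
    return None


def copying_proxy(copy_upstream_random, entropy=b"\x11" * 32):
    """Hypothetical middlebox: it only speaks TLS 1.2, so the 1.3-capable upstream
    negotiates 1.2 with it and stamps DOWNGRD\\x01. The proxy then answers a client
    that offered TLS 1.3 with its own TLS 1.2 ServerHello, either reusing the
    upstream random (the bug from the thread) or generating its own."""
    upstream_rnd = server_random(TLS12, server_max=TLS13, entropy=entropy)
    proxy_rnd = upstream_rnd if copy_upstream_random else server_random(
        TLS12, server_max=TLS12, entropy=entropy)
    return client_check(TLS13, build_server_hello(TLS12, proxy_rnd))


if __name__ == "__main__":
    print("copying proxy ->", copying_proxy(True))     # illegal_parameter
    print("proper proxy  ->", copying_proxy(False))    # None
```

The interesting case is the second branch of copying_proxy(): a proxy that honestly advertises itself as a TLS 1.2-only server and generates its own random gets through the same client check, because the sentinel is only ever written by a server that actually supports TLS 1.3. The client cannot tell a copied random from a real downgrade attack, which is exactly why the spec tells it not to try.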




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds