Assurance

["Joe St Sauver" <>]

Hi,

Dave commented:

#Well, there isn't much you can do if the gov't gets their claws on either
#end of the channels pre/post encryption/decryption.  

Right, and that's also obviously happening, too, but those articles make 
it clear that there are ALSO issues with the formerly trustworthy 
encrypted middle. That's an absolutely huge sea change.

#However, while it is concerning and 

Describing the most recent revelations as "concerning" significantly
downplays an industry wide sea change.

If you don't have trustworthy crypto, an awful lot of other things just
fall completely apart.

#upping key-sizes and encryption levels can assist to a degree, 

Not at all clear what crypto algorithms or implementations are trustworthy 
at this point. You can have a great algorithm, but if you're running with a 
flawed RNG, for example, you can still be toast.

The best bet might be to nest or layer encryption using different (hopefully)
strong algorithms, in the hope that one of N might still give you some 
protection, but of course that's inconvenient, so it's unlikely that people
will do it.

#my problem here is more a standard that is
#requiring me to make a change to a core authentication service which is
#guaranteed to break users who are not running the latest greatest version
#of whatever their preferred browser is.

TLS 1.1 (aka SSL 3.2) dates to 2006. 

TLS 1.2 (aka SSL 3.3) dates to 2008.

Now I'll grant you that OpenSSL didn't support 1.2 until OpenSSL 1.0.1,
but 1.0.1d (and then e) shipped in February 2013, so it's now time,
particularly given some of the recent revelations.

Regards,

Joe