[keycloak-dev] Blacklisting/document broken protocols

Juraci Paixão Kröhling jpkroehling at redhat.com
Wed Mar 2 03:34:19 EST 2016


On 01.03.2016 21:25, Bruno Oliveira wrote:
>
> Ahoy, today I was reading about this "new" vulnerability on TLS
> (http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html).
> And was wondering if we should blacklist or document broken protocols,
> preventing people from deploying Keycloak in non-secure environments.
>
...
>
> Should we document? Blacklist? Or leave it as is?

I'd say "do nothing". Good system admins already have something in place 
that would alert them in those cases, ranging from monitoring 
vulnerabilities databases to scripting the score check via ssllabs.com.

The main problem that I see with adding some sort of support like this 
directly into Keycloak is that you'd need a lot of effort to keep it up 
to date. If a comprehensive check cannot be done, people would either 
ignore it, or people will trust it because of the false sense of 
security it gives.

- Juca.
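The "scripting the score check via ssllabs.com" that Juca mentions, as an added example that is not part of the original thread or of Keycloak: a small policy check over the JSON that the SSL Labs analyze() call returns, flagging endpoints whose grade is below policy, which still offer a forbidden protocol version (SSLv2, the protocol DROWN exploits, plus SSLv3 and TLS 1.0), or which the scanner reports as DROWN-vulnerable. The field names (`status`, `endpoints[].grade`, `endpoints[].details.protocols[].name`/`version`, `endpoints[].details.drownVulnerable`) and the `fromCache`/`all` query parameters are taken from the public SSL Labs API v3 documentation as I remember it and are assumptions here; verify them against the current docs before relying on the live fetch. The embedded response is constructed, not real scan output.

```python
"""Evaluate an SSL Labs analyze() result against a TLS policy.

Added example, not Keycloak code. Field names and query parameters are
assumed from the public SSL Labs API v3 documentation; check them against the
current docs. The sample response below is constructed for the example.
"""
import json
import urllib.parse
import urllib.request

ANALYZE_URL = "https://api.ssllabs.com/api/v3/analyze"  # assumed endpoint

# Grades the policy accepts for an endpoint.
ACCEPTABLE_GRADES = {"A+", "A", "A-"}

# (name, version) pairs that should never be offered by a Keycloak-facing endpoint.
FORBIDDEN_PROTOCOLS = {("SSL", "2.0"), ("SSL", "3.0"), ("TLS", "1.0")}

# Constructed sample: one endpoint still offering SSLv2 (DROWN-style exposure),
# one clean endpoint. Addresses are from the documentation range 203.0.113.0/24.
SAMPLE_RESULT = json.loads("""
{
  "host": "sso.example.invalid",
  "status": "READY",
  "endpoints": [
    {
      "ipAddress": "203.0.113.10",
      "grade": "F",
      "details": {
        "protocols": [
          {"id": 512, "name": "SSL", "version": "2.0"},
          {"id": 771, "name": "TLS", "version": "1.2"}
        ],
        "drownVulnerable": true
      }
    },
    {
      "ipAddress": "203.0.113.11",
      "grade": "A",
      "details": {
        "protocols": [
          {"id": 771, "name": "TLS", "version": "1.2"}
        ],
        "drownVulnerable": false
      }
    }
  ]
}
""")


def fetch_result(host, timeout=30):
    """Fetch a cached analyze() result for host (assumed API; one request, no new scan)."""
    params = urllib.parse.urlencode({"host": host, "fromCache": "on", "all": "done"})
    with urllib.request.urlopen(f"{ANALYZE_URL}?{params}", timeout=timeout) as resp:
        return json.load(resp)


def evaluate(result):
    """Return a list of policy findings for every endpoint in an analyze() result.

    An empty list means every endpoint passed. A result whose status is not
    READY yields a single finding, so an unfinished scan is never mistaken
    for a passing one.
    """
    findings = []
    if result.get("status") != "READY":
        findings.append(f"scan not finished: status={result.get('status')}")
        return findings
    for ep in result.get("endpoints", []):
        ip = ep.get("ipAddress", "?")
        grade = ep.get("grade")
        if grade not in ACCEPTABLE_GRADES:
            findings.append(f"{ip}: grade {grade} below policy")
        details = ep.get("details", {})
        for proto in details.get("protocols", []):
            key = (proto.get("name"), proto.get("version"))
            if key in FORBIDDEN_PROTOCOLS:
                findings.append(f"{ip}: forbidden protocol {key[0]}v{key[1]} enabled")
        if details.get("drownVulnerable"):
            findings.append(f"{ip}: reported DROWN-vulnerable")
    return findings


if __name__ == "__main__":
    # Runs against the constructed sample; use fetch_result(host) for a live check.
    for line in evaluate(SAMPLE_RESULT):
        print(line)
```

Wired into a cron job that exits non-zero when `evaluate()` returns anything, this gives the kind of external alert Juca describes without putting any protocol knowledge into Keycloak itself; the scanner, not the product, carries the burden of staying current.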


