[keycloak-dev] Blacklisting/document broken protocols
Juraci Paixão Kröhling
jpkroehling at redhat.com
Wed Mar 2 03:34:19 EST 2016
On 01.03.2016 21:25, Bruno Oliveira wrote:
>
> Ahoy, today I was reading about this "new" vulnerability on TLS
> (http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html).
> And was wondering if we should blacklist or document broken protocols.
> Preventing people to deploy Keycloak in non secure environments.
>
...
>
> Should we document? Blacklist? Or leave it as is?
I'd say "do nothing". Good system admins already have something in place
that would alert them in those cases, ranging from monitoring
vulnerabilities databases to scripting the score check via ssllabs.com.
The main problem that I see with adding some sort of support like this
directly into Keycloak is that you'd need a lot of effort to keep it up
to date. If a comprehensive check cannot be done, people would either
ignore it, or people will trust it because of the false sense of
security it gives.
- Juca.
More information about the keycloak-dev
mailing list