[keycloak-dev] Blacklisting/document broken protocols
Bruno Oliveira
bruno at abstractj.org
Wed Mar 2 04:18:31 EST 2016
+1 Makes sense
On Wed, Mar 2, 2016, 5:46 AM Stian Thorgersen <sthorger at redhat.com> wrote:
> +1 To do nothing
>
> SSL for KC itself is provided by WildFly, so this is WildFly/Undertow's
> responsibility. For outgoing SSL connections (db, ldap, etc..) it's up to
> the admin to configure those resources correctly.
>
> On 2 March 2016 at 09:34, Juraci Paixão Kröhling <jpkroehling at redhat.com>
> wrote:
>
>> On 01.03.2016 21:25, Bruno Oliveira wrote:
>> >
>> > Ahoy, today I was reading about this "new" vulnerability on TLS
>> > (
>> http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
>> ).
>> > And was wondering if we should blacklist or document broken protocols.
>> > Preventing people to deploy Keycloak in non secure environments.
>> >
>> ...
>> >
>> > Should we document? Blacklist? Or leave it as is?
>>
>> I'd say "do nothing". Good system admins already have something in place
>> that would alert them in those cases, ranging from monitoring
>> vulnerabilities databases to scripting the score check via ssllabs.com.
>>
>> The main problem that I see with adding some sort of support like this
>> directly into Keycloak is that you'd need a lot of effort to keep it up
>> to date. If a comprehensive check cannot be done, people would either
>> ignore it, or people will trust it because of the false sense of
>> security it gives.
>>
>> - Juca.
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160302/4fd9ccb8/attachment.html
More information about the keycloak-dev
mailing list