The software has no concept of what the data is Which is why the software shouldn't be making a hard decision about appropriate cryptography. The users on the two ends, the folks who do know what the data is, should have the final say. The software should set sensible defaults and then let those users decide what to do about
On Wed, Feb 12, 2025 at 9:58 AM Jack Bates <jbates@paradoxnetworks.net> wrote: the large and growing gap of failure between the current default and the often still allowed unencrypted plain text. Most users don't have any idea and would allow an attacker to compromise
On 2/12/2025 2:34 PM, William Herrin wrote: their bank connection if given the choice. The defaults are designed to protect the majority?
That "curl https://enemieslist.com" returns a fault is not unreasonable. That "curl --insecure https://enemieslist.com" also fails reflects faulty thinking on the part of alleged security experts. I suspect --insecure has special meaning and shouldn't be overloaded to include anything that is "insecure". However, curl depends on the underlying libraries, and I believe it was those libraries that are being compiled and installed with older stuff disabled. A quick search shows you have to do custom builds to enable on any current system.
My personal pain point is out of band access to older servers. They're well past the manufacturer's maintenance so there are no more software updates. I can use nice modern VPN software to secure the channel between me and their LAN, but I have to maintain obsolete versions of web browsers and their dependent libraries along with obsolete versions of Java because the modern ones won't connect. I'd rather have less obsolete bug ridden software around, but the self-appointed security experts have stolen that choice from me.
In my experience, except for Java incompatibilities itself, you can usually tweak the configuration and exception rules to get Java to connect and accept older signed packages. Sometimes you have to retweak after an upgrade. FireFox appears to have quite a few options in about:config to enable older stuff and also supports exception lists for some things. Of course, my experience is limited, and I may not be nearly as archaic as you. Jack