Re: BridgeWorks

On 7/23/2024 8:16 PM, Arne Vajhøj wrote:

On 7/23/2024 3:16 PM, Dave Froble wrote:

On 7/22/2024 2:31 PM, Arne Vajhøj wrote:

On 7/22/2024 1:39 PM, Dave Froble wrote:

I would not consider SSL, TLS, MD5, Sha-1, and such applications.  They are
more environment protection, the way I see it.  And you are correct, some no
longer protect the environment for the real apps.
>
Please explain to me how an application, for example an inventory application
that tracks on hand product, would ever be involved in security?  It is the
environment that must provide the security, and the apps the actual work.
Things get a bit grey when an application communicates outside the
environment, but even then, it is the available security that is used, not the
apps.
>
So, your comments are not relevant to whether or not the apps written in say
VB6 need support, at least from a security perspective.

>
I don't think it is good description of such stuff to call it
environment that are independent of applications.
>
Sometimes application code directly specify algorithms.
>
This one line of VB.NET code:
>
Test("SHA-2 256 bit (managed)", New SHA256Managed())

>
So now the discussion ignores the previous discussion, in this case VB6?  As
far as I know VB6 does not have what you mention below?

>
True.
>
But the concept of program code directly specifying algorithms
is generic.
>
That can also happen in VB6.
>
I just happened to have some VB.NET code but not any VB6 code.
>

use SHA-256. An no environment change will make it use a different
algorithm (unless one did some really dirty hacking of the
.NET libraries).
>
Sometimes newer libraries are not available.

>
In my limited experience, encryption and such are separate code/libraries.  So
linking them into an existing app would still provide protection.

>
Usually an external library.
>
But no guarantee that new versions will show up for a
library.
>
If the technology is generally considered obsolete then the
likelihood of new version may even be small.
>

Let us say that one has some code that use HTTPS. And
that programming language has a library that supports
TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
found and TLS 1.4 is created. If a new version of the library
supporting TLS 1.4 becomes available then all fine - update the
library and the application is fine. But if not then the
application has a problem, because the available library is
not getting updated.

>
How does that differ from some "supported" implementation languages?  Doesn't
matter if TLS 1.4 doesn't exist now, does it?

>
It is not like:
>
supported language => guarantee for updated library
not supported language => guarantee for no updated library
>
But the likelihood for an updated library is much higher
if the language is actively maintained, supported and
developed by the vendor, because there is an expectation that
there is a long term market for the library.
>
If the language has been EOL, not supported and superseded
by another product from the vendor, then the market has shrunk
and are expected to continue to shrink. That is a situation that
make many libraries drop support as well.
>
This is not just a theoretical thing.
>
If you look at third party COM components used by VB6 and VBS back
in the late 90's and early 00's, then most of it are gone. The move
may be pretty slow, but after 22 years then the market is heavily
reduced.
>
Arne

Well, if the issue is external communications, and it isn't always so, then there is always "Tunnel" (or whatever it is called).
The original claims were that one could not use old apps that were implemented in a currently unsupported language.  That argument is full of holes.  Trying to introduce communications into the discussion is just FUD.
--
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486