Subject: Re: BridgeWorks
From: arne (at) *nospam* vajhoej.dk (Arne Vajhøj)
Newsgroups: comp.os.vms
Date: 25. Jul 2024, 04:11:41
Organization: A noiseless patient Spider
Message-ID: <v7sfpd$245e2$3@dont-email.me>
User-Agent: Mozilla Thunderbird
On 7/24/2024 10:50 PM, Dave Froble wrote:
> On 7/23/2024 8:16 PM, Arne Vajhøj wrote:
>> On 7/23/2024 3:16 PM, Dave Froble wrote:
>>> On 7/22/2024 2:31 PM, Arne Vajhøj wrote:
>>>> Let us say that one has some code that uses HTTPS. And
>>>> that programming language has a library that supports
>>>> TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
>>>> found and TLS 1.4 is created. If a new version of the library
>>>> supporting TLS 1.4 becomes available then all is fine - update the
>>>> library and the application is fine. But if not then the
>>>> application has a problem, because the available library is
>>>> not getting updated.
>>>
>>> How does that differ from some "supported" implementation languages? Doesn't
>>> matter if TLS 1.4 doesn't exist now, does it?
>>
>> It is not like:
>>
>> supported language => guarantee for updated library
>> not supported language => guarantee for no updated library
>>
>> But the likelihood for an updated library is much higher
>> if the language is actively maintained, supported and
>> developed by the vendor, because there is an expectation that
>> there is a long term market for the library.
>>
>> If the language has been EOL, not supported and superseded
>> by another product from the vendor, then the market has shrunk
>> and is expected to continue to shrink. That is a situation that
>> makes many libraries drop support as well.
>>
>> This is not just a theoretical thing.
>>
>> If you look at third party COM components used by VB6 and VBS back
>> in the late 90's and early 00's, then most of it is gone. The move
>> may be pretty slow, but after 22 years then the market is heavily
>> reduced.
>
> You assume that such libraries are for specific environments, and some may be. But isn't OpenSSL sort of generic, usable by just about anything? Should not most such things be that way? If not, then why not?
OpenSSL is widely used for a certain type of languages in modern times.
If you have an application written in a native language within
the last two decades, then there is a pretty good chance that it uses
OpenSSL. JVM languages, CLR languages, script languages - no (at least
not directly). Something written 30 years ago - no (it would use
Bsafe or something else that had the proper RSA license).

VB6 is a bit in the middle. VB6 can call functions in regular
Win32 DLLs, but often a COM component will be preferred - OO API,
the choice between static and dynamic (dynamic only if a scriptable
COM component), usually nicer API with less hacking with data types.
Arne
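The dependency Arne describes earlier in the thread (an application's TLS protocol support is bounded by whatever TLS library its runtime happens to link, so an un-updated library leaves the application stuck) can be made visible at startup. The following is an added Python example, not code from anyone in this thread: it uses the standard `ssl` module to report the linked OpenSSL build and its highest available protocol version, and refuses to build a client context whose floor the library cannot honour. The names `library_capabilities`, `highest_supported_version`, `build_client_context` and `TlsLibraryTooOld` are this example's own; the numeric value `0x305` used in its test stands in for a hypothetical future protocol version (the "TLS 1.4" of the discussion) and is not a real constant.

```python
import ssl


class TlsLibraryTooOld(RuntimeError):
    """Raised when the linked TLS library cannot provide the requested floor."""


def library_capabilities():
    """Describe what the TLS library linked into this runtime supports.

    Everything here comes from the library the interpreter was built
    against; the application itself cannot add a protocol version.
    """
    ctx = ssl.create_default_context()
    return {
        "library": ssl.OPENSSL_VERSION,               # e.g. "OpenSSL 3.0.x ..."
        "library_version_info": ssl.OPENSSL_VERSION_INFO,
        "has_tls13": ssl.HAS_TLSv1_3,
        "has_tls12": ssl.HAS_TLSv1_2,
        "default_minimum": ctx.minimum_version,
        "default_maximum": ctx.maximum_version,
    }


def highest_supported_version():
    """Return the newest TLS version the linked library can negotiate."""
    if ssl.HAS_TLSv1_3:
        return ssl.TLSVersion.TLSv1_3
    if ssl.HAS_TLSv1_2:
        return ssl.TLSVersion.TLSv1_2
    if ssl.HAS_TLSv1_1:
        return ssl.TLSVersion.TLSv1_1
    return ssl.TLSVersion.TLSv1


def build_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Build a client context that never negotiates below `floor`.

    `floor` may be an ssl.TLSVersion member or a raw protocol number
    (ssl.TLSVersion is an IntEnum, so the comparison works either way).
    If the library cannot reach the floor at all, fail loudly instead of
    silently running with whatever the old library offers.
    """
    best = highest_supported_version()
    if best < floor:
        raise TlsLibraryTooOld(
            f"{ssl.OPENSSL_VERSION} tops out at {best.name}; "
            f"requested floor {int(floor):#x} is not available"
        )
    ctx = ssl.create_default_context()   # certificate verification stays on
    ctx.minimum_version = floor
    return ctx


if __name__ == "__main__":
    for key, value in library_capabilities().items():
        print(f"{key}: {value}")
    ctx = build_client_context(ssl.TLSVersion.TLSv1_2)
    print("client floor:", ctx.minimum_version.name)
```

Run it once per deployment target: the printed `library` line is the thing that actually has to change when a new protocol version ships, and the `TlsLibraryTooOld` path is what you would hit if policy moved to a version the bundled library never received.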