Article <v7sehl$244jr$1@dont-email.me>

Warning: mysqli::__construct(): (HY000/1203): User howardkn already has more than 'max_user_connections' active connections in D:\Inetpub\vhosts\howardknight.net\al.howardknight.net\includes\artfuncs.php on line 21
Failed to connect to MySQL: (1203) User howardkn already has more than 'max_user_connections' active connections
Warning: mysqli::query(): Couldn't fetch mysqli in D:\Inetpub\vhosts\howardknight.net\al.howardknight.net\index.php on line 66
Article <v7sehl$244jr$1@dont-email.me>

Deutsch English Français Italiano

<v7sehl$244jr$1@dont-email.me>

View for Bookmarking (what is this?)
Look up another Usenet article

Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Dave Froble <davef@tsoft-inc.com>
Newsgroups: comp.os.vms
Subject: Re: BridgeWorks
Date: Wed, 24 Jul 2024 22:50:27 -0400
Organization: A noiseless patient Spider
Lines: 103
Message-ID: <v7sehl$244jr$1@dont-email.me>
References: <v7e9qt$33dn4$1@dont-email.me> <v7edd2$33v6h$1@dont-email.me>
 <v7h8d1$3msj2$1@dont-email.me> <v7hveg$3u9vu$3@dont-email.me>
 <v7j76f$4mtj$1@dont-email.me> <v7lic0$ktou$1@dont-email.me>
 <v7m5g4$ogvf$1@dont-email.me> <v7m8hf$o37u$2@dont-email.me>
 <v7ovi5$1b5dr$1@dont-email.me> <v7ph58$1dmh2$3@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 25 Jul 2024 04:50:30 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="7eb19978bd0d904f38936c7032d830ae";
	logging-data="2232955"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/gdbIIzcnQnkchoVhvAUCiECun/D7c/ZU="
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
Cancel-Lock: sha1:DuNPnjbTX4U7O7D17tvgaBGezzA=
In-Reply-To: <v7ph58$1dmh2$3@dont-email.me>

On 7/23/2024 8:16 PM, Arne Vajhøj wrote:
> On 7/23/2024 3:16 PM, Dave Froble wrote:
>> On 7/22/2024 2:31 PM, Arne Vajhøj wrote:
>>> On 7/22/2024 1:39 PM, Dave Froble wrote:
>>>> I would not consider SSL, TLS, MD5, Sha-1, and such applications.  They are
>>>> more environment protection, the way I see it.  And you are correct, some no
>>>> longer protect the environment for the real apps.
>>>>
>>>> Please explain to me how an application, for example an inventory application
>>>> that tracks on hand product, would ever be involved in security?  It is the
>>>> environment that must provide the security, and the apps the actual work.
>>>> Things get a bit grey when an application communicates outside the
>>>> environment, but even then, it is the available security that is used, not the
>>>> apps.
>>>>
>>>> So, your comments are not relevant to whether or not the apps written in say
>>>> VB6 need support, at least from a security perspective.
>>>
>>> I don't think it is good description of such stuff to call it
>>> environment that are independent of applications.
>>>
>>> Sometimes application code directly specify algorithms.
>>>
>>> This one line of VB.NET code:
>>>
>>> Test("SHA-2 256 bit (managed)", New SHA256Managed())
>>
>> So now the discussion ignores the previous discussion, in this case VB6?  As
>> far as I know VB6 does not have what you mention below?
>
> True.
>
> But the concept of program code directly specifying algorithms
> is generic.
>
> That can also happen in VB6.
>
> I just happened to have some VB.NET code but not any VB6 code.
>
>>> use SHA-256. An no environment change will make it use a different
>>> algorithm (unless one did some really dirty hacking of the
>>> .NET libraries).
>>>
>>> Sometimes newer libraries are not available.
>>
>> In my limited experience, encryption and such are separate code/libraries.  So
>> linking them into an existing app would still provide protection.
>
> Usually an external library.
>
> But no guarantee that new versions will show up for a
> library.
>
> If the technology is generally considered obsolete then the
> likelihood of new version may even be small.
>
>>> Let us say that one has some code that use HTTPS. And
>>> that programming language has a library that supports
>>> TLS 1.3. Then in 5 years a vulnerability in TLS 1.3 is
>>> found and TLS 1.4 is created. If a new version of the library
>>> supporting TLS 1.4 becomes available then all fine - update the
>>> library and the application is fine. But if not then the
>>> application has a problem, because the available library is
>>> not getting updated.
>>
>> How does that differ from some "supported" implementation languages?  Doesn't
>> matter if TLS 1.4 doesn't exist now, does it?
>
> It is not like:
>
> supported language => guarantee for updated library
> not supported language => guarantee for no updated library
>
> But the likelihood for an updated library is much higher
> if the language is actively maintained, supported and
> developed by the vendor, because there is an expectation that
> there is a long term market for the library.
>
> If the language has been EOL, not supported and superseded
> by another product from the vendor, then the market has shrunk
> and are expected to continue to shrink. That is a situation that
> make many libraries drop support as well.
>
> This is not just a theoretical thing.
>
> If you look at third party COM components used by VB6 and VBS back
> in the late 90's and early 00's, then most of it are gone. The move
> may be pretty slow, but after 22 years then the market is heavily
> reduced.
>
> Arne

You assume that such libraries are for specific environments, and some may be. 
But isn't OpenSSL sort of generic, usable by just about anything?  Should not 
most such things be that way.  If not, then why not?


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486