Major Update: I got a core fact incorrect, in a big way. Thanks to @ivanristic for catching it. It’s an obvious error and I wasn’t thinking things through. ECC is used at a different point than RC4 in establishing a connection, so this doesn’t necessarily affect the use of RC4. David Mortman seems to think it may be more about mobile support and speeding up SSL/TLS on smaller devices. My apologies, and I will leave the initial post up as a record of my error.

In a rambling press release that buries far too much interesting stuff, Symantec announced the release of both ECC and DSA digital certificates for SSL/TLS. On the surface this looks like merely an attempt to speed things up with ECC, and hit government requirements for DSA, but that’s not the entire story.

As some of you might remember, a total d*ck of a patent troll operating under the name of TQP Development has been suing everyone they can get their hands on for using the RC4 cipher in TLS/SSL. We know of small businesses, not merely big guys, getting hit with these suits. This is important because RC4 was the best way to get around certain attacks against SSL/TLS.

Which brings us back to ECC. I wouldn’t bet my personal fortune on it, but I suspect it avoided both the security and legal issues in question. Pretty interesting, but I suppose the Symantec lawyers wouldn’t let them put that in a release.
