Alexander Wuerstlein arw at cs.fau.de
Wed Oct 15 09:18:49 CEST 2014

On 2014-10-15T08:39, L. Aaron Kaplan <aaron at lo-res.org> wrote:
> ---
> Mobile
> > On 15.10.2014, at 01:50, Aaron Zauner <azet at azet.org> wrote:
> > 
> > Hi,
> > 
> > Guess it's good we opted to forbid SSLv3 where possible:
> > 
> > https://www.imperialviolet.org/2014/10/14/poodle.html
> > 
> ACK! 
> We should also reference their paper and explain why we disabled it. 
> BTW: for that we'll need the cipherstringB macro again - to replace the cipherstring in the document in a consistent way. 

Yes, but I would leave out the 'where possible'. Using cleartext and a
warning page or no connection at least somehow signals danger to the end
user, whereas current user agents don't (yet) warn on SSL3-connections.
So I would recommend turning off SSL3 on a server, period. 

Is there any data as to how frequent SSL3-only user-agents still are?
Even ancient Internet Explorers on WinXP can be configured[0] to support
TLS 1.0 after all, so I would not include a 'where possible' for those
weird setups: such an addition would maybe confuse more server admins
into "erring on the side of (misguided) caution", leaving them with SSL3
enabled "because I might have compatibility problems".


Alexander Wuerstlein.

[0] says Wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security
