alain at alainwolf.ch
Wed Oct 15 09:32:16 CEST 2014
On 15.10.2014 at 09:18, Alexander Wuerstlein wrote:
> On 2014-10-15T08:39, L. Aaron Kaplan <aaron at lo-res.org> wrote:
>>> On 15.10.2014, at 01:50, Aaron Zauner <azet at azet.org> wrote:
>>> Guess it's good we opted to forbid SSLv3 where possible:
>> We should also reference their paper and explain why we disabled it.
>> BTW: for that we'll need the cipherstringB macro again - to replace the cipherstring in the document in a consistent way.
> Yes, but I would leave out the 'where possible'. Using Cleartext and a
> warning page or no connection at least somehow signals danger to the end
> user, whereas current user agents don't (yet) warn on SSL3-connections.
> So I would recommend turning off SSL3 on a server, period.
> Is there any data as to how frequent SSL3-only user-agents still are?
Maybe Cloudflare. I remember them having interesting stats on RC4, they
should have that on SSLv3 too.
> Even ancient Internet Explorers on WinXP can be configured to support
> TLS 1.0 after all, so I would not include a 'where possible' for those
> weird setups: such an addition would maybe confuse more server admins
> into "erring on the side of (misguided) caution", leaving them with SSL3
> enabled "because I might have compatibility problems".
> Alexander Wuerstlein.
>  says wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security