<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 15.10.2014 at 09:32, Alain
Wolf wrote:<br>
</div>
<blockquote cite="mid:543E2300.1020606@alainwolf.ch" type="cite">
<pre wrap="">
On 15.10.2014 at 09:18, Alexander Wuerstlein wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 2014-10-15T08:39, L. Aaron Kaplan <a class="moz-txt-link-rfc2396E" href="mailto:aaron@lo-res.org">&lt;aaron@lo-res.org&gt;</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
---
Mobile
</pre>
<blockquote type="cite">
<pre wrap="">On 15.10.2014, at 01:50, Aaron Zauner <a class="moz-txt-link-rfc2396E" href="mailto:azet@azet.org">&lt;azet@azet.org&gt;</a> wrote:
Hi,
Guess it's good we opted to forbid SSLv3 where possible:
<a class="moz-txt-link-freetext" href="https://www.imperialviolet.org/2014/10/14/poodle.html">https://www.imperialviolet.org/2014/10/14/poodle.html</a>
</pre>
</blockquote>
<pre wrap="">ACK!
We should also reference their paper and explain why we disabled it.
BTW: for that we'll need the cipherstringB macro again - to replace the cipherstring in the document in a consistent way.
</pre>
</blockquote>
<pre wrap="">Yes, but I would leave out the 'where possible'. Using Cleartext and a
warning page or no connection at least somehow signals danger to the end
user, whereas current user agents don't (yet) warn on SSL3-connections.
So I would recommend turning off SSL3 on a server, period.
Is there any data as to how frequent SSL3-only user-agents still are?
</pre>
</blockquote>
<pre wrap="">Maybe Cloudflare. I remember them having interesting stats on RC4, they
should have that on SSLv3 too.
<a class="moz-txt-link-freetext" href="https://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/">https://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/</a>
</pre>
</blockquote>
I was too slow, the numbers are already there:<br>
<br>
<a class="moz-txt-link-freetext" href="https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/">https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/</a><br>
<blockquote type="cite">
<h3 id="sslv3usagestats">SSLv3 Usage Stats</h3>
<p>Across our network, 0.09% of all traffic is SSLv3. For HTTPS
traffic, 0.65% across our network uses SSLv3. The good news is
most of that traffic is actually attack traffic and some minor
crawlers. For real visitor traffic, today 3.12% of CloudFlare's
total SSL traffic comes from Windows XP users. Of that, 1.12%
Windows XP users connected using SSLv3. In other words, even on
an out-of-date operating system, 98.88% Windows XP users
connected using TLSv1.0+ — which is not vulnerable to this
vulnerability.</p>
<p>Beyond human browser traffic, some crawlers default to SSLv3.
The largest crawler we see defaulting to SSLv3 is Pingdom's.
Pingdom is a CloudFlare partner. We alerted them to this issue
and are actively working with them to ensure that their crawler
will support HTTPS over a protocol other than SSLv3.</p>
</blockquote>
<br>
<br>
<blockquote cite="mid:543E2300.1020606@alainwolf.ch" type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">Even ancient Internet Explorers on WinXP can be configured[0] to support
TLS 1.0 after all, so I would not include a 'where possible' for those
weird setups: such an addition would maybe confuse more server admins
into "erring on the side of (misguided) caution", leaving them with SSL3
enabled "because I might have compatibility problems".
Ciao,
Alexander Wuerstlein.
[0] says Wikipedia: <a class="moz-txt-link-freetext" href="http://en.wikipedia.org/wiki/Transport_Layer_Security">http://en.wikipedia.org/wiki/Transport_Layer_Security</a>
_______________________________________________
Ach mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ach@lists.cert.at">Ach@lists.cert.at</a>
<a class="moz-txt-link-freetext" href="http://lists.cert.at/cgi-bin/mailman/listinfo/ach">http://lists.cert.at/cgi-bin/mailman/listinfo/ach</a>
</pre>
</blockquote>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Mail: <a class="moz-txt-link-abbreviated" href="mailto:alain@alainwolf.ch">alain@alainwolf.ch</a>
Home: +41 32 510 47 30
Mobile: +41 78 897 87 76
Albisriederstrasse 92
CH - 8003 Zurich
Switzerland
<a class="moz-txt-link-freetext" href="http://alainwolf.ch/">http://alainwolf.ch/</a>
</pre>
</body>
</html>