[Ach] POODLE

Alain Wolf alain at alainwolf.ch
Wed Oct 15 09:32:16 CEST 2014


On 15.10.2014 at 09:18, Alexander Wuerstlein wrote:
> On 2014-10-15T08:39, L. Aaron Kaplan <aaron at lo-res.org> wrote:
>>
>> ---
>> Mobile
>>
>>
>>> On 15.10.2014, at 01:50, Aaron Zauner <azet at azet.org> wrote:
>>>
>>> Hi,
>>>
>>> Guess it's good we opted to forbid SSLv3 where possible:
>>>
>>> https://www.imperialviolet.org/2014/10/14/poodle.html
>>>
>> ACK! 
>> We should also reference their paper and explain why we disabled it. 
>>
>> BTW: for that we'll need the cipherstringB macro again - to replace the cipherstring in the document in a consistent way. 
> Yes, but I would leave out the 'where possible'. Using Cleartext and a
> warning page or no connection at least somehow signals danger to the end
> user, whereas current user agents don't (yet) warn on SSL3-connections.
> So I would recommend turning off SSL3 on a server, period. 
>
> Is there any data as for how frequent SSL3-only user-agents still are?
Maybe Cloudflare. I remember them having interesting stats on RC4, they
should have that on SSLv3 too.
https://blog.cloudflare.com/the-web-is-world-wide-or-who-still-needs-rc4/


> Even ancient Internet Explorers on WinXP can be configured[0] to support
> TLS 1.0 after all, so I would not include a 'where possible' for those
> weird setups: such an addition would maybe confuse more server admins
> into "erring on the side of (misguided) caution", leaving them with SSL3
> enabled "because I might have compatibility problems".
>
>
>
> Ciao,
>
> Alexander Wuerstlein.
>
>
> [0] says Wikipedia: http://en.wikipedia.org/wiki/Transport_Layer_Security
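Alexander asks how frequent SSL3-only user agents still are. One way to measure that on your own servers before and after turning SSLv3 off is to classify the ClientHello messages clients send by the highest protocol version they advertise. The following is an added example, not code from this thread or from the Ach project; the ClientHello bytes are constructed inline and the function names are hypothetical.

```python
import struct

SSLV3 = (3, 0)  # protocol version 3.0 as carried in the ClientHello


def build_client_hello(major: int, minor: int, suites: list[int]) -> bytes:
    """Build a minimal ClientHello record (constructed sample input, not captured traffic):
    client_version, 32 zero bytes of random, empty session id, the given cipher suites,
    and the null compression method."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes([major, minor]) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # type 1 = client_hello
    return bytes([22, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Parse a handshake record carrying a ClientHello and report the versions it offers.
    The record-layer version is unreliable (TLS clients often send 3.0 or 3.1 there), so the
    decision is based on client_version inside the ClientHello. TLS 1.3 clients signal their
    version in the supported_versions extension, but their client_version is 3.3 > 3.0, so
    they are still correctly classified as not SSLv3-only."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                        # skip client_version and random
    pos += 1 + hello[pos]               # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return {
        "record_version": (rec_major, rec_minor),
        "client_version": client_version,
        "cipher_suites": suites,
        "sslv3_only": client_version <= SSLV3,  # client cannot negotiate anything newer
    }


def count_sslv3_only(records: list[bytes]) -> int:
    """Count ClientHellos from clients that would break when SSLv3 is disabled."""
    return sum(1 for r in records if parse_client_hello(r)["sslv3_only"])
```

Feed it the first handshake record of each captured connection; if the count stays at zero for a representative period, disabling SSLv3 has no compatibility cost on that server.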

