Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From: Perry E. Metzger
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 22:56:21 -0400

On Thu, 23 Oct 2014 23:05:46 +0200 Kurt Roeckx <address@hidden> wrote:
> > So, why do we need to support SSL
> > 3.0 again? What's the rationale, other than making the lives of
> > attackers easy?
> I'm all for dropping SSL 3.0 support and I disabled it in openssl
> in Debian testing and unstable.  This was already planned for some
> time, and the POODLE attack made me just do it.

Then we're pretty much in agreement already and no more needs to be
said. :)

> But if your concern is about the POODLE attack, please note that
> the attack requires many connection attempts where the attacker has
> control over the plaintext that is being sent.

Long experience says that attacks only get stronger with time. (They
don't get weaker -- people don't forget attacks -- and smart people
often figure out refinements.) I prefer closing the door rather than
waiting to find out what the next implication of downgrade attacks is.

Anyway, you agree with me on the SSL 3.0 part, and I'm not seriously
suggesting TLS 1.0 be dropped *yet*, so we agree.

Perry E. Metzger                address@hidden
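The thread's practical point is that a client should refuse SSL 3.0 outright rather than rely on the difficulty of any one attack, and that TLS 1.0 is a separate decision. As an added illustration (not code from this thread, from Gnus, or from Debian's OpenSSL packaging), the Python snippet below uses the standard `ssl` module as a stand-in for the s_client wrapper under discussion: it builds a client context with an explicit protocol floor and an audit helper that reports which protocol versions the context would still negotiate. The `floor` parameter and the `_VERSION_ORDER` table are this example's own constructs.

```python
import ssl

# Protocol versions from weakest to strongest, with the flag that says
# whether the linked OpenSSL build supports each one at all.
_VERSION_ORDER = [
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]


def make_client_context(floor="TLSv1.2"):
    """Return a verifying client context that never speaks below `floor`.

    `floor` is one of the names in _VERSION_ORDER (a constructed API for
    this example). The floor is enforced with minimum_version, which is
    the supported way to pin a protocol floor; it cannot be downgraded by
    a peer that only offers SSL 3.0.
    """
    names = {name: ver for name, ver, _ in _VERSION_ORDER}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject unverifiable servers
    ctx.check_hostname = True             # and name mismatches
    ctx.load_default_certs()              # system CA store, no network needed
    ctx.minimum_version = names[floor]
    return ctx


def allowed_versions(ctx):
    """List the protocol version names `ctx` would still negotiate.

    Combines the build-time HAS_* flags, the context's minimum/maximum
    version, and the legacy OP_NO_SSLv3 option that SSLContext sets by
    default, so the result reflects what would actually go on the wire.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for name, ver, built_in in _VERSION_ORDER:
        if not built_in:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and ver < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and ver > hi:
            continue
        if name == "SSLv3" and ctx.options & ssl.OP_NO_SSLv3:
            continue
        allowed.append(name)
    return allowed


if __name__ == "__main__":
    # Audit a context with the floor this example defaults to (TLS 1.2),
    # then one that mirrors the thread's "drop SSL 3.0, keep TLS 1.0 for now".
    for floor in ("TLSv1.2", "TLSv1"):
        ctx = make_client_context(floor)
        print(f"floor={floor}: negotiable versions = {allowed_versions(ctx)}")
```

On any current OpenSSL build the audit never lists SSLv3 regardless of the floor, because the build lacks it and the context option forbids it; moving the floor between "TLSv1" and "TLSv1.2" is what changes whether TLS 1.0 and 1.1 appear, which is the separate decision the message defers.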

