Re: Fedora crypto policy vs the real world Was: available crypto policies


 



----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <nmav@xxxxxxxxxx>
> To: "Hubert Kario" <hkario@xxxxxxxxxx>
> Cc: "Tomas Mraz" <tmraz@xxxxxxxxxx>, security@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Tuesday, 6 May, 2014 2:31:12 PM
> Subject: Re: Fedora crypto policy vs the real world Was: available crypto policies
> 
> On Tue, 2014-05-06 at 07:42 -0400, Hubert Kario wrote:
> 
> > Sorry, but how does that force a plaintext session?
> 
> You try to connect to an https site. It doesn't work and an error
> message is issued that no common ciphers were found. The only thing that
> you can try as user is fall back to http.

That would require the site to be available over HTTP and HTTPS.
All sites that want HTTPS redirect all requests given over HTTP to the HTTPS
site, so you can't manually downgrade them.
That means the only users that use the HTTPS version are probably people that
have installed the HTTPS Everywhere extension - not the average user.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security




