http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=729 Don't know how apropos it is to bugtraq, but I suppose it's relevant to the web application security community. It's fairly well known amongst people who use SSL to secure portions of their web application that SSL version 2 is "bad." It's so bad that a bunch of really smart people went out and created SSL version 3. So I was pretty surprised today when I noticed that https://www.google.com/ is using an expired certificate and SSLv2. Guess the moral of the story is: "even the big guys can get it wrong." /etc Matt H. -- One Ringtone to rule them all, one Carrier to find them, One Phone to bring them all and to the Service Contract bind them. ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/
