RE: IETF mail server and SSLv3

On Saturday, March 5, 2016 8:00 PM, Doug Barton wrote: 
> On 03/02/2016 08:34 PM, Russ Housley wrote:
> > > If not, isn't there a chance that disabling SSLv3 will cause *SOME* email to
> > > fall back to non-encrypted?
> >
> > http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/
> >
> > "DROWN shows that sometimes, bad crypto is even worse than no crypto,"
> > Graham Steel, cofounder and CEO of crypto software provider Cryptosense,
> > told Ars. "Hopefully, DROWN will strengthen the general movement to
> > eliminate weak crypto all over the Internet."
>
> If you believe that keeping SSLv3 around for interoperability reasons is
> a good idea, you really need to learn more about the DROWN bug.

To sum up: the argument for keeping old crypto like SSLv3 around is that it will provide some security to users of old systems that are not updated. The argument against it is that keeping the old stuff installed makes everybody else less safe. On balance, "security for most" ought to win. The users of old systems have many options, such as updating their server, moving to a different server, or simply working in clear text. It is a case where the security of the many trumps the comfort of a few.

-- Christian Huitema
