IETF Logo Mail Archive

RE: IETF mail server and SSLv3

"Christian Huitema" <huitema@huitema.net> Sun, 06 March 2016 16:46 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B6471B2EFB for <ietf@ietfa.amsl.com>; Sun, 6 Mar 2016 08:46:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stWRCGsTfyPI for <ietf@ietfa.amsl.com>; Sun, 6 Mar 2016 08:46:20 -0800 (PST)
Received: from xsmtp06.mail2web.com (xsmtp06.mail2web.com [168.144.250.232]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98D091B2EFA for <ietf@ietf.org>; Sun, 6 Mar 2016 08:46:20 -0800 (PST)
Received: from [10.5.2.18] (helo=xmail08.myhosting.com) by xsmtp06.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1acbot-0002W8-0B for ietf@ietf.org; Sun, 06 Mar 2016 11:46:19 -0500
Received: (qmail 13329 invoked from network); 6 Mar 2016 16:46:13 -0000
Received: from unknown (HELO huitema1) (Authenticated-user:_huitema@huitema.net@[24.16.156.113]) (envelope-sender <huitema@huitema.net>) by xmail08.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dougb@dougbarton.us>; 6 Mar 2016 16:46:13 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Doug Barton' <dougb@dougbarton.us>, ietf@ietf.org
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com> <56DBAB5A.1070708@dougbarton.us>
In-Reply-To: <56DBAB5A.1070708@dougbarton.us>
Date: Sun, 06 Mar 2016 08:46:16 -0800
Message-ID: <030201d177c7$b4b19830$1e14c890$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIKaCElIELMdGuKz3ViWUZFxY9p1QIjufhKAWf8d70CAtie6p6uSRXA
Content-Language: en-us
Subject: RE: IETF mail server and SSLv3
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/Av2TSShLrX7QzFtozOiWSoMLFSk>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2016 16:46:22 -0000

On Saturday, March 5, 2016 8:00 PM, Doug Barton wrote: 
> On 03/02/2016 08:34 PM, Russ Housley wrote:
> >> If not, isn't there a chance that disabling SSLv3 will cause *SOME* email to
> fallback to non-encrypted?
> >
> > http://arstechnica.com/security/2016/03/more-than-13-million-https-
> websites-imperiled-by-new-decryption-attack/
> >
> > "DROWN shows that sometimes, bad crypto is even worse than no crypto,"
> Graham Steel, cofounder and CEO of crypto software provider Cryptosense,
> told Ars. "Hopefully, DROWN will strengthen the general movement to
> eliminate weak crypto all over the Internet."
> 
> If you believe that keeping SSLv3 around for interoperability reasons is
> a good idea you really need to learn more about the DROWN bug.

To sum up: the argument for keeping old crypto like SSLv3 around is that it will provide some security to users of old systems that are not updated. The argument against it is that it keeping the old stuff installed makes everybody else less safe. On balance, "security for most" ought to win. The users of old systems have many options such as updating their server, moving to a different server, or simply working in clear text. It is a case where the security of the many trumps the comfort of a few.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email