Re: IETF mail server and SSLv3

Doug Barton <dougb@dougbarton.us> Sun, 06 March 2016 04:01 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90B101A9089 for <ietf@ietfa.amsl.com>; Sat, 5 Mar 2016 20:01:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.697
X-Spam-Level:
X-Spam-Status: No, score=0.697 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wl_v0ADbicCp for <ietf@ietfa.amsl.com>; Sat, 5 Mar 2016 20:01:30 -0800 (PST)
Received: from dougbarton.us (dougbarton.us [208.79.90.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77CCE1A9085 for <ietf@ietf.org>; Sat, 5 Mar 2016 20:01:30 -0800 (PST)
Received: from [IPv6:2001:4830:1a00:8056:3c6a:54a6:ee64:4e0d] (unknown [IPv6:2001:4830:1a00:8056:3c6a:54a6:ee64:4e0d]) by dougbarton.us (Postfix) with ESMTPSA id 21B813A0BD for <ietf@ietf.org>; Sun, 6 Mar 2016 04:01:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1457236889; bh=OD4VOtEeZ1EKQQPHSToBMoe9Hh8p3Z5bcwtICoNCPug=; h=Subject:To:References:From:Date:In-Reply-To; b=Sa/VcnUpyp0Ga5uRIwn4ERdxNe8s338oHcAEvNeqYSeMk5ecGda6eN/AfHDss8bP8 EbkWsox6129NVo5RIC2XgpwL/JAcc+IsXeheYq0GTPfPtL8eYUg+F17fhrsU5dmbcH raVWhN+eT1X0BeUIT8K+zljXkYDl2mePYtgvsH90=
Subject: Re: IETF mail server and SSLv3
To: ietf@ietf.org
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org> <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com>
From: Doug Barton <dougb@dougbarton.us>
Openpgp: id=E3520E149D053533C33A67DB5CC686F11A1ABC84
Message-ID: <56DBAB5A.1070708@dougbarton.us>
Date: Sat, 5 Mar 2016 20:00:26 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/f5UyZhQxqxsq1wpohiB-euDvFX0>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2016 04:01:31 -0000

On 03/02/2016 08:34 PM, Russ Housley wrote:
>> If not, isn't there a chance that disabling SSLv3 will cause *SOME* email to fallback to non-encrypted?
>
> http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/
>
> "DROWN shows that sometimes, bad crypto is even worse than no crypto," Graham Steel, cofounder and CEO of crypto software provider Cryptosense, told Ars. "Hopefully, DROWN will strengthen the general movement to eliminate weak crypto all over the Internet."

If you believe that keeping SSLv3 around for interoperability reasons is 
a good idea you really need to learn more about the DROWN bug.

Thanks for posting this Russ.

Doug