Re: IETF mail server and SSLv3

Russ Housley <housley@vigilsec.com> Thu, 03 March 2016 04:34 UTC

Subject: Re: IETF mail server and SSLv3
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <sjmvb66r1st.fsf@securerf.ihtfp.org>
Date: Wed, 02 Mar 2016 23:34:04 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <ABDE99FE-4884-4B2C-8115-8D9CB03D372B@vigilsec.com>
References: <F38A9FEF-7DBB-4F40-860E-6CB425E5EEE3@ietf.org> <sjmvb66r1st.fsf@securerf.ihtfp.org>
To: ietf@ietf.org
X-Mailer: Apple Mail (2.1085)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/yWstW-NUDKAbsWmscuQ8UtLT7P4>

> If not, isn't there a chance that disabling SSLv3 will cause *SOME* email to fall back to non-encrypted?

http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

"DROWN shows that sometimes, bad crypto is even worse than no crypto," Graham Steel, cofounder and CEO of crypto software provider Cryptosense, told Ars. "Hopefully, DROWN will strengthen the general movement to eliminate weak crypto all over the Internet."