Re: [TLS] Prohibiting SSL 3.0

Yuhong Bao <yuhongbao_386@hotmail.com> Fri, 31 October 2014 17:55 UTC

From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: Watson Ladd <watsonbladd@gmail.com>, Bodo Moeller <bmoeller@acm.org>
Date: Fri, 31 Oct 2014 10:55:32 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BX5bdXsplIxWX357AhpyOB2bY_k
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Prohibiting SSL 3.0

> The question is not why SSL v3 got it wrong. The question is why we
> didn't get it right a few years later, and stop using broken
> protocols. You wrote in 2004 that one byte could be extracted from a
> SSL v3 ciphertext, thus breaking confidentiality completely. Yet it's
> not until 2014 that this actually leads to action on depreciating SSL
> v3.
Ah, back in 2004 most browsers still came with SSLv2 enabled by default. TLS 1.0 was barely five years old. IE6 was the dominant browser and it came with TLS 1.0 disabled by default. It wasn't until late 2006 that Firefox 2.0 and IE7 were released that disabled SSLv2. SSLv2 had much worse security flaws than SSLv3 did.
Yuhong Bao