Re: [TLS] Prohibiting SSL 3.0
Yuhong Bao <yuhongbao_386@hotmail.com> Fri, 31 October 2014 17:55 UTC
From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: Watson Ladd <watsonbladd@gmail.com>, Bodo Moeller <bmoeller@acm.org>
Date: Fri, 31 Oct 2014 10:55:32 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BX5bdXsplIxWX357AhpyOB2bY_k
Cc: "tls@ietf.org" <tls@ietf.org>
> The question is not why SSL v3 got it wrong. The question is why we
> didn't get it right a few years later, and stop using broken
> protocols. You wrote in 2004 that one byte could be extracted from a
> SSL v3 ciphertext, thus breaking confidentiality completely. Yet it's
> not until 2014 that this actually leads to action on depreciating SSL
> v3.

Ah, back in 2004 most browsers still came with SSLv2 enabled by default. TLS 1.0 was barely five years old. IE6 was the dominant browser and it came with TLS 1.0 disabled by default. It wasn't until late 2006 that Firefox 2.0 and IE7 were released that disabled SSLv2. SSLv2 had much worse security flaws than SSLv3 did.

Yuhong Bao