Florian,
On 10/16/2014 12:50, Florian Weimer wrote:
> Neither. I'm talking about the out-of-protocol insecure version
> negotiation for TLS implemented in Firefox. That's a broader scope
> than bug 689814, which is strictly about fallback to SSL 3.0.
+1
This fallback needs to get removed, yesterday.
SSL/TLS have had a secure mechanism for preventing protocol version
downgrade attacks from day 1.
Firefox circumvents this. It's about time for Firefox - and others - to
conform to the standard.
TLS_FALLBACK_SCSV is a one-time band-aid that won't do any good in the
long run.
Any server administrator that cares about security will simply disable
SSL3 in their server, rather than go through the process of upgrading
their software to support this draft.
Julien
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto