On 6 sep. 2013, at 22:24, Dave Cridland <[email protected]> wrote:

> I may be talking rubbish, but shouldn't the server be overriding the client's 
> order by default anyway?

Practically no server overrides the client's preference. I noticed only ~3
non-public servers do it.

I'm really not sure what side is best here.

On the one hand, it's the user whose data needs to be protected here. In
theory I think the tradeoffs are up to them (like "when you would have to
choose, would you rather have 256-bit encryption or forward secrecy?"). In
practice few clients (if any) let the user pick a cipher list and many of
those hard-coded lists are really bad, putting RC4-MD5 at the top.

So in my opinion, servers should first try to improve their security by
disabling the ciphers they don't want clients to use. Only when that is not
enough should they override the client's order.

Thijs 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
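The two policies the thread argues about, worked through as an added example (not code from the thread or from any XMPP server): a server that honours the client's order, a server that imposes its own, and the effect of simply disabling a suite first. Suite names and both preference lists are constructed for illustration.

```python
"""Added example: TLS cipher-suite selection under client order vs server
order, and why disabling a suite server-side is the first lever to pull.
All lists below are constructed, not taken from any real client or server."""

# Constructed client list: a hard-coded ordering of the kind the thread
# complains about, with RC4-MD5 at the top.
CLIENT_ORDER = ["RC4-MD5", "AES256-SHA", "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA"]

# Constructed server lists: enabled suites in the server's own preference order.
SERVER_ALL = ["ECDHE-RSA-AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-MD5"]
SERVER_NO_RC4 = [s for s in SERVER_ALL if not s.startswith("RC4")]


def negotiate(client_order, server_enabled, server_preference=False):
    """Return the suite the handshake settles on, or None if nothing overlaps.

    Default behaviour (what nearly every server does, per the thread): walk the
    ClientHello list and take the first suite the server has enabled.
    With server_preference=True the server walks its own list instead and takes
    the first suite the client offered (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE).
    """
    offered = set(client_order)
    enabled = set(server_enabled)
    if server_preference:
        return next((s for s in server_enabled if s in offered), None)
    return next((s for s in client_order if s in enabled), None)


def compare_policies(client_order, server_enabled):
    """Run both policies against one server config and return both outcomes."""
    return {
        "client_order": negotiate(client_order, server_enabled),
        "server_order": negotiate(client_order, server_enabled, server_preference=True),
    }


if __name__ == "__main__":
    # Everything enabled, client order honoured: RC4-MD5 is negotiated.
    print("all suites enabled:", compare_policies(CLIENT_ORDER, SERVER_ALL))
    # RC4 disabled, client order still honoured: AES256-SHA is negotiated
    # without the server overriding the client's preference at all.
    print("RC4 disabled:      ", compare_policies(CLIENT_ORDER, SERVER_NO_RC4))
```

Disabling alone does not settle every trade-off: a client that lists AES256-SHA ahead of an ECDHE suite still gets no forward secrecy unless the server imposes its own order, which is the second step Thijs describes.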
