Gervase Markham wrote: > Kikx wrote: > >> Yes ... >> but there is still 2 solutions >> - A very big warning if we speak in SSL3 and the answer came in SSL2 > > > SSL3 has a mechanism for detecting an attacker attempting to downgrade a > connection between two SSL3 endpoints to SSL2 in order to MITM it, if > that's what you mean.
I don't understand your point ... I have writen a program a couple of month before with downgrade a connection to SSL 2 without any warning ... And I can't understand how the "mechanism" works because before the handshake you have no security and as the attaker ask for an SSL2 connexion, there is no more checksum for the transaction in clear text ... then as the transaction in clear are not checked ... the attaker can do whatever he wants !!!! (assuming that both of endpoints will accept such a level of encryption) After that I can understand that we can't just disable the SSL2 but a warning should be welcomed ... and this warning is not in the SSL2 or SSL3 protocols Regards Kikx _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security