Ian G wrote:
> Something I've been meaning to ask - is there any particular
> reason to continue to discuss SSLv3 when instead we could
> just talk about and promote TLSv1 ? That is, is there anything
> in the two specs and the deployed implementations that might
> make one or the other incompatible?
TLS was supposed to replace SSLv3 because of functionality reasons more than security ones, in that you could have a port (say 80) that could then escalate to encryption if asked. One of the most widely deployed uses of this is SMTP-TLS: both encrypted and non-encrypted use the same port (port 25), but when the client first connects to the server it sends a signal to start the encryption handshaking process.

This is especially important for web-related uses, as you could also send the hostname you wanted to connect to before doing the handshaking, which means if a server has 50 certificates to choose from and you send a specific hostname, it can try and match that and send you the right certificate, rather than sending a certificate, which is currently the case.

Due to being able to reuse ports, it was also supposed to serve the (perceived) purpose of reducing the number of IPs needed by web hosting companies for encrypted websites.

-- 
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a better time on the trip."

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
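The hostname-before-handshake mechanism Duane describes is the TLS Server Name Indication (SNI) extension: the client puts the hostname it wants inside its ClientHello, and the server reads it before choosing which certificate to present. The following is an added example, not code from the thread or from any of the projects in the signature. It constructs a TLS 1.0 ClientHello (with and without SNI), parses the extension back out the way a virtual-hosting server would, and picks a certificate from a constructed table of hostname-to-certificate labels; the record layout follows the TLS handshake format, the cert table and hostnames are fixtures.

```python
"""Added example: build and parse a TLS ClientHello with the SNI extension,
then select a server certificate by the name the client asked for."""
import struct

SNI_EXTENSION_TYPE = 0x0000   # extension_type server_name
SNI_HOST_NAME = 0             # NameType host_name


def build_client_hello(hostname, version=(3, 1), cipher_suites=(0x002F, 0x0035)):
    """Constructed ClientHello record (TLS 1.0 = version 3.1).
    hostname=None omits the extension block entirely, as an SSLv3-era client would."""
    body = bytes(version)                      # client_version
    body += b"\x00" * 32                       # client random (zeros: test fixture only)
    body += b"\x00"                            # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    if hostname is not None:
        name = hostname.encode("idna")         # host_name is the ASCII (A-label) form
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    # Handshake header: type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version, 2-byte length
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the server_name from a ClientHello record, or None if the record is
    not a ClientHello or carries no SNI (older clients send no extensions at all)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                               # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                       # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                       # compression_methods
    if len(body) < pos + 2:
        return None                            # no extensions block present
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None                            # truncated extensions: treat as absent
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXTENSION_TYPE:
            return _parse_server_name_list(edata)
    return None


def _parse_server_name_list(data):
    """Walk the ServerNameList and return the first host_name entry as text."""
    if len(data) < 2:
        return None
    end = 2 + struct.unpack("!H", data[:2])[0]
    pos = 2
    while pos + 3 <= end <= len(data):
        ntype, nlen = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if ntype == SNI_HOST_NAME:
            try:
                return name.decode("ascii")    # non-ASCII or NUL bytes are not a valid host_name
            except UnicodeDecodeError:
                return None
    return None


def select_certificate(record, certs_by_name, default_name):
    """Pick the certificate to present: exact match, then a *.domain wildcard entry,
    else the default the server would have sent to an SNI-less client.
    certs_by_name maps lowercase hostnames to certificate labels (constructed table)."""
    name = parse_sni(record)
    if name is not None:
        key = name.lower().rstrip(".")
        if key in certs_by_name:
            return key, certs_by_name[key]
        parts = key.split(".", 1)
        if len(parts) == 2 and "*." + parts[1] in certs_by_name:
            return key, certs_by_name["*." + parts[1]]
    return name, certs_by_name[default_name]
```

SNI is sent in the clear and before any authentication, so a server should treat it only as a hint for certificate selection (and bound what it will match against, as above), never as proof of which site the client is authorized to reach; the hostname the client later checks the certificate against is what binds the connection to the right site.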
