From: Kurt Roeckx <kurt@roeckx.be>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Florian Weimer <fw@deneb.enyo.de>,
Rob Browning <rlb@defaultvalue.org>,
emacs-devel@gnu.org
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 23:05:46 +0200 [thread overview]
Message-ID: <20141023210546.GA18158@roeckx.be> (raw)
In-Reply-To: <20141023162616.2217bfa1@jabberwock.cb.piermont.com>
On Thu, Oct 23, 2014 at 04:26:16PM -0400, Perry E. Metzger wrote:
> To reiterate: all the major sites already use TLS 1.2 with AES.
We don't only care about "major sites", there are plenty of
other sites. But if you count youtube as a major site it will
talk RC4 to Firefox. Bug agl announced that that is about to
change soon.
But you really should look at the stats of the "top 1 million"
sites I posted earlier if you want to know the state of the "major
sites".
> Ceasing to use
> SSL 3.0 is simple (even ceasing to use TLS 1.0 and 1.1 is simple but
> we're talking about SSL 3.0 here).
Ceasing to use TLS 1.0 is not simple. Only about 50% of the
servers support higher version. So we still need to support
TLS 1.0. As Florian stated openssl 0.9.8 does not support TLS
1.1 or newer and 0.9.8 is still used way too much.
> So, why do we need to support SSL
> 3.0 again? What's the rationale, other than making the lives of
> attackers easy?
I'm all for dropping SSL 3.0 support and I disabled it in openssl
in Debian testing and unstable. This was already planned for some
time, and the POODLE attack made me just do it.
But if your concern is about the POODLE attack, please note that
the attack requires many connection attemps where the attacker has
control over the plaintext that is being send. This is relativly
easy to exploit in a browser but I don't know of any attack where
this can be done outside a browser. So you want to do 1 or more
of the following:
- Disable SSLv3 in your browser
- Disable SSLv3 in your webserver
- Disable javascript
When talking about HTTPS there are clients and servers that
support SSL 3.0 but don't support TLS 1.0. But the stats say it's
less than 1% for both of them. Some people will care about that
1%, others won't.
Kurt
next prev parent reply other threads:[~2014-10-23 21:05 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20141022193441.GA11872@roeckx.be>
2014-10-22 20:02 ` Bug#766395: emacs/gnus: Uses s_client to for SSL Rob Browning
2014-10-22 20:05 ` Rob Browning
2014-10-23 14:03 ` Ted Zlatanov
2014-10-23 15:57 ` Rob Browning
2014-10-24 13:39 ` Ted Zlatanov
2016-02-20 15:28 ` Kurt Roeckx
2016-02-21 2:47 ` Lars Ingebrigtsen
2017-02-22 20:38 ` Bug#766397: " Antoine Beaupre
2017-04-16 17:28 ` Rob Browning
2014-10-22 20:14 ` Stefan Monnier
2014-10-22 21:02 ` Andreas Schwab
2014-10-23 16:49 ` Andreas Schwab
2014-10-23 17:29 ` Lars Magne Ingebrigtsen
2014-10-23 20:36 ` Stefan Monnier
2014-10-24 7:01 ` Lars Magne Ingebrigtsen
2014-10-27 19:42 ` Filipp Gunbin
2014-10-23 16:34 ` Richard Stallman
2014-10-23 18:00 ` Florian Weimer
2014-10-23 18:37 ` Perry E. Metzger
2014-10-23 18:43 ` Florian Weimer
2014-10-23 18:57 ` Perry E. Metzger
2014-10-23 18:59 ` Florian Weimer
2014-10-23 19:11 ` Kurt Roeckx
2014-10-23 19:42 ` Perry E. Metzger
2014-10-23 19:50 ` Florian Weimer
2014-10-23 20:26 ` Perry E. Metzger
2014-10-23 21:05 ` Kurt Roeckx [this message]
2014-10-24 2:56 ` Perry E. Metzger
2014-10-23 21:48 ` Stephen J. Turnbull
2014-10-24 3:00 ` Perry E. Metzger
2014-10-24 20:51 ` Stephen J. Turnbull
2014-10-24 21:14 ` Perry E. Metzger
2014-10-24 21:33 ` Lars Magne Ingebrigtsen
2014-10-25 0:36 ` Perry E. Metzger
2014-10-25 15:27 ` Ted Zlatanov
2014-10-25 15:53 ` Lars Magne Ingebrigtsen
2014-10-26 8:15 ` Florian Weimer
2014-10-26 11:42 ` Lars Magne Ingebrigtsen
2014-10-26 12:45 ` Florian Weimer
2014-10-26 1:42 ` Richard Stallman
2014-10-26 7:38 ` Florian Weimer
2014-10-24 21:47 ` Stephen J. Turnbull
2014-10-25 0:42 ` Perry E. Metzger
2014-10-27 17:17 ` Stephen J. Turnbull
2014-10-27 19:39 ` Perry E. Metzger
2014-10-28 7:04 ` Stephen J. Turnbull
2014-10-28 7:45 ` Thien-Thi Nguyen
2014-10-28 8:44 ` Stephen J. Turnbull
2014-10-28 13:31 ` Stefan Monnier
2014-10-28 15:19 ` Perry E. Metzger
2014-10-28 15:33 ` Florian Weimer
2014-10-28 16:20 ` Perry E. Metzger
2014-10-28 16:52 ` Stefan Monnier
2014-10-28 17:11 ` Perry E. Metzger
2014-10-29 3:19 ` Stephen J. Turnbull
2014-10-28 15:10 ` Perry E. Metzger
2014-10-29 2:33 ` Stephen J. Turnbull
2014-10-29 3:06 ` Perry E. Metzger
2014-10-29 7:28 ` Stephen J. Turnbull
2014-10-29 11:19 ` Perry E. Metzger
2014-10-23 19:03 ` Kurt Roeckx
2014-10-24 13:35 ` Ted Zlatanov
2014-10-25 7:31 ` Richard Stallman
2014-10-25 14:33 ` Perry E. Metzger
2014-10-25 15:49 ` removing SSLv3 support by default from the Emacs GnuTLS integration (was: Bug#766395: emacs/gnus: Uses s_client to for SSL.) Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141023210546.GA18158@roeckx.be \
--to=kurt@roeckx.be \
--cc=emacs-devel@gnu.org \
--cc=fw@deneb.enyo.de \
--cc=perry@piermont.com \
--cc=rlb@defaultvalue.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).