From: "Perry E. Metzger" <perry@piermont.com>
To: Kurt Roeckx <kurt@roeckx.be>
Cc: Florian Weimer <fw@deneb.enyo.de>,
Rob Browning <rlb@defaultvalue.org>,
emacs-devel@gnu.org
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 22:56:21 -0400 [thread overview]
Message-ID: <20141023225621.753e2c9f@jabberwock.cb.piermont.com> (raw)
In-Reply-To: <20141023210546.GA18158@roeckx.be>
On Thu, 23 Oct 2014 23:05:46 +0200 Kurt Roeckx <kurt@roeckx.be> wrote:
> > So, why do we need to support SSL
> > 3.0 again? What's the rationale, other than making the lives of
> > attackers easy?
>
> I'm all for dropping SSL 3.0 support and I disabled it in openssl
> in Debian testing and unstable. This was already planned for some
> time, and the POODLE attack made me just do it.
Then we're pretty much in agreement already and no more needs to be
said. :)
> But if your concern is about the POODLE attack, please note that
> the attack requires many connection attemps where the attacker has
> control over the plaintext that is being send.
Long experience says that attacks only get stronger with time. (They
don't get weaker -- people don't forget attacks -- and smart people
often figure out refinements.) I prefer closing the door rather than
waiting to find out what the next implication of downgrade attacks is.
Anyway, you agree with me on the SSL 3.0 part, and I'm not seriously
suggesting TLS 1.0 be dropped *yet*, so we agree.
Perry
--
Perry E. Metzger perry@piermont.com
next prev parent reply other threads:[~2014-10-24 2:56 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20141022193441.GA11872@roeckx.be>
2014-10-22 20:02 ` Bug#766395: emacs/gnus: Uses s_client to for SSL Rob Browning
2014-10-22 20:05 ` Rob Browning
2014-10-23 14:03 ` Ted Zlatanov
2014-10-23 15:57 ` Rob Browning
2014-10-24 13:39 ` Ted Zlatanov
2016-02-20 15:28 ` Kurt Roeckx
2016-02-21 2:47 ` Lars Ingebrigtsen
2017-02-22 20:38 ` Bug#766397: " Antoine Beaupre
2017-04-16 17:28 ` Rob Browning
2014-10-22 20:14 ` Stefan Monnier
2014-10-22 21:02 ` Andreas Schwab
2014-10-23 16:49 ` Andreas Schwab
2014-10-23 17:29 ` Lars Magne Ingebrigtsen
2014-10-23 20:36 ` Stefan Monnier
2014-10-24 7:01 ` Lars Magne Ingebrigtsen
2014-10-27 19:42 ` Filipp Gunbin
2014-10-23 16:34 ` Richard Stallman
2014-10-23 18:00 ` Florian Weimer
2014-10-23 18:37 ` Perry E. Metzger
2014-10-23 18:43 ` Florian Weimer
2014-10-23 18:57 ` Perry E. Metzger
2014-10-23 18:59 ` Florian Weimer
2014-10-23 19:11 ` Kurt Roeckx
2014-10-23 19:42 ` Perry E. Metzger
2014-10-23 19:50 ` Florian Weimer
2014-10-23 20:26 ` Perry E. Metzger
2014-10-23 21:05 ` Kurt Roeckx
2014-10-24 2:56 ` Perry E. Metzger [this message]
2014-10-23 21:48 ` Stephen J. Turnbull
2014-10-24 3:00 ` Perry E. Metzger
2014-10-24 20:51 ` Stephen J. Turnbull
2014-10-24 21:14 ` Perry E. Metzger
2014-10-24 21:33 ` Lars Magne Ingebrigtsen
2014-10-25 0:36 ` Perry E. Metzger
2014-10-25 15:27 ` Ted Zlatanov
2014-10-25 15:53 ` Lars Magne Ingebrigtsen
2014-10-26 8:15 ` Florian Weimer
2014-10-26 11:42 ` Lars Magne Ingebrigtsen
2014-10-26 12:45 ` Florian Weimer
2014-10-26 1:42 ` Richard Stallman
2014-10-26 7:38 ` Florian Weimer
2014-10-24 21:47 ` Stephen J. Turnbull
2014-10-25 0:42 ` Perry E. Metzger
2014-10-27 17:17 ` Stephen J. Turnbull
2014-10-27 19:39 ` Perry E. Metzger
2014-10-28 7:04 ` Stephen J. Turnbull
2014-10-28 7:45 ` Thien-Thi Nguyen
2014-10-28 8:44 ` Stephen J. Turnbull
2014-10-28 13:31 ` Stefan Monnier
2014-10-28 15:19 ` Perry E. Metzger
2014-10-28 15:33 ` Florian Weimer
2014-10-28 16:20 ` Perry E. Metzger
2014-10-28 16:52 ` Stefan Monnier
2014-10-28 17:11 ` Perry E. Metzger
2014-10-29 3:19 ` Stephen J. Turnbull
2014-10-28 15:10 ` Perry E. Metzger
2014-10-29 2:33 ` Stephen J. Turnbull
2014-10-29 3:06 ` Perry E. Metzger
2014-10-29 7:28 ` Stephen J. Turnbull
2014-10-29 11:19 ` Perry E. Metzger
2014-10-23 19:03 ` Kurt Roeckx
2014-10-24 13:35 ` Ted Zlatanov
2014-10-25 7:31 ` Richard Stallman
2014-10-25 14:33 ` Perry E. Metzger
2014-10-25 15:49 ` removing SSLv3 support by default from the Emacs GnuTLS integration (was: Bug#766395: emacs/gnus: Uses s_client to for SSL.) Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141023225621.753e2c9f@jabberwock.cb.piermont.com \
--to=perry@piermont.com \
--cc=emacs-devel@gnu.org \
--cc=fw@deneb.enyo.de \
--cc=kurt@roeckx.be \
--cc=rlb@defaultvalue.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).