- From: Jim Manico <jim.manico@owasp.org>
- Date: Fri, 28 Nov 2014 07:11:04 -1000
- To: "noloader@gmail.com" <noloader@gmail.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
PS: The HTTP/2 working group specifies that only TLS 1.2+ will be supported in the new standard and for good reason. They are also flagging certain cipher suites as "bad" and not to be used. Good moves, I think. -- Jim Manico @Manicode (808) 652-3805 On Nov 27, 2014, at 9:25 PM, Jeffrey Walton <noloader@gmail.com> wrote: >> Browsers certainly block certain kinds of TLS. SSL 3.0, for instance. > I think nearly all the browser support SSL 3.0. At least that's what > we are being told for draft-ietf-tls-downgrade-scsv. (How quickly > Heartbleed and complexity have been forgotten). > > As I understand it, TLS 1.0 suffers a similar padding attack as SSL > 3.0 (the method of generating the IV changed between the two). I hope > the browsers are ready to pivot quickly once the TLS PoC is unleashed. > >> And terrible cipher suites that we all know are bad. > Similar could be said for continued use of RC4. >
Received on Friday, 28 November 2014 17:11:31 UTC