Re: TLS 1.0 vulnerability found

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 21 Sep 2011 15:25:31 +0200
Message-Id: <1C476CD1-BE9B-4891-8153-C9F9D2EDAECB@bblfish.net>
To: WebID XG <public-xg-webid@w3.org>

On 21 Sep 2011, at 11:51, Henry Story wrote:

> 
> On 21 Sep 2011, at 10:22, Nathan wrote:
> 
>> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
> 
> It looks like the pressure is growing to get all browsers to support TLS 1.2. Clearly, until they do, switching is difficult for web sites.

A non-verified account of a user called Ben Laurie, who has the same name as a person interested in security at Google, said on g+, to support an argument that the above issue was a non-problem and that there are easier solutions than moving to TLS 1.2 [1]:

<quote>
 I am not at liberty to discuss details until Duong and Rizzo give their talk, but I have looked into this for OpenSSL. So, more soon! However, unless they have something they're not telling me, they don't have much.
 OpenSSL 1.0.1 supports TLS 1.1 and 1.2.
 It isn't clear that all the churn in 1.2 is actually desirable.
</quote>

So for what that is worth, a piece of a puzzle that might raise a few questions.

Henry

[1] https://plus.google.com/109693896432057207496/posts/D4JN2NmQzjj

Social Web Architect
http://bblfish.net/
Received on Wednesday, 21 September 2011 13:26:12 GMT
