- From: Jeffrey Walton <noloader@gmail.com>
- Date: Fri, 28 Nov 2014 02:23:36 -0500
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> Browsers certainly block certain kinds of TLS. SSL 3.0, for instance. I think nearly all the browser support SSL 3.0. At least that's what we are being told for draft-ietf-tls-downgrade-scsv. (How quickly Heartbleed and complexity have been forgotten). As I understand it, TLS 1.0 suffers a similar padding attack as SSL 3.0 (the method of generating the IV changed between the two). I hope the browsers are ready to pivot quickly once the TLS PoC is unleashed. > And terrible cipher suites that we all know are bad. Similar could be said for continued use of RC4.
Received on Friday, 28 November 2014 07:24:02 UTC