Re: [MIX] Initial feedback on Mixed Content

PS: The HTTP/2 working group specifies that only TLS 1.2+ will be
supported in the new standard and for good reason. They are also
flagging certain cipher suites as "bad" and not to be used. Good
moves, I think.

Jim Manico
(808) 652-3805

On Nov 27, 2014, at 9:25 PM, Jeffrey Walton <> wrote:

>> Browsers certainly block certain kinds of TLS. SSL 3.0, for instance.
> I think nearly all the browser support SSL 3.0. At least that's what
> we are being told for draft-ietf-tls-downgrade-scsv. (How quickly
> Heartbleed and complexity have been forgotten).
> As I understand it, TLS 1.0 suffers a similar padding attack as SSL
> 3.0 (the method of generating the IV changed between the two). I hope
> the browsers are ready to pivot quickly once the TLS PoC is unleashed.
>> And terrible cipher suites that we all know are bad.
> Similar could be said for continued use of RC4.

Received on Friday, 28 November 2014 17:11:31 UTC