In message <[EMAIL PROTECTED]>, Bill Stewart writes:
> At 04:35 PM 10/6/99, Phillip Hallam-Baker wrote:
>
> That means that you can only succeed against web-users whose browsers
> still accept SSL2.0, which is most Netscape users by default;
> I don't know if IE also defaults to that, but it probably does.
> Even if the https://www.target.com uses SSL3.0, the user isn't talking to it -
> they're talking to https://www.attacker.com, which can use 2.0 if it wants.

Right -- and as long as sites like amazon.com -- to pick a real-world,
just-verified example -- accept only SSL 2.0, asking folks to turn it off
just isn't real.

--Steve Bellovin