út 29. 10. 2019 v 13:29 odesílatel Michael Kesper <mkes...@schokokeks.org>

> > I see. Still an odd kind of protection though.  The attacker can just
> downgrade themselves.
> No. A sensible server will not talk to you if your requested SSL version
> is too low.
> pub.orcid.org seems to use absolutely outdated and insecure software
> versions.

right. If you want good security, you need to limit TLS version on both
side (client-urlib3 and server-whatever). Than downgrade attack is not

Best regards
 Ondřej Nový

Reply via email to