1. Gmail comes from (roughly) the same source as BoringSSL. It wouldn't be likely for the two to have security profiles so diverged. It warrants verification, I'd say.
2. Maybe it's worth having an option to disable enforcing the DH length. Not sure which is the lesser evil - if a person can't check his email, the fact that the piece of software thinks it's secure becomes rather irrelevant (Denial of Service through security configuration :).
3. In a similar tone, SSLv3 is certainly broken. On the other hand, is a completely insecure connection better than SSLv3? Oh, and let's not bring up the crap of "false security", "security perceptions", etc. This is strictly about whether it's worth making the attacker do some work (e.g., cross the street or twist a door-knob), or should one leave his door wide ajar when the proper strong lock doesn't work?

--
Regards,
Mouse
