Hugo Slabbert wrote:
> On Tue 2015-Jun-30 01:04:48 +0200, Michelle Sullivan
> <[email protected]> wrote:
>
>>> That said, so far today, only 0.015% of our outbound messages that
>>> were over an encrypted link were using SSLv3. At our volume, that's
>>> not nothing, unfortunately, but it's a pretty small amount to allow to
>>> continue to allow the possibility of breaking the rest. TLSv1 is
>>> still about 5%, way too high to deprecate at this point.
>>>
>>> Inbound is 0.1% at SSLv3, 37% at TLSv1.
>> So +60% is unencrypted inbound... because it has to be or because it is
>> not forced otherwise... that is the burning question. You policy
>> Encrypted or nothing and it'll be interesting how many cope and how many
>> don't...
>
> Just to be clear: It sounds like you're talking about a scenario
> where Google would require TLS inbound and possibly outbound and
> refusing *any* cleartext delivery. Is that right? Correct me if I'm
> wrong, but I don't believe Brandon's said anything to that effect.

I got the impression that was exactly what was being proposed.

> Any discussion so far has been about "if STARTTLS && ( DHE -le 512 )
> then disconnect", possibly/probably with DANE in the mix as well and
> refusing to fall back to clear if STARTTLS is initiated but fails to
> negotiate,

This I have no problem with... it makes good sense.

Michelle

--
Michelle Sullivan
http://www.mhix.org/

_______________________________________________
mailop mailing list
[email protected]
http://chilli.nosignal.org/mailman/listinfo/mailop
