Nelson Bolyard wrote:
That statement about plain text mode that doesn't test certificates is utter nonsense. It's causing Fear, Uncertainty and Doubt (FUD). It's NONSENSE.
Nonsense for MS IE users as well?
Yes.
I just ran a test on my Win2K box, with IE 6.0. IE 6.0 attempts to negotiate the following ciphersuites:
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000005) SSL3/RSA/RC4-128/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x010080) SSL2/RSA/RC4-128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
(0x000063) TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA
The article you quoted talked about SSL doing no encryption and SSL not using certs. All of IE's ciphersuites listed above use certs with RSA or DSA (DSS) public keys for authentication, and use at least 40-bit encryption. So, I conclude that neither Mozilla nor IE 6.0 is vulnerable to either of the above concerns.
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
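The check described in the message above, written out as an added example that is not part of the original post: it parses the `(code) PROTO/KEYEXCHANGE/CIPHER/MAC` lines and reports any suite with no certificate-based authentication or no encryption. The function names and the two `CONSTRUCTED` lines are assumptions made for illustration; key sizes are read as labelled in the listing, not as effective strength.

```python
import re

# Ciphersuite list copied from the post above (IE 6.0 on Win2K).
IE6_OFFER = """
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000005) SSL3/RSA/RC4-128/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x010080) SSL2/RSA/RC4-128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
(0x000063) TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA
"""
# Constructed lines in the same notation, NOT from the post: a NULL-cipher
# suite and an anonymous-DH suite, the two cases the quoted article feared.
CONSTRUCTED = "(0x000001) SSL3/RSA/NULL/MD5\n(0x000018) SSL3/DH-anon/RC4-128/MD5\n"

LINE = re.compile(r"\((0x[0-9a-fA-F]+)\)\s+([^/\s]+)/([^/\s]+)/([^/\s]+)/([^/\s]+)")
def parse(text):
    """Return (code, auth, bits) per suite; auth is None when no cert is used."""
    suites = []
    for code, _proto, kex, cipher, _mac in LINE.findall(text):
        # Largest number in the cipher field is the key size as labelled in the
        # listing (RC4-40 -> 40, 3DES192EDE-CBC -> 192); NULL has none -> 0.
        bits = max((int(n) for n in re.findall(r"\d+", cipher)), default=0)
        auth = None if "anon" in kex.lower() else next((a for a in ("RSA", "DSS") if a in kex), None)
        suites.append((code, auth, bits))
    return suites

def audit(text):
    """Summarise the two properties the post argues about."""
    suites = parse(text)
    return {
        "count": len(suites),
        "unauthenticated": [c for c, auth, _ in suites if auth is None],
        "unencrypted": [c for c, _, bits in suites if bits == 0],
        "min_bits": min(bits for _, _, bits in suites),
    }

print(audit(IE6_OFFER), audit(CONSTRUCTED))
```

For the list in the post, both problem lists come back empty and the smallest labelled key size is 40 bits; the constructed lines show what a flagged offer would look like.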
