Hey Maxim,

> - SSLv3 is still important from a compatibility point of view, there
> are various clients which don't support (or enable by default)
> anything better;

But is it, really?

All major browsers (Chrome [1], Firefox [2], IE [3], Opera [4]) either already disabled SSLv3 or are about to do it.

A huge chunk of websites (>42% of Alexa's top 10.000 [5]) require at least TLSv1.0, including major properties like Facebook, Twitter [6], Wikipedia [7] and websites that are using one of the popular CDNs (CloudFlare [8], Akamai [9], MaxCDN [10], Fastly [11]).

OpenBSD and LibreSSL disabled SSLv3 by default [12].

Furthermore, when we disabled SSLv3 across our network [8] and gave website owners the ability to opt back in to it... less than 0.001% did re-enable it.

Hopefully that list is long enough to convince you that SSLv3 is not really important... Definitely not important enough to be enabled by default, because that's what the commit changes; people can still enable SSLv3 in the conf if they really need to.

[1] https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4
[2] https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
[3] http://azure.microsoft.com/blog/2014/10/29/protecting-against-the-ssl-3-0-vulnerability/
[4] http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
[5] https://8ack.de/ssl/
[6] https://twitter.com/twittersecurity/status/522190947782643712
[7] https://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/
[8] https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
[9] https://blogs.akamai.com/2014/10/poodle-faq-what-akamai-customers-need-to-know.html
[10] https://www.maxcdn.com/blog/delivery-sslv3-disabled/
[11] http://www.fastly.com/blog/fastly-update-POODLE/
[12] http://marc.info/?l=openbsd-cvs&m=141339479327258&w=2

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel