Dear Devs, Here is the blog post of the HTTPS breakdown: http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html From what I understand, the Client Hello is the first part of the SSL handshake that is not encrypted/HMAC’d.
According to https://www.openssl.org/~bodo/ssl-poodle.pdf, they recommend that clients (in the Client Hello) send the value 0x56, 0x00 (TLS_FALLBACK_SCSV) and that servers should accept the value 0x56, 0x00 (TLS_FALLBACK_SCSV), but this stuff is transmitted in plaintext, which can potentially be modified by an attacker. Can the vulnerable SSL connection still occur with the removal of the TLS_FALLBACK value set from the client? Let me know what you think when you get a chance.
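The question above, worked through as an added example (this is not code from the post, the POODLE paper or OpenSSL): a minimal ClientHello is built with TLS_FALLBACK_SCSV (0x56,0x00), an on-path attacker strips the SCSV from the plaintext hello, and the server applies the fallback rule. The part the question is really about is what happens afterwards: both sides feed their own view of the ClientHello into the Finished computation, so a modified hello produces mismatching verify_data and the handshake aborts before any application data flows. The PRF is replaced by a labelled HMAC-over-transcript-hash stand-in, and the random, master secret and cipher-suite values are constructed sample data.

```python
"""Model of TLS_FALLBACK_SCSV and why removing it from the plaintext ClientHello
does not complete a downgrade: the ClientHello bytes are part of the handshake
transcript that both peers authenticate in their Finished messages."""
import hashlib
import hmac
import struct

TLS_1_0, TLS_1_1, TLS_1_2 = 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600            # the 0x56,0x00 cipher-suite value from the paper
ALERT_INAPPROPRIATE_FALLBACK = 0x56   # alert the server sends when it detects a fallback
SAMPLE_SUITES = [0x002F, 0x0035]      # constructed sample suites; any real suites would do


def build_client_hello(version, cipher_suites, client_random):
    """Serialise a minimal ClientHello body (RFC 5246 7.4.1.2 layout, no extensions)."""
    assert len(client_random) == 32
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    return (struct.pack("!H", version) + client_random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null


def parse_client_hello(body):
    """Inverse of build_client_hello; returns version, random and the suite list."""
    version, = struct.unpack("!H", body[:2])
    rnd = body[2:34]
    pos = 35 + body[34]                                # skip session_id
    suites_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {"version": version, "random": rnd, "cipher_suites": suites}


def server_select(server_max_version, hello_bytes):
    """Server-side fallback rule: SCSV present and client_version below the
    server's best version means an undesirable fallback, so reject it."""
    hello = parse_client_hello(hello_bytes)
    if (TLS_FALLBACK_SCSV in hello["cipher_suites"]
            and hello["version"] < server_max_version):
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("ok", min(hello["version"], server_max_version))


def strip_scsv(hello_bytes):
    """What an on-path attacker can do to the unencrypted ClientHello."""
    h = parse_client_hello(hello_bytes)
    kept = [s for s in h["cipher_suites"] if s != TLS_FALLBACK_SCSV]
    return build_client_hello(h["version"], kept, h["random"])


def finished_verify_data(master_secret, label, transcript):
    """Simplified stand-in for the TLS 1.2 PRF (assumption): real TLS computes
    PRF(master_secret, label, Hash(handshake_messages))[:12]; the point kept here
    is that the transcript, ClientHello included, is under the keyed MAC."""
    msg = label + hashlib.sha256(transcript).digest()
    return hmac.new(master_secret, msg, hashlib.sha256).digest()[:12]


def simulate_fallback_retry(attacker_strips_scsv, server_max_version=TLS_1_2):
    """The client's TLS 1.2 attempt has already been broken by the attacker and it
    retries at TLS 1.0 with the SCSV, as the paper recommends."""
    client_random = b"\x11" * 32                       # constructed; real clients use a CSPRNG
    sent = build_client_hello(TLS_1_0, SAMPLE_SUITES + [TLS_FALLBACK_SCSV], client_random)
    received = strip_scsv(sent) if attacker_strips_scsv else sent
    outcome = server_select(server_max_version, received)
    if outcome[0] == "alert":
        return "rejected_by_scsv"
    # Handshake continues; both sides hold the same master secret (constructed here)
    master_secret = b"\x22" * 48
    client_fin = finished_verify_data(master_secret, b"client finished", sent)
    server_expect = finished_verify_data(master_secret, b"client finished", received)
    if not hmac.compare_digest(client_fin, server_expect):
        return "rejected_by_finished_mac"            # tampered hello never yields a session
    return "negotiated_%04x" % outcome[1]


if __name__ == "__main__":
    print(simulate_fallback_retry(False))                        # rejected_by_scsv
    print(simulate_fallback_retry(True))                         # rejected_by_finished_mac
    print(simulate_fallback_retry(False, server_max_version=TLS_1_0))  # negotiated_0301
```

The third case shows the legitimate path: a server whose best version is TLS 1.0 sees the SCSV at TLS 1.0, treats it as no fallback, and the handshake completes. The caveat is that the SCSV only helps when both client and server implement it and the client actually performs the fallback; an attacker can still break the first TLS 1.2 attempt, it just cannot turn that into a completed lower-version session.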