On 1/6/2014, 8:31 PM, Matthew Wild wrote:
> I believe the best thing we can do for now is to fix and update the
> clients, rather than just cutting them off on the server-side. It
> shouldn't be that hard...

That makes sense, thanks for the quick reply.

On 1/6/2014, 8:31 PM, Matthew Wild wrote:
> Also note that SSLv3 hasn't been shown to be any less secure than
> TLSv1 (in fact they are essentially the same), but TLSv1 is still very
> widely used. Therefore there is no security reason to disable SSLv3,
> unless you also plan to disable TLSv1 at the same time.

In accordance with the IETF draft for TLS and XMPP[1], would it be wise to push for both the removal of SSLv3 and TLS 1.0 in clients, or is that too pushy? Personally, I think we need to be aggressive in order to provide secure messaging in a timely fashion.

[1]: https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls/

--
Best Regards,
Justin Bull
E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
