* Aaron Zauner <[email protected]> [141014 13:56]:
> Hi Viktor,
>
> I disagree with a couple of points you make:
>
> * Viktor Dukhovni <[email protected]> [141014 10:30]:
> > And in particular the "MUST NOT" for RC4 is also inapplicable with
> > opportunistic TLS.
> >
> > [...]
> >
> > 3.
> > SSL Protocol version recommendations.
> >
> > Once again with unauthenticated opportunistic TLS even SSL 3.0 or
> > TLS 1.0 is (much) better than cleartext. So the MUST NOT SSL 3.0
> > and SHOULD NOT TLS 1.0 are too strong.
BTW: On the SHOULD NOT for TLS 1.0, see BEAST (CVE-2011-3389). There was also [0]. This is a protocol flaw that some tried to mitigate with RC4 [sic!] a while ago. There's not much that you can do anyhow; AEAD ciphersuites are not available in TLS 1.0 nor is protection against chosen-plaintext attacks with CBC [1]. This is fixed in TLS 1.1.

Aaron

[0] - http://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf
[1] - http://eprint.iacr.org/2004/111
      http://eprint.iacr.org/2006/136
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
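The CBC weakness Aaron refers to is the implicit IV chaining of TLS 1.0 (each record's IV is the last ciphertext block of the previous record, visible on the wire before the next record is chosen), which TLS 1.1 replaced with an explicit, unpredictable per-record IV. The following is an added illustration written for this page, not code from the thread or from any TLS implementation. It simulates both IV schemes over a stand-in keyed PRF (HMAC-SHA256 truncated to one block, which is not a real block cipher but suffices because only the encryption direction is exercised) and a constructed secret record, and shows the property the cited papers analyse: with chained IVs an observer who can choose one plaintext block can confirm or refute a guess for an earlier block by equality of ciphertext blocks, while with a fresh random IV the same construction yields nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16

# Constructed sample values for the demonstration (not from the thread).
SECRET = b"session=0xC0FFEE"      # one 16-byte "sensitive" record
WRONG_GUESS = b"session=0xDEADBE"  # a candidate that is not the secret


def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for one block-cipher encryption. This is NOT a real block
    cipher (it is not invertible); a keyed PRF is enough here because the
    IV-chaining leak only involves the encryption direction."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = iv."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        c = prf_block(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


class ChainedIvSender:
    """TLS 1.0 style: the IV of record n+1 is the last ciphertext block of
    record n, so anyone watching the wire knows it before record n+1 is built."""

    def __init__(self, key: bytes, first_iv: bytes):
        self.key, self.next_iv = key, first_iv

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct


class ExplicitIvSender:
    """TLS 1.1 style: a fresh unpredictable IV per record, transmitted with it."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)


def chained_iv_oracle_confirms(secret_block: bytes, guess: bytes) -> bool:
    """Returns True iff ciphertext equality confirms `guess` == `secret_block`
    when IVs are chained. The observer sees every record and may choose the
    plaintext of one later record (the assumption in the cited papers)."""
    sender = ChainedIvSender(os.urandom(32), os.urandom(BLOCK))
    c1 = sender.send(b"public-record-1.")   # any record; its content is irrelevant
    iv2 = c1[-BLOCK:]                        # IV of record 2, learned from the wire
    c2 = sender.send(secret_block)           # c2 = E(secret XOR iv2)
    iv3 = c2[-BLOCK:]                        # IV of record 3, known before record 3 is chosen
    chosen = xor(xor(iv2, guess), iv3)       # so that chosen XOR iv3 == iv2 XOR guess
    c3 = sender.send(chosen)                 # c3 = E(iv2 XOR guess)
    return c3 == c2                          # equal exactly when guess == secret


def explicit_iv_oracle_confirms(secret_block: bytes, guess: bytes) -> bool:
    """Same construction against per-record random IVs. The chosen plaintext
    must be fixed before iv3 exists, so the observer can only assume a value;
    the equality test then succeeds only if that assumption was right
    (probability 2^-128), i.e. effectively never."""
    sender = ExplicitIvSender(os.urandom(32))
    iv2, c2 = sender.send(secret_block)
    assumed_iv3 = bytes(BLOCK)               # any fixed assumption; the real IV is unknown
    chosen = xor(xor(iv2, guess), assumed_iv3)
    _iv3, c3 = sender.send(chosen)
    return c3 == c2


if __name__ == "__main__":
    for label, guess in (("correct guess", SECRET), ("wrong guess", WRONG_GUESS)):
        print(f"chained IV (TLS 1.0 style), {label}: "
              f"confirmed={chained_iv_oracle_confirms(SECRET, guess)}")
        print(f"explicit IV (TLS 1.1 style), {label}: "
              f"confirmed={explicit_iv_oracle_confirms(SECRET, guess)}")
```

The point for a server operator is the one Aaron makes: the leak is a property of the TLS 1.0 record layer, not of any particular cipher, so the cure is negotiating TLS 1.1 or later (explicit IVs, and AEAD suites from TLS 1.2 on), not swapping CBC for RC4.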
