"Salz, Rich" <[email protected]> writes:
>It’s pretty simple: There are no longer any secure SSLv3 ciphers.
I'm currently travelling and have only had time for a quick look at the Poodle
doc, but it seems to require a combination of things, a client that
automatically falls back to SSLv3, that runs Javascript and performs actions
on behalf of an attacker, and that deals with things like cookies [*]. In
other words, web browsers. If you've got some embedded device that uses TLS
as a generic substrate then it's unlikely that you'll be affected, even if
you've somehow managed to set things up to fall back to SSLv3 rather than just
reporting a connection error. So while I certainly wouldn't recommend
sticking with SSLv3, it's not quite the cryptocalypse yet if you're not a web
browser.
Peter.
[*] It can probably be generalised, but it'd have to be done on a case-by-case
basis for each application of SSL, and probably wouldn't work for many of
those cases.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
