On Thu, Oct 16, 2014 at 03:13:10AM +0000, Peter Gutmann wrote:
> I'm currently travelling and have only had time for a quick look at the Poodle
> doc, but it seems to require a combination of things, a client that
> automatically falls back to SSLv3, that runs Javascript and performs actions
> on behalf of an attacker, and that deals with things like cookies [*]. In
> other words, web browsers. If you've got some embedded device that uses TLS
> as a generic substrate then it's unlikely that you'll be affected, even if
> you've somehow managed to set things up to fall back to SSLv3 rather than just
> reporting a connection error. So while I certainly wouldn't recommend
> sticking with SSLv3, it's not quite the cryptocalypse yet if you're not a web
> browser.

Correct. I'm advising Postfix users to not at this time take any
action to disable SSLv3. The net effect of doing so is slightly
negative, as a few additional messages will then be sent in the
clear. For most sites, their SSLv3-only traffic is all spam. For
a few, it is banks they deal with that have older mail security
"appliances" that only support SSLv3.

I just sent similar advice to the exim-dev list.

--
Viktor.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta