[5863] in cryptography@c2.net mail archive
Re: Is SSL dead?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Oct 8 19:54:32 1999
From: "Steven M. Bellovin" <smb@research.att.com>
To: Bill Stewart <bill.stewart@pobox.com>
Cc: Greg Broiles <gbroiles@netbox.com>,
"Phillip Hallam-Baker" <hallam@ai.mit.edu>,
"Robert Hettinga" <rah@shipwright.com>, dcsb@ai.mit.edu,
cypherpunks@cyberpass.net, cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 08 Oct 1999 18:40:36 -0400
Message-Id: <19991008224042.1F2F641F16@SIGABA.research.att.com>
In message <3.0.5.32.19991007095728.009e8650@idiom.com>, Bill Stewart writes:
> At 04:35 PM 10/6/99, Phillip Hallam-Baker wrote:
>
> That means that you can only succeed against web-users whose browsers
> still accept SSL2.0, which is most Netscape users by default;
> I don't know if IE also defaults to that, but it probably does.
> Even if the https://www.target.com uses SSL3.0, the user isn't talking to it -
> they're talking to https://www.attacker.com, which can use 2.0 if it wants.
Right -- and as long as sites like amazon.com -- to pick a real-world,
just-verified example -- accept only SSL 2.0, asking folks to turn it off just
isn't real.
--Steve Bellovin
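[Editor's note, added example: the following toy model is not code from the archived thread or from any of its authors. It models only the negotiation logic the two messages argue about: a browser that still accepts SSL 2.0 can be held at 2.0 by www.attacker.com no matter what www.target.com supports, a browser with 2.0 turned off cannot be downgraded, and that same browser can no longer talk to a site that accepts only 2.0. The client/server objects, the "highest common version" and "lowest accepted version" choice rules, and the site names are assumptions for illustration; the real SSL 2.0 handshake, including the fact that its own version negotiation is not integrity-protected, is not modelled.]

```python
"""Toy model of the SSL 2.0 downgrade discussed in the thread.

Constructed illustration; version numbers are labels and nothing here
speaks the real SSL wire protocol.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Ver(IntEnum):
    SSL2 = 2
    SSL3 = 3


@dataclass
class Client:
    """A browser: the versions it will speak, and the lowest one it will
    finish a handshake with."""
    supported: frozenset
    minimum: Ver = Ver.SSL2   # assumed 1999 default: still completes SSL 2.0


@dataclass
class Server:
    supported: frozenset


def honest_negotiate(client: Client, server: Server) -> Optional[Ver]:
    """A well-behaved server picks the highest version both sides support."""
    common = client.supported & server.supported
    if not common:
        return None
    chosen = max(common)
    return chosen if chosen >= client.minimum else None


def attacker_negotiate(client: Client, attacker: Server) -> Optional[Ver]:
    """www.attacker.com controls the server side of the handshake, so it
    picks the weakest version the browser will still accept. What the
    real www.target.com supports never enters the picture."""
    common = client.supported & attacker.supported
    if not common:
        return None
    chosen = min(common)
    return chosen if chosen >= client.minimum else None


BOTH = frozenset({Ver.SSL2, Ver.SSL3})
# Assumed browser configurations (hypothetical, for illustration).
DEFAULT_BROWSER = Client(supported=BOTH)                                      # accepts 2.0
HARDENED_BROWSER = Client(supported=frozenset({Ver.SSL3}), minimum=Ver.SSL3)  # 2.0 turned off
# Assumed sites (hypothetical, for illustration).
TARGET = Server(supported=frozenset({Ver.SSL3}))        # www.target.com, SSL 3.0 capable
ATTACKER = Server(supported=BOTH)                       # www.attacker.com, happy to use 2.0
LEGACY_SITE = Server(supported=frozenset({Ver.SSL2}))   # a site that accepts only SSL 2.0


def scenarios() -> dict:
    """Outcome of each handshake; None means the handshake does not complete."""
    return {
        "default_to_target": honest_negotiate(DEFAULT_BROWSER, TARGET),          # SSL3
        "default_to_attacker": attacker_negotiate(DEFAULT_BROWSER, ATTACKER),    # SSL2: downgraded
        "hardened_to_attacker": attacker_negotiate(HARDENED_BROWSER, ATTACKER),  # SSL3: no downgrade
        "hardened_to_legacy": honest_negotiate(HARDENED_BROWSER, LEGACY_SITE),   # None: locked out
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} -> {result.name if result else 'handshake refused'}")
```

The last two rows are the two halves of the exchange above: turning 2.0 off at the client is the only place the downgrade can be stopped, because the attacker owns the server side; and a client that does so is cut off from every site that still accepts only 2.0, which is why the advice was judged unrealistic at the time.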