[jitsi-dev] [libsrc-commits] master: Backports TLSUtils for smack [...]


Well, all the major service providers, hosters and browsers are
disabling SSLv3 entirely these days. I don't see the danger in doing the
same - on the contrary, it causes problems (as with Facebook now) and
gives us a bad score on these TLS rating lists, giving in turn bad press.

The lists I know of are for servers. Do you have in mind one that's for
clients?

I can't find it right now. I thought there was one mentioned not too long
ago on the dev-list in the context of Snowden's stuff. It probably won't
take long until one appears if there's none currently.

(And the current state of Damian's patch disables SSLv3 entirely for
XMPP anyway.)

Yes. We agreed to do it that way yesterday morning before having this
discussion.

Right now I'd like to understand exactly what the impact would be for
other SSL based services.

Most likely: none. The discussion around the Poodle attack mentioned that
basically only IE6 doesn't support TLSv1 and that SSLv3 is only still
enabled because it wasn't necessary to disable it until now.

Also: we must beat and punish users for wanting to use the wrong
protocol until they drop dead is not a position I support.

That is not what I meant. I'm talking of defaults.

Basically, if I decide that I want to use SSLv3 or even plain text to
connect to my service, that's my decision and no one else gets a say in
it. I am kind of annoyed by "You don't have the right to use that
protocol" radicalism.

If someone wants to go back and still use it, by all means, so shall he. But
by specifically stating so.

Ingo

On 2014-10-21 16:00, Emil Ivov wrote:

On 21.10.14, 03:54, Ingo Bauersachs wrote: