really drop SSLv2

James Westby jw+debian at jameswestby.net
Mon Aug 9 15:10:15 BST 2010


On Thu, 05 Aug 2010 10:02:07 -0400, Etienne Goyer <etienne.goyer at canonical.com> wrote:
> On 10-08-04 06:05 PM, Kees Cook wrote:
> > Hi Jim,
> > 
> > On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
> >> Why not kill the weak ciphers too?
> > 
> > Sure! Can you send a patch for this?
> 
> I do not really see the point.  Since the client and the server will
> negotiate the strongest cipher they both support, what exactly would we
> gain by removing ciphers considered weak?

Because a malicious party will not negotiate the strongest cipher, they
may negotiate the weakest.

Granted this will generally just affect that one conversation, but
depending on the attack that may be enough.

Thanks,

James
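The point James makes above, as an added worked example (not code from the thread or from Ubuntu/OpenSSL): the server only controls which suites it accepts, not what the peer offers. The snippet models a simplified OpenSSL-style cipher string (bare tokens add suites, `!TOKEN` removes them permanently; `+`, `-` and `@STRENGTH` are not modelled) and the server's suite selection, using a constructed toy catalogue whose suite names follow OpenSSL's old naming but whose strength classes are illustrative assumptions. A well-behaved client offering its strongest suite first gets it; a peer that offers nothing but weak suites gets a weak suite from a permissive server, even with server-order preference, and a handshake failure from a server whose cipher list drops them.

```python
"""Added example (not from the thread): why the server-side cipher list
matters even though a normal client negotiates the strongest common suite."""

# Constructed toy catalogue in server preference order. Names follow OpenSSL's
# old naming; the strength classes are illustrative (assumption), not OpenSSL's.
CATALOGUE = [
    ("AES256-SHA",   "HIGH"),
    ("AES128-SHA",   "HIGH"),
    ("DES-CBC3-SHA", "MEDIUM"),
    ("RC4-MD5",      "MEDIUM"),
    ("DES-CBC-SHA",  "LOW"),
    ("EXP-RC4-MD5",  "EXPORT"),
]
WEAK_CLASSES = {"LOW", "EXPORT"}


def _matching(token):
    """Suite names matched by one token: ALL, a strength class, or an exact name."""
    if token == "ALL":
        return [name for name, _ in CATALOGUE]
    return [name for name, cls in CATALOGUE if cls == token or name == token]


def expand_cipher_string(spec):
    """Simplified OpenSSL cipher-string semantics: ':'-separated tokens; a bare
    token appends its matches, '!TOKEN' removes them permanently (a later
    'ALL' cannot bring them back). '+', '-' and '@STRENGTH' are not modelled."""
    enabled, banned = [], set()
    for token in spec.split(":"):
        if token.startswith("!"):
            banned.update(_matching(token[1:]))
            enabled = [n for n in enabled if n not in banned]
        else:
            for name in _matching(token):
                if name not in banned and name not in enabled:
                    enabled.append(name)
    return enabled


def negotiate(client_offer, server_enabled, honor_server_order=False):
    """Server-side suite selection. By default the client's preference order
    decides; with honor_server_order the server's own order does. Returns the
    chosen suite name, or None when there is no common suite (handshake fails)."""
    if honor_server_order:
        preference, candidates = server_enabled, set(client_offer)
    else:
        preference, candidates = client_offer, set(server_enabled)
    for name in preference:
        if name in candidates:
            return name
    return None


def weak_suites_enabled(server_enabled):
    """Config check: which of the server's enabled suites fall in a weak class."""
    classes = dict(CATALOGUE)
    return [n for n in server_enabled if classes[n] in WEAK_CLASSES]


def demo():
    """Run the scenarios from the thread and return the outcomes."""
    permissive = expand_cipher_string("ALL")
    hardened = expand_cipher_string("ALL:!LOW:!EXPORT:!RC4-MD5")
    honest = ["AES256-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"]  # strongest first
    weak_only = ["EXP-RC4-MD5", "DES-CBC-SHA"]              # peer offers nothing strong
    return {
        "weak_enabled_permissive": weak_suites_enabled(permissive),
        "weak_enabled_hardened": weak_suites_enabled(hardened),
        "honest_vs_permissive": negotiate(honest, permissive),
        "weak_vs_permissive": negotiate(weak_only, permissive),
        "weak_vs_permissive_server_order": negotiate(weak_only, permissive, True),
        "weak_vs_hardened": negotiate(weak_only, hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The server-order case is the one worth noticing: preferring the server's order only helps when the peer offers something strong to prefer, so it is no substitute for removing the weak suites from the enabled list.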


