really drop SSLv2
Etienne Goyer
etienne.goyer at canonical.com
Mon Aug 9 15:43:45 BST 2010
On 10-08-09 10:10 AM, James Westby wrote:
> On Thu, 05 Aug 2010 10:02:07 -0400, Etienne Goyer <etienne.goyer at canonical.com> wrote:
>> On 10-08-04 06:05 PM, Kees Cook wrote:
>>> Hi Jim,
>>>
>>> On Wed, Aug 04, 2010 at 09:44:25AM -0400, Jim Tarvid wrote:
>>>> Why not kill the weak ciphers too?
>>>
>>> Sure! Can you send a patch for this?
>>
>> I do not really see the point. Since the client and the server will
>> negotiate the strongest cipher they both support, what exactly would we
>> gain by removing ciphers considered weak?
>
> Because a malicious party will not negotiate the strongest cipher, they
> may negotiate the weakest.
If you are connecting to a malicious party in the first place, the
problem is not the cipher.

If there are attacks where a malicious third-party can manipulate the
cipher negotiation between two legitimate endpoints, then I could see
the point of disabling weak ciphers. Otherwise, it still evades me.

--
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3
~= Ubuntu: Linux for Human Beings =~