really drop SSLv2

Etienne Goyer etienne.goyer at canonical.com
Mon Aug 9 15:55:11 BST 2010


On 10-08-08 04:47 PM, Darren Albers wrote:
> One of the attacks against SSL is to break all the attempts to
> negotiate a strong cipher leaving the endpoints to negotiate a weak or
> hopefully null cipher (If the server supports a null cipher which I
> hope is not the case).   If you want a strong environment make sure
> that the weakest cipher you support is still one you would feel safe
> transmitting confidential information over.

Ok, I see.  If it is possible indeed for a third-party to manipulate the
cipher negotiation between two legitimate endpoints (through a MITM
attack, I presume), then it does make sense to disable weak ciphers.

Sorry for the noise, I was not really aware of that attack vector.  Not
sure I understand the problem fully, but it seems like the SSL protocol
handshake is terribly weak if it does not resist tampering.  I am going
to read up on that.

Thanks,

-- 
Etienne Goyer
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor   -    LPIC-3

 ~= Ubuntu: Linux for Human Beings =~



More information about the ubuntu-devel mailing list