really drop SSLv2
etienne.goyer at canonical.com
Mon Aug 9 15:55:11 BST 2010
On 10-08-08 04:47 PM, Darren Albers wrote:
> One of the attacks against SSL is to break all the attempts to
> negotiate a strong cipher, leaving the endpoints to negotiate a weak or
> hopefully null cipher (if the server supports a null cipher, which I
> hope is not the case). If you want a strong environment, make sure
> that the weakest cipher you support is still one you would feel safe
> transmitting confidential information over.
Ok, I see. If it is possible indeed for a third-party to manipulate the
cipher negotiation between two legitimate endpoints (through a MITM
attack, I presume), then it does make sense to disable weak ciphers.
Sorry for the noise, I was not really aware of that attack vector. Not
sure I understand the problem fully, but it seems like the SSL protocol
handshake is terribly weak if it does not resist tampering. I am going
to read up on that.
Technical Account Manager - Canonical Ltd
Ubuntu Certified Instructor - LPIC-3
~= Ubuntu: Linux for Human Beings =~
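
An added example, not part of the original thread: a check for the advice quoted above that the weakest cipher a server supports must still be acceptable. The function names, the 128-bit threshold and the sample suite list are assumptions made for illustration; the dict shape matches what Python's `ssl.SSLContext.get_ciphers()` returns.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLContext.get_ciphers().
# The suite names are real OpenSSL names; the selection is illustrative.
SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "NULL-SHA", "strength_bits": 0},
]

def downgrade_floor(server_suites, client_suites):
    """Weakest suite both ends accept: the worst case if a third party
    can interfere with negotiation of the stronger ones."""
    client = {c["name"] for c in client_suites}
    mutual = [s for s in server_suites if s["name"] in client]
    return min(mutual, key=lambda s: s["strength_bits"], default=None)

def audit(server_suites, client_suites, min_bits=128):
    """Return (ok, floor, offenders).

    offenders lists every server suite below min_bits (assumed threshold);
    floor is what this particular client could be pushed down to.
    """
    floor = downgrade_floor(server_suites, client_suites)
    offenders = [s["name"] for s in server_suites
                 if s["strength_bits"] < min_bits]
    return (not offenders), floor, offenders

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

if __name__ == "__main__":
    # Audit a candidate server cipher string against itself as the client.
    suites = expand("HIGH:!aNULL:!eNULL")
    ok, floor, offenders = audit(suites, suites)
    print("ok" if ok else "weak", floor["name"], offenders)
```

Removing the offenders from the server's cipher string raises the floor for every client, whatever that client offers.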