Re: [PATCH] SSL: don't enable SSLv3 by default

Piotr Sikora
October 30, 2014 07:34PM
Hey Maxim,

> - SSLv3 is still important from a compatibility point of view, there
> are various clients which don't support (or enable by default)
> anything better;

But is it, really?

All major browsers (Chrome [1], Firefox [2], IE [3], Opera [4]) either
already disabled SSLv3 or are about to do it.

A huge chunk of websites (>42% of Alexa's top 10.000 [5]) requires at
least TLSv1.0, including major properties like Facebook, Twitter [6],
Wikipedia [7] and websites that are using one of the popular CDNs
(CloudFlare [8], Akamai [9], MaxCDN [10], Fastly [11]).

OpenBSD and LibreSSL disabled SSLv3 by default [12].

Furthermore, when we disabled SSLv3 across our network [8] and gave
website owners the ability to opt-in back to it... less than 0.001%
did re-enable it.

Hopefully that list is long enough to convince you that SSLv3 is not
really important... Definitely not important enough to be enabled by
default, because that's what the commit changes; people can still
enable SSLv3 in the conf if they really need to.

[1] https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4
[2] https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
[3] http://azure.microsoft.com/blog/2014/10/29/protecting-against-the-ssl-3-0-vulnerability/
[4] http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
[5] https://8ack.de/ssl/
[6] https://twitter.com/twittersecurity/status/522190947782643712
[7] https://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/
[8] https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
[9] https://blogs.akamai.com/2014/10/poodle-faq-what-akamai-customers-need-to-know.html
[10] https://www.maxcdn.com/blog/delivery-sslv3-disabled/
[11] http://www.fastly.com/blog/fastly-update-POODLE/
[12] http://marc.info/?l=openbsd-cvs&m=141339479327258&w=2

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel