12 Nov 2014, 9:54 a.m.
Timo Sirainen:
... I don't think SSLv3 is especially exploitable with IMAP/POP3 protocols.
It's well known SSLv3 *is* a problem for HTTP, we assume, it isn't for
SMTP/POP/IMAP
Administrators, also responsible for putting new paper in the printer,
may not have the skill to distinguish in that detail. They see the
panic in HTTP and see no action on other applications. What do they
learn?
On the other side:
If we consequently disable the broken protocol they /may/ see
"Ah, SSLv3 REALLY seems to be broken, the experts disable it here and
there and over there, too"
The attention is much higher.
Andreas