Disabling SSLv3 protocol
A. Schulze
sca at andreasschulze.de
Wed Nov 12 07:54:19 UTC 2014
Timo Sirainen:
> ... I don't think SSLv3 is especially exploitable with IMAP/POP3 protocols.
It's well known SSLv3 *is* a problem for HTTP, we assume, it isn't for
SMTP/POP/IMAP
Administrators, also responsible for putting new paper in the printer,
may not have the skill to distinguish in that detail. They see the
panic in HTTP and see no action on other Application. What do they
learn?
On the other side:
If we consequently disable the broken protocol they /may/ see
"Ah, SSLv3 REALLY seem to be broken, the experts disable it here and
there and over there, too"
The attention is much higher.
Andreas
More information about the dovecot
mailing list