Hi,

On Tue, 29 Oct 2019 at 13:29, Michael Kesper <mkes...@schokokeks.org> wrote:
> > I see. Still an odd kind of protection though. The attacker can just
> > downgrade themselves.
>
> No. A sensible server will not talk to you if your requested SSL version
> is too low.
> pub.orcid.org seems to use absolutely outdated and insecure software
> versions.
>

Right. If you want good security, you need to limit the TLS version on both sides (client-urllib3 and server-whatever). Then a downgrade attack is not possible.

--
Best regards
 Ondřej Nový