Thomas Kahle wrote:
> On 30/03/15 10:57, Andrew Savchenko wrote:
>> And using https for that will create a
>> tremendous stress on mirror's CPUs, so this is a bad approach.
>> Not to mention that https itself is a very hapless protocol with tons
>> of vulnerabilities (all SSL versions are affected and most TLS
>> implementations).
> This is spreading FUD.

As far as I know this is correct.
All SSL protocol versions including v3 have known vulnerabilities.
In addition, a number of implementations of TLS 1.0 and 1.1 have been found
susceptible to the Poodle and/or FREAK attacks.
That the https protocol is hapless is maybe a pessimistic view on the
situation. But if all were fine, why do some organizations think they need
certificate pinning again?
Best regards,
Chí-Thanh Christopher Nguyễn