Now this isn’t email servers, but in terms of websites, ~9% of surveyed sites support it: https://www.trustworthyinternet.org/ssl-pulse/
Frank

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Brandon Long via mailop
Sent: Wednesday, March 02, 2016 7:30 PM
To: Franck Martin <fmar...@linkedin.com>
Cc: Matthew Huff <mh...@ox.com>; mailop@mailop.org
Subject: Re: [mailop] TLS/SSL DROWN attack with respect to email servers

I thought that POODLE required a specific type of fallback that tended to be browser specific (i.e., prevent a TLS connection, forcing the browser to fall back to an SSL3 connection). Do any SMTP servers actually do that?

Looks like we're down to small enough SSL3 we could disable it, though. Almost all of our SSL3 comes from badoo.com, never heard of it.

Who hasn't already disabled SSL2? I'm kind of shocked at their numbers.

Brandon (not a security expert)

On Wed, Mar 2, 2016 at 4:09 PM, Franck Martin via mailop <mailop@mailop.org> wrote:

> Disable SSLv3 too, because of Poodle.
>
> We will need to get rid of RC4; unfortunately this is the only cypher some old Exchange machines understand.
>
> Also, falling back to clear text from STARTTLS is more and more frowned upon.
>
> On Wed, Mar 2, 2016 at 1:45 PM, Matthew Huff <mh...@ox.com> wrote:
>
>> If your mail server is still advertising SSLv2, your SSL private key may be vulnerable.
>> https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack
>>
>> What's worse, if you are using a wildcard cert, then any other server that is using the same cert can be trivially decrypted even if that server is only using TLS1.2 and strong cyphers.
>>
>> I know that there are a number of broken email servers that will bounce mail if TLS is negotiated but they can't negotiate older SSL or weaker cyphers, but it's probably a good idea to either:
>>
>> 1) Disable TLS, or
>> 2) Disable SSLv2
>>
>> ----
>> Matthew Huff | 1 Manhattanville Rd
>> Director of Operations | Purchase, NY 10577
>> OTA Management LLC | Phone: 914-460-4039
>> aim: matthewbhuff | Fax: 914-694-5669

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
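The thread's advice (check whether a mail server still accepts SSLv2/SSLv3 over STARTTLS, then turn SSLv2, SSLv3 and RC4 off in the MTA) as an added, runnable example. This is not code from the thread or from any of its posters. It assumes an openssl(1) build that still accepts -ssl2/-ssl3 (OpenSSL 1.0.x for SSLv2; newer builds reject the flag, which the classifier reports as "unsupported", not as a clean server), and the Postfix main.cf fragments are constructed for illustration, though the parameter names are real Postfix ones. Because DROWN is against the key, not the host, run the probe against every host that presents the same (wildcard) certificate, as Matthew's message points out.

```shell
#!/bin/sh
# Added example, not code from the mailop thread.  Two checks for the advice
# above: (1) probe an SMTP server's STARTTLS for legacy protocol versions with
# openssl s_client, (2) audit a Postfix main.cf fragment for the settings that
# disable SSLv2, SSLv3 and RC4.
#
# Assumption: -ssl2/-ssl3 only exist in OpenSSL builds that still ship those
# protocols (1.0.x for SSLv2).  A newer build rejects the flag; that is
# reported as "unsupported", never as a clean server.

# Classify s_client output.  s_client prints "New, <proto>, Cipher is <name>"
# when a session was negotiated and "New, (NONE), Cipher is (NONE)" when the
# server refused the requested version.
classify_s_client() {
  case "$1" in
    *"nknown option"*)     echo unsupported ;;  # this openssl lacks the flag
    *"Cipher is (NONE)"*)  echo refused ;;      # server rejected the version
    *"Cipher is "*)        echo accepted ;;     # legacy version still enabled
    *)                     echo error ;;        # connect or STARTTLS failure
  esac
}

# probe_smtp_protocol HOST PORT PROTO    (PROTO: ssl2, ssl3, tls1, tls1_2)
# Live use, with a hypothetical host:
#   for p in ssl2 ssl3; do echo "$p: $(probe_smtp_protocol mx.example.net 25 $p)"; done
probe_smtp_protocol() {
  host="$1"; port="$2"; proto="$3"
  out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
          -starttls smtp "-$proto" 2>&1)
  classify_s_client "$out"
}

# Constructed main.cf fragments (no real site's config).  WEAK still leaves
# SSLv3 and RC4 reachable; HARDENED is the thread's advice spelled out with
# Postfix parameter names (smtpd_* = inbound listener, smtp_* = outbound client).
WEAK_MAIN_CF='smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_ciphers = medium'

HARDENED_MAIN_CF='smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5'

# audit_postfix_tls CONFIG_TEXT  ->  "ok" or "missing: <items>"
# On a live box:  audit_postfix_tls "$(postconf -n)"
audit_postfix_tls() {
  missing=""
  protos=$(printf '%s\n' "$1" | sed -n 's/^smtpd_tls_protocols *= *//p')
  excl=$(printf '%s\n' "$1"   | sed -n 's/^smtpd_tls_exclude_ciphers *= *//p')
  case "$protos" in *'!SSLv2'*) ;; *) missing="$missing SSLv2" ;; esac
  case "$protos" in *'!SSLv3'*) ;; *) missing="$missing SSLv3" ;; esac
  case "$excl"   in *RC4*)      ;; *) missing="$missing RC4" ;;   esac
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}
```

The classifier keys on the "New, ..., Cipher is ..." line rather than on error strings because that line is printed by every OpenSSL release, while the alert text varies between versions. After applying the hardened fragment, run the probe again for ssl3 and expect "refused"; a result of "unsupported" tells you only that your openssl cannot speak the legacy version, so test DROWN exposure from a host that still can.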