* on the Wed, Oct 15, 2014 at 05:53:31PM +0200, Luigi Rosa wrote:

> Just to be on the safe side, is it worth disabling SSL v3 on STARTTLS-enabled
> Postfix configurations?

FWIW, I don't think POODLE would work against SMTP traffic. POODLE relies on a MITM being able to persuade the client to send a large number of specially crafted requests to the server. This works for the web because a MITM can drop some JavaScript into a non-SSL HTTP response, which might come from a completely unrelated site, which triggers requests to be performed against the HTTPS target site.

I'd be interested to hear figures regarding how much traffic would change from being encrypted to plain text if SSLv3 was dropped for SMTP...

--
Mike Cardwell https://grepular.com https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
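An added example, not part of the original message: one way to get the figures asked about above from a Postfix log, by counting negotiated protocol versions and listing peers that were only ever seen with SSLv3. It assumes TLS logging is enabled (`smtpd_tls_loglevel = 1` / `smtp_tls_loglevel = 1`) and the usual "TLS connection established" line format; the log lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter

# One line per completed handshake; smtpd = inbound, smtp = outbound delivery.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd|smtp)\[\d+\]: "
    r"(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:from|to) (?P<peer>\S+?\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?) with cipher"
)

# Constructed sample input (documentation hostnames and addresses).
SAMPLE_LOG = """\
Oct 15 18:01:02 mx postfix/smtpd[2101]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 15 18:01:09 mx postfix/smtpd[2102]: Anonymous TLS connection established from old.example.net[198.51.100.7]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 18:02:11 mx postfix/smtp[2110]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 18:03:40 mx postfix/smtpd[2102]: Anonymous TLS connection established from old.example.net[198.51.100.7]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 15 18:04:00 mx postfix/smtpd[2120]: connect from plain.example.net[198.51.100.9]
""".splitlines()


def tls_sessions(lines):
    """Yield (direction, peer, protocol) for each TLS handshake log line."""
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            direction = "inbound" if m["daemon"] == "smtpd" else "outbound"
            yield direction, m["peer"], m["proto"]


def sslv3_exposure(lines):
    """Summarise protocol usage and the peers seen only with SSLv3."""
    counts = Counter()
    protos_by_peer = {}
    for direction, peer, proto in tls_sessions(lines):
        counts[(direction, proto)] += 1
        protos_by_peer.setdefault((direction, peer), set()).add(proto)
    total = sum(counts.values())
    sslv3 = sum(n for (_, proto), n in counts.items() if proto == "SSLv3")
    return {
        "counts": counts,
        # Candidates for a change in behaviour once SSLv3 is disabled.
        "sslv3_only_peers": sorted(
            key for key, protos in protos_by_peer.items() if protos == {"SSLv3"}
        ),
        "sslv3_share": sslv3 / total if total else 0.0,
    }


if __name__ == "__main__":
    print(sslv3_exposure(SAMPLE_LOG))
```

The share is computed over TLS sessions only; connections that never issued STARTTLS do not appear in these log lines.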