Kai,
On 10/20/2014 16:47, Kai Engert wrote:
> On Mon, 2014-10-20 at 16:45 -0700, Julien Pierre wrote:
>> What is the purpose of Firefox continuing to do any fallback at all?
>> IMO, making a second connection with any lower version of SSL/TLS
>> defeats the intent of the SSL/TLS protocol, which has built-in defenses
>> against protocol version downgrade.
>> Isn't it time this fallback gets eliminated at last?
> I'm stating what I found, I'm not making that decision.
Sorry, I didn't mean to blame you for that decision - but IMO this
should be pointed out to whoever made that call.
The whole TLS_FALLBACK_SCSV would be unnecessary if not for this browser
misbehavior - and I hope the IETF will reject it.
Julien
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto