ietf

Re: IETF mail server and SSLv3

2016-03-05 22:01:51
On 03/02/2016 08:34 PM, Russ Housley wrote:
If not, isn't there a chance that disabling SSLv3 will cause *SOME* email to 
fall back to non-encrypted?

http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack/

"DROWN shows that sometimes, bad crypto is even worse than no crypto," Graham Steel, 
cofounder and CEO of crypto software provider Cryptosense, told Ars. "Hopefully, DROWN will 
strengthen the general movement to eliminate weak crypto all over the Internet."

If you believe that keeping SSLv3 around for interoperability reasons is a good idea, you really need to learn more about the DROWN bug.

Thanks for posting this, Russ.

Doug
