[Cryptography] DROWN attack on SSLv2 enabled servers

Viktor Dukhovni cryptography at dukhovni.org
Sun Mar 6 17:49:04 EST 2016


> On Mar 6, 2016, at 3:29 PM, ianG <iang at iang.org> wrote:
> 
> Instead, they've preferred to travel with the false sirens of algorithm agility.

Democracy is the worst form of government, except for all the others.

In fact algorithm agility (and protocol negotiation) make it possible
to move on.  OpenSSL 1.1.0 (beta slated for later this week) moved on
before DROWN.  The 1.0.x stable branches remained backwards compatible
with SSLv2 too long, this has now been addressed.

-- 
	Viktor.



More information about the cryptography mailing list