Disabling SSLv3 protocol

A. Schulze sca at andreasschulze.de
Wed Nov 12 07:54:19 UTC 2014


Timo Sirainen:

> ... I don't think SSLv3 is especially exploitable with IMAP/POP3 protocols.

It's well known that SSLv3 *is* a problem for HTTP; we assume it isn't for
SMTP/POP/IMAP.

Administrators, also responsible for putting new paper in the printer,
may not have the skill to distinguish in that detail. They see the
panic in HTTP and see no action on other applications. What do they
learn?

On the other side:
If we consequently disable the broken protocol, they /may/ see
"Ah, SSLv3 REALLY seems to be broken, the experts disable it here and
there and over there, too"

The attention is much higher.

Andreas





