
SSL 2.0 is a disaster

How bad is this? I have internet-facing production web servers running software which (unfortunately) does not support TLS even in the most recent versions.

Are there practical attacks I should be worried about?



Yeah, I think it took until 2006 before IE and Firefox were able to disable SSLv2. SNI doesn't work with SSLv3 though, and the increasing IP address crunch and the obsolescence of XP/Server 2003 will make it more common.


Yes. SSL 3.0 is okay, but not 2.0.


okey-er.



