POODLE and the fundamental market failure of browser security - cpeterso
https://freedom-to-tinker.com/blog/jbonneau/poodle-and-the-fundamental-market-failure-of-browser-security/
======
ynik
Don't forget that SSL/TLS normally resists downgrade attacks -- but browsers
use insecure fallback due to servers that don't properly handle the SSL
handshake. The whole purpose of TLS_FALLBACK_SCSV is just to re-enable the TLS
downgrade resistance while retaining compatibility with those broken servers.

I wonder what would affect more users - disabling SSLv3, or disabling insecure
fallback?
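
The fallback behaviour described in this comment, as an added simulation that is not part of the thread: a browser-style client retries with lower protocol versions after any handshake failure, tagging each retry with TLS_FALLBACK_SCSV, and a server that honours the SCSV refuses a retry below its own maximum. The version numbers and the SCSV cipher-suite value are the real wire constants; the Server class, connect() and drop_above are a constructed model, not real TLS.

```python
"""Constructed model of browser insecure version fallback and TLS_FALLBACK_SCSV
(RFC 7507). Only the version and SCSV constants are real; the rest is a toy."""

TLS12, TLS11, TLS10, SSL3 = 0x0303, 0x0302, 0x0301, 0x0300
TLS_FALLBACK_SCSV = 0x5600              # cipher-suite value defined by RFC 7507
ALL_VERSIONS = (TLS12, TLS11, TLS10, SSL3)


class Server:
    def __init__(self, max_version, honours_scsv=True, hangs_on_unknown=False):
        self.max_version = max_version
        self.honours_scsv = honours_scsv          # patched for RFC 7507?
        self.hangs_on_unknown = hangs_on_unknown  # the broken servers that never answer

    def client_hello(self, version, cipher_suites):
        # A broken server never answers a ClientHello whose version it does not know.
        if self.hangs_on_unknown and version > self.max_version:
            raise ConnectionError("no ServerHello (handshake hang)")
        # RFC 7507: SCSV present and the client offers less than we support -> refuse.
        if (self.honours_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and version < self.max_version):
            return ("alert", "inappropriate_fallback")
        return ("server_hello", min(version, self.max_version))


def connect(server, versions=ALL_VERSIONS, drop_above=None):
    """Browser-style fallback: on any failure retry with the next lower version.
    drop_above simulates an active attacker or a bad middlebox that discards every
    ClientHello whose version is greater than drop_above."""
    for attempt, version in enumerate(versions):
        suites = [0x002F]                         # one ordinary suite (AES128-SHA)
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)      # mark every retry as a fallback
        try:
            if drop_above is not None and version > drop_above:
                raise ConnectionError("ClientHello dropped on the wire")
            kind, value = server.client_hello(version, suites)
        except ConnectionError:
            continue                              # insecure fallback: try lower
        return ("refused", value) if kind == "alert" else ("connected", value)
    return ("refused", "no version accepted")


if __name__ == "__main__":
    broken = Server(TLS10, hangs_on_unknown=True)
    print(connect(broken))                    # ('connected', 769): SCSV keeps compatibility
    modern = Server(TLS12)
    print(connect(modern, drop_above=SSL3))   # ('refused', 'inappropriate_fallback')
    unpatched = Server(TLS12, honours_scsv=False)
    print(connect(unpatched, drop_above=SSL3))  # ('connected', 768): downgrade to SSLv3 succeeds
    print(connect(unpatched, versions=(TLS12,), drop_above=SSL3))  # ('refused', 'no version accepted')
```

The last call models "disabling insecure fallback" from the comment: with only one version offered, dropped ClientHellos fail the connection instead of reaching SSLv3.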

------
AnthonBerg
What if browsers support SSLv3 but throw a giant warning: "INSECURE SITE"? The
message has to be framed correctly of course.

~~~
danw3
I think the real benefit of that sort of solution would be to put the blame
squarely upon the shoulders of the outdated sites in question without the
browser vendors worrying about losing customers (A win/win?). It's an
opportunity to inform users about the major security flaws on sites like
Citibank and put some pressure on them to take this sort of security flaw
seriously.