Hacker News new | past | comments | ask | show | jobs | submit login

This works, but from TFA:

"Disabling SSL 3.0 support … presents significant compatibility problems"

"Therefore our recommended response is to support TLS_FALLBACK_SCSV."

Disabling SSLv3 will indeed affect a significant amount of clients in the real world.

I've seen a few commenters here on HN that point out that pretty much everything since Windows XP (ignoring IE6) supports at least 1.0 of the TLS protocols. While that may be correct in theory, in practice it's not.

At a 1MM+ visitors/week site we still see a few percent of our users that regularly connect using SSLv3 across different versions of Windows, including more modern ones such as Windows Vista, 7 and 8(!)

Though I'm not sure why this is the case, antivirus software suites such as McAfee[1] have in the past been known to disable TLS 1.0 system wide in Windows.

[1] http://answers.microsoft.com/en-us/ie/forum/ie8-windows_othe...

It's well-known that the fallback can be triggered by accident, see for instance https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00:

"[...] Also, handshake errors due to network glitches could similarly be misinterpreted as interaction with a legacy server and result in a protocol downgrade."

Perhaps that's what you're seeing.

CloudFlare sees 0.65% of HTTPS traffic using SSL v3 so it's a pretty small impact.

and of that 0.65% - 98% of them have the ability to connect over TLS.

so we're talking 2% of 1% that are dead in the water.

Except if you force downgrade browsers. So they nee to actually support the extension to prevent that.

The point was that if you disable SSLv3, you will cut off some users from your site, but only 0.65%, so it's not that bad of an effect.

Does anyone have any idea what kind of clients would require SSL3 to stay enabled? Old android phones and/or Windows XP perhaps?

Quoting myself (https://news.ycombinator.com/item?id=8453718):

"For clients, a quick look at https://www.ssllabs.com/ssltest/clients.html shows that even older clients (Android 2.3, Java 6, the oldest supported version of IE, etc) support TLS 1.0, so there should be no issues disabling SSLv3 on servers too."

IE6/XP According to Qualsys.

IE6 on XP can actually use TLS, it is just not enabled by default.

But IE8 is readily available on XP so who would use IE6

I think it's probably safe to say that anyone who's using IE6 is either not one who cannot change the defaults (by policy or by skill) or their machine is already malware infested.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact