[cryptography] no, don't advertise that you support SSLv2!

Patrick Pelletier code at funwithsoftware.org
Tue Aug 4 00:29:43 EDT 2015


I was on an e-commerce site today, and was horrified when I saw the 
following badge:

https://lib.store.yahoo.net/lib/yhst-11870311283124/secure.gif

Did they still have SSLv2 enabled?  I checked, and luckily they don't:

https://www.ssllabs.com/ssltest/analyze.html?d=us-dc2-order.store.yahoo.net

So, it's not as bad as their badge claims, but still, they only get a 
C.  (They support only one version: TLS 1.0.)  I would've thought a big 
Web property like Yahoo could do better.  :(

--Patrick


