[cryptography] no, don't advertise that you support SSLv2!

ianG iang at iang.org
Tue Aug 4 07:43:12 EDT 2015


On 4/08/2015 05:29 am, Patrick Pelletier wrote:
> I was on an e-commerce site today, and was horrified when I saw the
> following badge:
>
> https://lib.store.yahoo.net/lib/yhst-11870311283124/secure.gif
>
> Did they still have SSLv2 enabled?  I checked, and luckily they don't:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=us-dc2-order.store.yahoo.net
>
> So, it's not as bad as their badge claims, but still, they only get a
> C.  (They support only one version: TLS 1.0.)  I would've thought a big
> Web property like Yahoo could do better.  :(


Why is this any different to a web browser showing a padlock to users 
that means you're secure?



iang


