
Re: POODLE SSLv3 downgrade attack



* Erwann Abalea:

> Or more commonly because some equipment (a firewall, most of the time)
> closes the connection at both ends, and the browser retries the connection
> with a protocol downgrade. Web browsers don't intentionally break the
> handshake, they try to adapt to various servers+networks environments to
> get the resource desired by the end user.

They enable server operators to get away with non-compliant behavior.
Now they even punish those who actually maintain their web servers by
forcing them to implement TLS_FALLBACK_SCSV support.  Web browsers are
very much to blame for this particular mess.

And even worse, developers now rush in client application changes to
send TLS_FALLBACK_SCSV on every handshake, even if they do not perform
a browser-style insecure protocol version downgrade.  This will make
deployment of TLS 1.3 on servers rather difficult.
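
Added example, not part of the original message: a model of the server-side TLS_FALLBACK_SCSV check (as later standardized in RFC 7507), showing how a client that sends the SCSV on its first, non-downgraded handshake is refused once the server gains a newer protocol version. The helper names and sample ClientHello bodies are constructed here, and version negotiation through `client_version` with 0x0304 standing for TLS 1.3 is an assumption of the model.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86      # alert description defined for the SCSV
SSL3, TLS12, TLS13 = 0x0300, 0x0303, 0x0304  # 0x0304: assumed TLS 1.3 client_version

def build_client_hello(client_version, suites):
    """Constructed sample ClientHello body (no record or handshake header)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"  # one compression method: null

def parse_client_hello(body):
    """Return (client_version, cipher_suites); raise ValueError if malformed."""
    if len(body) < 35:
        raise ValueError("truncated before session_id")
    (version,) = struct.unpack_from("!H", body, 0)
    off = 35 + body[34]  # skip version, random, session_id
    if len(body) < off + 2:
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if cs_len % 2 or len(body) < off + cs_len:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, i)[0] for i in range(off, off + cs_len, 2)]
    return version, suites

def server_decision(body, server_max_version):
    """Server-side SCSV rule: refuse if the client claims a fallback but we support more."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and server_max_version > version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("negotiate", min(version, server_max_version))

AES128_SHA = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, used as a filler suite
always_scsv = build_client_hello(TLS12, [AES128_SHA, TLS_FALLBACK_SCSV])  # first attempt, no retry
real_fallback = build_client_hello(SSL3, [AES128_SHA, TLS_FALLBACK_SCSV])
plain = build_client_hello(TLS12, [AES128_SHA])

if __name__ == "__main__":
    for name, hello in [("always_scsv", always_scsv), ("real_fallback", real_fallback), ("plain", plain)]:
        for srv in (TLS12, TLS13):
            print(f"{name:13} server_max={srv:#06x} -> {server_decision(hello, srv)}")
```

The `always_scsv` client works against a TLS 1.2 server and is rejected by the same server after it enables the newer version, while the `plain` TLS 1.2 client keeps working.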