by corbezzoli
972 days ago
1) Pardon me if I’m wrong, but downgrade attacks will be possible for as long as HTTP-non-S is allowed. Browsers could support SSLv2 as long as they treat it as an insecure origin. (This assumes HSTS isn’t used, which definitely isn’t on SSLv2 hosts.)

2) This one yes.
IIRC it was possible to perform downgrade attacks up to SSLv3, but again the client must accept these algorithms; modern browsers reject them.

Disabling port 80 has no value[1], unless clients who do not respect HSTS are of concern (I think curl does not).
[1] https://letsencrypt.org/docs/allow-port-80/
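The comment above turns on whether a client honours HSTS at all. As an added example, not code from the thread or from any browser, here is a minimal model of what an HSTS-respecting client does: parse the `Strict-Transport-Security` header (RFC 6797 syntax), remember the host only when the header arrived over TLS, and rewrite `http://` URLs for known hosts to `https://` before any plaintext request is sent. Host names and header values are constructed for illustration.

```python
"""Minimal HSTS client model (added example; hosts and headers are constructed)."""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is malformed (missing, duplicate or non-numeric max-age), in which
    case RFC 6797 says the client must ignore it.
    """
    max_age = None
    include_subdomains = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # 'preload' and unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Known-HSTS-host cache: host -> includeSubDomains flag. max-age=0 evicts."""

    def __init__(self) -> None:
        self._hosts: Dict[str, bool] = {}

    def observe(self, host: str, header: str, over_tls: bool) -> None:
        # RFC 6797 section 8.1: the header is only honoured when received over
        # a TLS connection without errors; a plaintext response cannot set HSTS.
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        host = host.lower()
        if parsed["max_age"] == 0:
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = bool(parsed["include_subdomains"])

    def is_known(self, host: str) -> bool:
        """True if host, or a parent with includeSubDomains, is a known HSTS host."""
        host = host.lower()
        if host in self._hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if self._hosts.get(parent):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite an http:// URL to https:// when the host is a known HSTS host.

        Port 80 becomes the default HTTPS port; any other explicit port is kept,
        matching the URI rewriting rule in RFC 6797 section 8.3.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port is not None and parts.port != 80:
                netloc = f"{netloc}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # Header seen over TLS: host is now pinned to HTTPS, subdomains included.
    store.observe("example.test", "max-age=31536000; includeSubDomains", over_tls=True)
    print(store.upgrade("http://www.example.test/login"))  # https://www.example.test/login
```

A client without this logic (the "does not respect HSTS" case in the comment) would follow an `http://` link over plaintext even for a host that has sent the header, which is exactly why the redirect on port 80 still has a job to do for those clients.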