[woodruffw]

> The highest SSL version that is common to server and client should always be used.

That is how it works. What you're missing is that everyone, both servers and clients, agrees that supporting old SSL versions is a bad idea. And they're right.

[kazinator]

Since I don't agree, it cannot be everyone.

More precisely, I don't agree with web clients not connecting to old servers.

[dale_glass]

Security done properly requires some sacrifices. Keeping old insecure versions working means exposing users to trivial ways of breaking encryption.

[kazinator]

If that were the actual principle being accurately followed, the first feature to have been removed from browsers would have been plain HTTP before any version of SSL.

Plain HTTP is what people resort to when their browser refuses to connect to an old device or server using HTTPS, which is worse than old SSL.

[Avamander]

No, because clear lack of security is better than faux security. With older SSL versions, it's security that even creates extra risk for all clients (by leaking server secrets and allowing ciphersuites that don't have PFS).

[b112]

What hogwash. You alert the user, problem solved.

The absurd idea that a user will have a 20 year old encrypted mail, because software still supports it, is ridiculous. What really happens is someone has a 20 year old mail no matter what, itcwill always exist, and the choice is, support it or not. Support it to be read, support it to be converted, warn the user, suggest fixes.

And your SSL example is senseless! In what world do you envision super secure stuff alongside weaker legacy, on the same damned server. You literally are not thinking sensibility about any of this, you examples are paper tigers.

This stance is absurb.

[Avamander]

> You alert the user, problem solved.

How do you alert the users that are running the problematic software and haven't yet updated it? The very premise is ridiculous.

> What really happens is someone has a 20 year old mail no matter what, itcwill always exist, and the choice is, support it or not. Support it to be read, support it to be converted, warn the user, suggest fixes.

Well yeah and the choice should be to not support it. If the user needs those letters they can either decrypt or just re-encrypt them. It's silly to claim that a message can somehow be both so vital to be protected by encryption, but not upgraded to something more modern.

> And your SSL example is senseless! In what world do you envision super secure stuff alongside weaker legacy, on the same damned server.

I'm not envisioning it. Nobody should be running such old useless garbage. What was suggested earlier in this thread does not work and must not happen in practice.

[kazinator]

> lack of security is better than faux security

Only when we are doing theatre. In the actual facts, lack of security is worse than inferior security.