Alas, there’s no easy way to tell exactly what has been removed or changed in LibreSSL. We could maintain such a list, but I think the project is more than the sum of our differences, so focusing on a bullet point list is the wrong approach.
Looks like the wikipedia page has been updated1 to include what was known before this announcement. I wonder how long before it gets updated to current info….
Of course don’t forget that anyone can edit wikipedia, so take it with a grain of salt.
The standout here is that if you reuse keys (eg between email & web servers), an attacker can use an email server that supports sslv2 to decrypt web traffic that uses modern crypto.
I have two questions:
https://twitter.com/bob_beck/status/704693297583788032
I doubt libressl still supports sslv2…
I doubt it, too, but I’d love a quick way to know that doesn’t involve me either reading source or following the mailing list.
Alas, there’s no easy way to tell exactly what has been removed or changed in LibreSSL. We could maintain such a list, but I think the project is more than the sum of our differences, so focusing on a bullet point list is the wrong approach.
Looks like the wikipedia page has been updated1 to include what was known before this announcement. I wonder how long before it gets updated to current info…. Of course don’t forget that anyone can edit wikipedia, so take it with a grain of salt.
The standout here is that if you reuse keys (eg between email & web servers), an attacker can use an email server that supports sslv2 to decrypt web traffic that uses modern crypto.
Seems my personal site is fine according to the checker. I’ll keep an eye on it just to be sure though.