| 1 |
Zhang Weiwu wrote: |
| 2 |
> I think I have to give up only using TLS, but use SSL instead. Most of |
| 3 |
> my visitors to my site are using Internet Explorer, but I just tried and |
| 4 |
> found (by surprise) Internet Explorer 6 by default does not allow TLS |
| 5 |
> connection. The users must go to Internet Options -> Advanced -> Enable |
| 6 |
> TLS 1.0 connection. I know well my visitors are too stupid to do this, |
| 7 |
> and in Internet Cafe people have no access to Internet Options. |
| 8 |
> |
| 9 |
> But why? Why IE6 choose not to use TLS by default? Are they really |
| 10 |
> stupid or something? |
| 11 |
|
| 12 |
The client and the server negotiate to find a common method to encrypt |
| 13 |
communications. If TLS is available to both then there is a possibility |
| 14 |
that it will be used. However, most browsers/email clients/whatever come |
| 15 |
with the least restrictive set of ciphers and methods enabled, for |
| 16 |
backwards compatability. So you may find that you have your site set up |
| 17 |
properly but the client will end up using 40 bit SSLv2, even though it |
| 18 |
is totally insecure these days (to be technical, it was busted from the |
| 19 |
get go). Check out the mod_ssl modules in your |
| 20 |
/etc/apache/conf/modules.d directory for more details on what you can do |
| 21 |
to provide high quality encryption service to your customers. |
| 22 |
|
| 23 |
Dave |
Archives