Mozilla is getting rid of SSLv3 in version 34. I imagine Chrome will follow, and MS will phase it out on the client side for supported versions. The biggest issue the browsers have is not supporting it and web sites that depend on SSL 3.0. IMO these sites should join the herd and migrate over to TLS. Apache, nginx, and IIS can all be configured not to authenticate using SSLv3 chain with their respectively configured certificates. This is what most web admins are doing, in conjunction with killing support for older browser versions. For example, anything below IE 8 depends on SSLv3, so these browsers are out of luck (and significantly out of date) for accessing sites configured to not us SSLv3. Also, EFF had a notification about upgrading the HTTPS everywhere plugin, the latest version will mitigate (prevent) the use of SSLv3 certs. -- Jeremy MountainJohnson Jeremy.MountainJohnson at gmail.com On Thu, Oct 16, 2014 at 12:10 PM, gregrwm <tclug1 at whitleymott.net> wrote: > poodle i think i understand, disable ssl in servers and browsers. > breach/crime are still issues too if i read correctly, tho i'm less sure i > understand, but i think the advice is encrypt or compress as you wish, but > don't do both. the question: where are we at with firefox, chrome, and > apache regarding following this advice? > > _______________________________________________ > TCLUG Mailing List - Minneapolis/St. Paul, Minnesota > tclug-list at mn-linux.org > http://mailman.mn-linux.org/mailman/listinfo/tclug-list >