[Suggestion] Warn about SSLv3 support

Question asked by hellotls on Sep 25, 2014
Latest reply on Oct 10, 2014 by eighty

Hi, Ivan!


I want to suggest that SSL Labs warn about support for SSL v3, just like the warning about SHA-1 certificates. As you wrote in SSL/TLS Deployment Best Practices, "SSL v3 is very old and obsolete. Because it lacks some key features and because virtually all clients support TLS 1.0 and better, you should not support SSL v3 unless you have a very good reason." However, according to SSL Pulse, 98.3% of sites support SSL v3. I think by warning about and penalizing the support of SSL v3, we can push more sites to drop SSL v3.


Most browsers support TLS 1.0. Actually, even IE 6 on XP supports TLS 1.0. It's just not turned on by default. The IE6 market share was 3.33% in August 2014, and the trend is a drop of about 0.2% each month, according to Net Applications. So I don't think it will cause too many compatibility issues if we warn about SSL v3.