This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel <SAppel@consensus.com> with numerous contributions by others.
Yes, even though SSL 3.0 defines an encrypt-only cipher suite (the
SSL_DH_anon_WITH_DES_CBC_SHA cipher suite), there are many possible
attacks against it, and some recommend against using it. SSL *MUST*
have strong server authentication or it becomes open to some attacks.
Netscape's browser and server products do not presently support
encrypt-only cipher suites for this reason.
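
One way to check a configured cipher list for suites that carry no server authentication is sketched below. It is an added example, not part of the original FAQ. The function names and the sample list are assumptions made up for illustration, and the check works on suite names only.

```python
import re

# Spec-style names: SSL_/TLS_<key exchange>[_<auth>]_WITH_<cipher>_<MAC>
SPEC_NAME = re.compile(r"^(?:SSL|TLS)_(?P<kx>\w+?)_WITH_\w+$")
# OpenSSL-style names of anonymous suites begin with ADH- or AECDH-
OPENSSL_ANON = re.compile(r"^(?:ADH|AECDH)-", re.IGNORECASE)
# Authentication labels this name-based check recognises
KNOWN_AUTH = {"RSA", "DSS", "ECDSA", "PSK"}


def server_auth(suite):
    """Return the authentication algorithm named in a suite, "none" for
    anonymous (encrypt-only) suites, or "unknown" if the name does not say."""
    suite = suite.strip()
    if OPENSSL_ANON.match(suite):
        return "none"
    m = SPEC_NAME.match(suite)
    if not m:
        # e.g. TLS 1.3 names, where authentication is not part of the suite
        return "unknown"
    # Drop the EXPORT marker so DH_anon_EXPORT is still seen as anonymous
    kx = [p for p in m.group("kx").upper().split("_") if p != "EXPORT"]
    if not kx:
        return "unknown"
    if kx[-1] == "ANON" or kx == ["NULL"]:
        return "none"
    # DHE_RSA -> RSA, DH_DSS -> DSS, RSA -> RSA
    return kx[-1] if kx[-1] in KNOWN_AUTH else "unknown"


def anonymous_suites(configured):
    """Return the configured suites that provide no server authentication."""
    return [s.strip() for s in configured if server_auth(s) == "none"]


# Constructed sample configuration (not taken from any real server)
SAMPLE = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_DES_CBC_SHA",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "ADH-AES128-SHA",
]

if __name__ == "__main__":
    for name in anonymous_suites(SAMPLE):
        print("no server authentication:", name)
```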