Closed Bug 1128763 Opened 10 years ago Closed 9 years ago

Do insecure fallback after PR_CONNECT_RESET_ERROR for whitelisted sites only

Categories

(Core :: Security: PSM, defect)

RESOLVED FIXED
mozilla38
Tracking Status
firefox37 --- fixed
firefox38 --- fixed

People

(Reporter: emk, Assigned: emk)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1127285 +++

According to bug 1084025 comment #99, only one of ~211k sites failed with PR_CONNECT_RESET_ERROR due to intolerance. We should consider removing PR_CONNECT_RESET_ERROR from fallback reasons. It will reduce accidental fallbacks due to network glitches.
Attachment #8558221 - Flags: review?(dkeeler)
Summary: Remove unneeded insecure fallback reasons → Whitelist PR_CONNECT_RESET_ERROR as a fallback reason
Please apply the patch from bug 1116891 first (it is already r+'ed). I'll land it along with this bug because it will loosen security without a fix for this bug.
And I kept bug 1116891 separate because I am considering uplifting bug 1116891 to branches, but this bug depends on bug 1084025, which was rejected for landing on beta.
Comment on attachment 8558221
1127285_whitelist_rst_intolerance

Review of attachment 8558221:
-----------------------------------------------------------------

Ok - r=me with comment addressed.
As an aside, I think a more informative summary for this bug might be something like "do insecure fallback after PR_CONNECT_RESET_ERROR for whitelisted sites only" (much like the comment in nsNSSIOLayer.cpp).

::: netwerk/base/security-prefs.js
@@ +15,4 @@
>  # bug 1126652, www.animate-onlineshop.jp
>  # bug 1126654, www.gamers-onlineshop.jp
> +# bug 1127611, www.utahbar.org
> +pref("security.tls.insecure_fallback_hosts", "www.kredodirect.com.ua,web3.secureinternetbank.com,cmypage.kuronekoyamato.co.jp,www.timewarnercable.com,wayfarer.timewarnercable.com,airportwifi.com,cart.pcpitstop.com,books.wwnorton.com,emaildvla.direct.gov.uk,www.gosignmeup.com,m.getawaytoday.com,cualerts.dupaco.com,www.animate-onlineshop.jp,www.gamers-onlineshop.jp,www.utahbar.org");
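
Review bot: On the `+pref("security.tls.insecure_fallback_hosts", ...)` line the whole whitelist is one comma-separated string, so adding `www.utahbar.org` rewrites every entry and the diff cannot show that the other hosts are unchanged. Please confirm the new value differs from the previous one only by the appended host, and keep the `# bug 1127611, www.utahbar.org` comment in the same order as the entries so each whitelisted host stays traceable to its bug.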

Let's keep changes to this list separate from functionality changes.
Attachment #8558221 - Flags: review?(dkeeler) → review+
(In reply to David Keeler [:keeler] (use needinfo?) from comment #3)
> Let's keep changes to this list separate from functionality changes.

I simply removed the security-prefs.js change. It will be moot once bug 1128227 is landed anyway.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=69e7e86ec809

https://hg.mozilla.org/integration/mozilla-inbound/rev/b202f0f65da5
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Summary: Whitelist PR_CONNECT_RESET_ERROR as a fallback reason → Do insecure fallback after PR_CONNECT_RESET_ERROR for > whitelisted sites only
Summary: Do insecure fallback after PR_CONNECT_RESET_ERROR for > whitelisted sites only → Do insecure fallback after PR_CONNECT_RESET_ERROR for whitelisted sites only
Blocks: 1128227
Blocks: 1124039
https://hg.mozilla.org/mozilla-central/rev/b202f0f65da5
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Landed as part of a roll-up patch in bug 1128227.
https://hg.mozilla.org/releases/mozilla-aurora/rev/1e9694bbffaa
Flags: in-testsuite+
Depends on: 1131880