Closed Bug 1147824 Opened 9 years ago Closed 9 years ago

Poodle attack in mail.mozilla.org

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: shahmeerbond, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:

Hey there
I found the existence of poodle attack in mail.mozilla.org
I tested the domain using poodlescan.com and found it to be vulnerable




Actual results:

The SSL v3 is allowed on the domain making it vulnerable


Expected results:

The domain should not have been vulnerable
Group: core-security → websites-security
Component: Untriaged → Other
OS: Windows 8.1 → All
Product: Firefox → Websites
Hardware: x86_64 → All
Version: Firefox 38 → unspecified
Awaiting your reply on this
Please use the list of available sites for the bounty program at https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs .

This site is not on the list and, in fact, we have transitioned away from it for Mozilla email.
So this counts as a hostile subdomain. Don't you think so? Because one way or another, it proves a vulnerability.
It isn't on the list so it would have to be an extremely bad vulnerability in order to be worth a bounty. This is a subdomain scheduled to be decommissioned.

I suggest actually using the list of eligible domains in the FAQ when looking for bounties.
I will, thanks for the suggestion.
And sorry for the stupid questions.
Flags: sec-bounty?
The use of SSLv3 on this domain is voluntary. We're aware of the risks, and have accepted them. Thanks for reporting it, but this is not a vulnerability.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
Group: websites-security