Closed
Bug 1147824
Opened 9 years ago
Closed 9 years ago
Poodle attack in mail.mozilla.org
Categories
(Websites :: Other, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: shahmeerbond, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

Steps to reproduce:
Hey there, I found the existence of the POODLE attack in mail.mozilla.org. I tested the domain using poodlescan.com and found it to be vulnerable.

Actual results:
SSL v3 is allowed on the domain, making it vulnerable.

Expected results:
The domain should not have been vulnerable.
Updated•9 years ago
Group: core-security → websites-security
Component: Untriaged → Other
OS: Windows 8.1 → All
Product: Firefox → Websites
Hardware: x86_64 → All
Version: Firefox 38 → unspecified
Reporter
Comment 1•9 years ago
Awaiting your reply on this
Comment 2•9 years ago
Please use the list of available sites for the bounty program at https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs . This site is not on the list and, in fact, we have transitioned away from it for Mozilla email.
Reporter
Comment 3•9 years ago
So this counts as a hostile subdomain, don't you think? Because one way or another it proves a vulnerability.
Comment 4•9 years ago
It isn't on the list so it would have to be an extremely bad vulnerability in order to be worth a bounty. This is a subdomain scheduled to be decommissioned. I suggest actually using the list of eligible domains in the FAQ when looking for bounties.
Reporter
Comment 5•9 years ago
I will, thanks for the suggestion. And sorry for the stupid questions.
Updated•9 years ago
Flags: sec-bounty?
Comment 6•9 years ago
The use of SSLv3 on this domain is voluntary. We're aware of the risks, and have accepted them. Thanks for reporting it, but this is not a vulnerability.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Updated•9 years ago
Group: websites-security