Closed
Bug 1081451
Opened 11 years ago
Closed 9 years ago
The False-Start implementation should not abuse the permission manager
Categories
(SeaMonkey :: Security, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: snork, Unassigned)
References
Details
Requesting an about:config setting to enable/disable TLS False-Start.
Some might argue that a list of many previously visited domains in the Data Manager is information disclosure, though I guess the severity of the information could be disputed. Since any web page can have content served from any number of other pages/domains it is quite possible that one could wind up with "verynaughtysite.com" and "illegalstuff.com" in their Data Manager even though they never knowingly intended to visit those domains directly. Some might also say that this information disclosure is the equivalent of cached pages (though SeaMonkey offers the ability to clear that content much more easily than domains in Data Manager).
I personally just don't like having to clean up long lists of domains in my Data Manager (the long way) in order to manage the domains that I *do* wish to record preferences for. I would hazard a guess that the amount of time I spend clicking on domain names, clicking "forget about this domain", clicking "preferences", and clicking "forget this data" is more than the time I save by false-starting TLS connections.
Bug 664574 requesting the ability to highlight multiple domains in Data Manager would at least save time cleaning up preferences for unwanted domains, but it would be much nicer to simply never record those preferences in the first place. In fact, if SeaMonkey had a way to recognize a web server's ability to offer TLS False-Start and use it for the current browser session (without saving the preference in Data Manager) that might be reasonable too.
Updated•11 years ago (Reporter)
OS: Windows XP → All
Hardware: x86 → All
Comment 1•11 years ago
AFAICT, the reporter is inconvenienced by the way that the false start mechanism abuses the permission manager. The false start system is abusing the permission manager that way in support of an off-by-default and never-will-be-enabled option. Gecko can simply remove everything related to the "security.ssl.false_start.require-forward-secrecy" pref to solve this problem.
See http://hg.mozilla.org/mozilla-central/rev/288b02c2e5d1, where one such pref was already removed.
Comment 2•9 years ago
Thanks for filing the bug.
AFAICT, Bug 952863 removed the bits where the false start implementation was abusing the permission manager.
So, in that sense, this bug is now "INVALID".
Blocks: 952863
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Summary: Setting to Disable TLS False-Start Feature Request → The False-Start implementation should not abuse the permission manager
Comment 3•9 years ago
On second thought, I should have resolved this as FIXED, since the false start implementation still exists, and the bug filed here was in fact fixed.
Sorry for the bugspam.