Closed Bug 1083996 Opened 5 years ago Closed 5 years ago

SSL Version Control rolls back the min version on uninstall after Firefox update

Component: Firefox :: Extension Compatibility (defect)
Platform: x86_64, Windows 8.1
Status: RESOLVED FIXED
Reporter: emk (Unassigned)
Steps to reproduce:
1. Install Nightly built in 2014-10-15 or earlier:
   https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-10-15-03-02-02-mozilla-central/
2. Make sure security.tls.version.min is set to 0 (default).
3. Install SSL Version Control:
   https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
4. Update Nightly from About Nightly.
5. Open about:config and confirm the security.tls.version.min value.

Actual result:
security.tls.version.min is set to the vulnerable old value (a.k.a. 0).

Expected result:
SSL Version Control should not restore the old version in this case.

Mozilla recommends installing SSL Version Control as a workaround for v33 users, so this bug is significant.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
See Also: → POODLE
Sorry, insert the following step between 4. and 5.:
4.1. Uninstall SSL Version Control.
(In reply to Masatoshi Kimura [:emk] from comment #1)
> Sorry, insert the following step between 4. and 5.:
> 4.1. Uninstall SSL Version Control.

That's a critical step to omit :)  I agree that this is a bug.  The latest Nightly defaults to 1, and the add-on should restore the value to the default (not the value it was prior to installation).

Richard, do you think that you could look at this?
Flags: needinfo?(rlb)
The add-on shouldn't restore the min version if it is lower than the default value.
Summary: SSL Version Control rolls back the min version after Firefox update → SSL Version Control rolls back the min version on uninstall after Firefox update
Or the add-on should reset security.tls.version.min to the default value if the (current) default is larger than ssl-version-control.old.security.tls.version.min.
I have uploaded version 0.3 to addons.mozilla.org, which should fix this issue.  It should appear as soon as it is reviewed.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(rlb)
Resolution: --- → FIXED
The problem was not fixed.
Flags: needinfo?(rlb)
SSL Version Control 0.3 still copies back the old version blindly.
https://addons.mozilla.org/en-US/firefox/files/browse/283134/file/bootstrap.js#L50
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Any progress?
Firefox 34 is about to ship.
Richard, don't get fancy: void clearUserPref(in string aPrefName);

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIPrefBranch#clearUserPref%28%29

The current code is over-engineered.
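The two fixes proposed in this thread (restore the saved value only when it is not below the new default, or simply `clearUserPref` and let the build's default win) are shown below against a small stand-in for `nsIPrefBranch`. This is an added illustration, not the add-on's own bootstrap.js; `FakePrefBranch`, `install`, the `uninstall*` functions and `simulate` are constructed for the example, and it models the STR from this bug: Firefox 33 ships a default of 0, the add-on raises the floor to 1, the update to Firefox 34 changes the default to 1, then the add-on is uninstalled.

```javascript
// Minimal stand-in for nsIPrefBranch (constructed for this example): a default
// branch rebuilt by the application on each start, and a user branch that
// persists in the profile (prefs.js). Only the methods the add-on logic needs.
class FakePrefBranch {
  constructor(defaults) {
    this.defaults = { ...defaults }; // values shipped by the Firefox build
    this.user = {};                  // values written by the user or an add-on
  }
  getIntPref(name) {
    if (name in this.user) return this.user[name];
    if (name in this.defaults) return this.defaults[name];
    throw new Error(`unknown pref ${name}`);
  }
  setIntPref(name, value) { this.user[name] = value; }
  prefHasUserValue(name) { return name in this.user; }
  clearUserPref(name) { delete this.user[name]; }
}

const PREF = "security.tls.version.min";
const SAVED = "ssl-version-control.old." + PREF; // pref name quoted in the bug

// On install: remember the current value, then raise the floor.
function install(prefs, newMin) {
  prefs.setIntPref(SAVED, prefs.getIntPref(PREF));
  prefs.setIntPref(PREF, newMin);
}

// The behaviour this bug reports: the saved value is copied back blindly,
// so a user who updated to a build with a higher default is rolled back to 0.
function uninstallBlind(prefs) {
  prefs.setIntPref(PREF, prefs.getIntPref(SAVED));
  prefs.clearUserPref(SAVED);
}

// Fix 1: drop the user value altogether and let the build's default apply.
// Simplest, but it also discards a stricter value the user had set themselves.
function uninstallClear(prefs) {
  prefs.clearUserPref(PREF);
  prefs.clearUserPref(SAVED);
}

// Fix 2: clear the user value, read the (possibly newer) default, and only
// put the saved value back if it is stricter than that default.
function uninstallGuarded(prefs) {
  const saved = prefs.getIntPref(SAVED);
  prefs.clearUserPref(PREF);            // getIntPref now returns the default
  const def = prefs.getIntPref(PREF);
  if (saved > def) prefs.setIntPref(PREF, saved);
  prefs.clearUserPref(SAVED);
}

// Replay the STR with a chosen uninstall routine. priorUser, if given, is a
// value the user had set in about:config before installing the add-on.
function simulate(uninstall, priorUser) {
  const prefs = new FakePrefBranch({ [PREF]: 0 }); // Firefox 33.x default
  if (priorUser !== undefined) prefs.setIntPref(PREF, priorUser);
  install(prefs, 1);                               // add-on raises floor to TLS 1.0
  prefs.defaults[PREF] = 1;                        // update to Firefox 34: new default
  uninstall(prefs);
  return prefs.getIntPref(PREF);
}

console.log("blind:  ", simulate(uninstallBlind));   // rolled back to 0
console.log("clear:  ", simulate(uninstallClear));   // stays at the new default, 1
console.log("guarded:", simulate(uninstallGuarded)); // stays at the new default, 1
```

The difference between the two fixes only shows when the user had already set a stricter value before installing the add-on: `clearUserPref` alone loses that setting, while the guarded restore keeps it. Either way the value never drops below the running build's default, which is the property the reporter asks for.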
I confirmed this with a release version of Firefox. Now the STR is:
1. Install Firefox 33.1.1 (or earlier).
2. Launch Firefox with a fresh profile.
3. Install SSL Version Control 0.3.
4. Update Firefox to 34.
5. Uninstall SSL Version Control.

Actual result:
SSL Version Control 0.3 rolls back the "security.tls.version.min" pref to 0.
Duplicate of this bug: 1106691
Fixed by SSL Version Control 0.4.
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Flags: needinfo?(rlb)