Closed Bug 1084577 (poodlebleed) Opened 11 years ago Closed 11 years ago

Mozilla.org (and other sites) vulnerable to POODLE due to SSLv3 being enabled [poodlebleed]

Categories: Websites :: Other, defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: mandeepjadon18, Unassigned
Whiteboard: webops config bug is 1077634

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36

Steps to reproduce:
Go to http://poodlebleed.com/ and test the Mozilla servers. You'll find the server at mozilla.org has SSL 3.0 enabled. Clients connecting with browsers that support SSL 3.0 and HTTPS fallback will not be secure.

Actual results:
SSL 3.0 enabled on the server side.

Expected results:
Ideally the server should have no support for SSL 3.0, as it is very weak.
Thank you for reporting this. We already have an inventory of which of our sites need upgrading. We have a lot of sites to upgrade and are prioritizing the ones with sensitive data. Disabling SSLv3 prevents IE 6 users from connecting. For our Firefox download site, which has no sensitive information that can be recovered by the POODLE attack, we have chosen explicitly to allow that compatibility.
Group: client-services-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Component: Security → Other
Product: Marketplace → Websites
Version: 2014-Q4 → unspecified
Whiteboard: webops config bug is 1077634
Alias: poodlebleed
Summary: poodlebleed → Mozilla.org (and other sites) vulnerable to POODLE due to SSLv3 being enabled [poodlebleed]
Rewording the summary in hopes that it'll make this bug a little bit easier to find and therefore reduce dupes.
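The report's reproduction step relies on a third-party site to tell you whether a server still answers SSL 3.0 handshakes, and the reply explains why that is a deliberate compatibility choice for some hosts. The following script is an added example, not code from this bug, from Mozilla, or from poodlebleed.com: it builds a raw SSLv3 ClientHello and classifies the server's first record, so an operator can audit their own inventory without depending on an external scanner or on an OpenSSL build that still ships SSLv3. The cipher suite values are the standard IANA identifiers for the legacy RSA suites; the sample replies at the bottom are constructed for the offline self-check, not captured from any real server.

```python
"""Check whether a TLS endpoint still accepts an SSLv3 ClientHello (added example)."""
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"   # protocol version 3.0 = SSLv3

# Legacy RSA suites an SSLv3-only client would plausibly offer (IANA values).
SSL3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello(random_bytes: bytes = bytes(32)) -> bytes:
    """Return a record-layer framed SSLv3 ClientHello with no extensions.

    A fixed all-zero random is used so the output is deterministic; a real
    client would send 32 fresh random bytes here.
    """
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        SSL3_VERSION                              # client_version = 3.0
        + random_bytes                            # 32-byte random
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", len(suites)) + suites # cipher_suites vector
        + b"\x01\x00"                             # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record a server returns for the SSLv3 ClientHello.

    'sslv3-accepted' : an SSLv3 ServerHello came back, so SSL 3.0 is enabled
    'refused-alert'  : an alert record came back (suffix names the description)
    'closed'         : the server closed without sending any record
    'unexpected'     : anything else (treat as 'investigate', not as 'safe')
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unexpected"
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 21 and len(payload) >= 2:                 # alert
        return "refused-alert:" + ALERT_NAMES.get(payload[1], str(payload[1]))
    if content_type == 22 and payload and payload[0] == 2:       # handshake / server_hello
        # ServerHello body: type(1) length(3) server_version(2) random(32) ...
        if len(payload) >= 6 and payload[4:6] == SSL3_VERSION:
            return "sslv3-accepted"
    return "unexpected"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3 ClientHello to host:port and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unexpected"
    return classify_response(data)


# Constructed sample replies for the offline self-check (not real captures).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"      # handshake record, version 3.0, 42-byte payload
    + b"\x02\x00\x00\x26"        # ServerHello, 38-byte body
    + b"\x03\x00" + bytes(32)    # server_version 3.0, server random
    + b"\x00"                    # session_id length 0
    + b"\x00\x2f"                # chosen suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x00"                    # compression null
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal protocol_version


if __name__ == "__main__":
    for name, sample in [("server_hello", SAMPLE_SSLV3_SERVER_HELLO),
                         ("alert", SAMPLE_PROTOCOL_VERSION_ALERT), ("empty", b"")]:
        print(f"{name:13s} -> {classify_response(sample)}")
    if len(sys.argv) > 1:                          # e.g. python probe.py your.host.example
        print(sys.argv[1], "->", probe_sslv3(sys.argv[1]))
```

Because the ClientHello advertises version 3.0 and nothing higher, a ServerHello is only possible if the server is willing to speak SSLv3; a fatal alert or an immediate close is the expected result on a host that has been upgraded. Run it against each hostname in the inventory and flag anything classified as `sslv3-accepted`, keeping in mind the reply's point that for hosts serving only public downloads the owners may have accepted that result knowingly.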
Do we still want to support IE 6, a super old browser? I think it is time to fix the POODLE attack and weak DH exchange (see https://www.ssllabs.com/ssltest/analyze.html?d=download.mozilla.org), at least after XP and Vista support is officially dropped.
Flags: needinfo?(gijskruitbosch+bugs)
Flags: needinfo?(curtis.koenig+bz)
I don't make decisions about www.m.o and so I don't understand why I was needinfo'd.
Flags: needinfo?(gijskruitbosch+bugs)
I don't make decisions for w.m.o either.
Flags: needinfo?(curtis.koenig+bz)
As long as we continue to support Windows XP SP2, then we'll support IE 6.
So should we file a new bug and make it blocked by XP support deprecation?
Is this not already the bug?