Closed Bug 1084909 Opened 6 years ago Closed 5 years ago
Cannot enter in secure page in www
.bod .com .ve bank when sslv3 disabled
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:36.0) Gecko/20100101 Firefox/36.0 Build ID: 20141018030201 Steps to reproduce: go to www.bod.com.ve and click "inicio de sesion" Actual results: An error occurred during a connection to bod.bodmillenium.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) Expected results: Show login / password page to access bank's online system
This is the result of bug 1076983 setting "security.tls.version.min" to "0" makes it working again. That change disables only the insecure SSLv3 support and this report looks therefore as invalid/tech evangelism but moving to Security:PSM for a final decision.
This server supports really only the old and insecure sslv3 via https://www.ssllabs.com/ssltest/analyze.html?d=bod.bodmillenium.com Protocols TLS 1.2 No TLS 1.1 No TLS 1.0 No SSL 3 INSECURE Yes SSL 2 No
Thanks , it's working again !
Gabriel: Mozilla disabled sslv3 due to a known security issue known under the name "POODLE" attack. Google for it if you want to know more about this security issue. With changing the min version preference back to "0" you are vulnerable to this attack and you should use this only as temporary workaroumd. Can you contact your bank and report this issue to them ? You can point them to this bug report if it helps.
Note that the server in question comes up as "mitigated" for POODLE, but mitigating this is done by using RC4, which is itself insecure. (and thus why virtually nobody is attempting this) Someone might want to create a new meta-bug to track SSL3 only servers and attempt to contact their admins to get them upgraded, however honestly, it's probably a lost cause. Anything still SSL3-only at this point is effectively not maintained and it might be impossible to contact anyone in the relevant companies that will care. The only practical route forward is probably just to wait until their users complain to them directly and close these bugs as INVALID.
Shouldn't this move into Tech Evangelism?
https site is now down now (http is still up), hopefully to do the transition.
Actually, I tested the wrong site, sorry.
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Summary: Cannot enter in secure page in www.bod.com.ve bank after update → Cannot enter in secure page in www.bod.com.ve bank when sslv3 disabled
Target Milestone: --- → Nov
Version: 36 Branch → unspecified
Looks like they fixed the site although ssllabs still shows an outdated result. https://bod.bodmillenium.com now supports TLS 1.0 and TLS_RSA_WITH_AES_128_CBC_SHA.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.