Closed Bug 1085138 (POODLEBITE) Opened 10 years ago Closed 8 years ago

[META] Sites broken due to reliance on a security protocol that was obsolete last millennium

Categories

(Web Compatibility :: Site Reports, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: davemgarrett, Unassigned)

Details

(Keywords: site-compat)

TE bugs are being filed for SSL3-only sites that are now breaking due to nobody in their right mind supporting it anymore. Here's a meta-bug for them to avoid cluttering up bug 1076983. Someone needs to contact these sites' maintainers, if they exist at all, and tell them to at bare minimum use the replacement that was released in 1999.
Blocks: POODLE
AFAIK, TLS 1.0 was released in 1999 but remember that even IE6 shipped with it disabled.
IE6 still has it disabled by default to this day, which is exactly why we have this problem. One trivial pref-flip update could've probably avoided all this a decade ago. :/
Yea, the point of mentioning this is to show that SSLv3 did not instantly become obsolete as implied in the title of the bug.
Keywords: site-compat
Depends on: 1042380
Depends on: 1090909
One other thing I am also seeing is sites downgrading to SSLv3 when browsers attempt to negotiate TLS >1.0, e.g.:
https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
(Look at the "Handshake Simulation")
(In reply to Yuhong Bao from comment #4)
> One other thing I am also seeing is sites downgrading to SSLv3 when browsers
> attempt to negotiate TLS >1.0, eg:
> https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
> https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
> (Look at the "Handshake Simulation")

That is really interesting. Thanks for bringing it up. It appears to me that these sites have intentionally broken security. The first is in India and the second is in China. Fortunately, they actually do support TLS even if they attempt a downgrade to SSL3. If connecting with SSL3 disabled they do in fact seem to work fine with TLS. It's an odd case, but disabling SSL3 improves security by forcing them to use TLS. Nice to see a side-benefit to this.
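A small added model (not from this bug, Firefox or NSS) of the downgrade discussed in comments 4 and 5: a version-intolerant server that answers any ClientHello above TLS 1.0 with SSLv3, and a browser that retries one version lower whenever the ServerHello version is outside its allowed range. The server behaviour, the function names and the simplified fallback loop are constructed assumptions; it shows why disabling SSLv3 on the client ends up forcing these servers onto TLS 1.0.

```python
"""Constructed model of the SSLv3 downgrade in comments 4 and 5 (not Firefox/NSS code)."""
from typing import Callable, Optional, Tuple

Version = Tuple[int, int]
# TLS record-layer version numbers (major, minor) as they appear on the wire.
SSL3: Version = (3, 0)
TLS1_0: Version = (3, 1)
TLS1_1: Version = (3, 2)
TLS1_2: Version = (3, 3)
NAMES = {SSL3: "SSLv3", TLS1_0: "TLS 1.0", TLS1_1: "TLS 1.1", TLS1_2: "TLS 1.2"}


def intolerant_server(client_max: Version) -> Version:
    """Assumed behaviour of the sites in comment 4: any ClientHello above
    TLS 1.0 is answered with SSLv3 instead of the highest common version."""
    return SSL3 if client_max > TLS1_0 else client_max


def correct_server(client_max: Version, server_max: Version = TLS1_0) -> Version:
    """Conformant choice: the highest version both sides support."""
    return min(client_max, server_max)


def browser_connect(server: Callable[[Version], Version],
                    min_version: Version,
                    max_version: Version = TLS1_2) -> Optional[Version]:
    """Simplified client-side fallback (an assumption about the browsers of
    the time): offer max_version; if the ServerHello version lies outside
    the client's allowed range the handshake fails and the client retries
    one version lower, down to min_version. Returns the negotiated version
    or None when no offer succeeds."""
    offered = max_version
    while offered >= min_version:
        chosen = server(offered)
        if min_version <= chosen <= offered:
            return chosen
        offered = (offered[0], offered[1] - 1)  # retry with a lower ClientHello version
    return None


if __name__ == "__main__":
    # With SSLv3 allowed the intolerant server wins the downgrade; with it
    # disabled the client keeps falling back until TLS 1.0, which works.
    for label, floor in (("SSLv3 enabled", SSL3), ("SSLv3 disabled", TLS1_0)):
        got = browser_connect(intolerant_server, floor)
        print(f"{label:14} -> {NAMES.get(got, 'handshake failed')}")
```

Raising the client floor to TLS 1.1 makes the model return None for the intolerant server, which is the breakage this meta-bug tracks once TLS 1.0 is also turned off.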
(In reply to Dave Garrett from comment #5)
> (In reply to Yuhong Bao from comment #4)
> > One other thing I am also seeing is sites downgrading to SSLv3 when browsers
> > attempt to negotiate TLS >1.0, eg:
> > https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
> > https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
> > (Look at the "Handshake Simulation")
> 
> That is really interesting. Thanks for bringing it up. It appears to me that
> these sites have intentionally broken security. The first is in India and
> the second is in China. Fortunately, they actually do support TLS even if
> they attempt a downgrade to SSL3. If connecting with SSL3 disabled they do
> in fact seem to work fine with TLS. It's an odd case, but disabling SSL3
> improves security by forcing them to use TLS. Nice to see a side-benefit to
> this.

I don't think it is intentional, it is a bug.
Depends on: 1095507
Depends on: 1107014
Depends on: 1106591
Depends on: 1107037
Depends on: 1109797
Depends on: 1109211
Depends on: 1112178
No longer depends on: 1095507
Depends on: 1117638
See Also: → TLS-Intolerance
Depends on: 1128318
Depends on: 1090765
Depends on: 1120887
Depends on: 1120977
No longer depends on: 1112178
See Also: → RC4-Dependence
No longer depends on: 1120977
No longer depends on: 1109053
Depends on: 1182548
All dependencies are closed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility