Closed
Bug 1085138
(POODLEBITE)
Opened 10 years ago
Closed 8 years ago
[META] Sites broken due to reliance on a security protocol that was obsolete last millennium
Categories
(Web Compatibility :: Site Reports, defect)
Web Compatibility
Site Reports
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: davemgarrett, Unassigned)
References
Details
(Keywords: site-compat)
TE bugs are being filed for SSL3-only sites that are now breaking due to nobody in their right mind supporting it anymore. Here's a meta-bug for them to avoid cluttering up bug 1076983. Someone needs to contact these sites' maintainers, if they exist at all, and tell them to at bare minimum use the replacement that was released in 1999.
Comment 1•10 years ago
AFAIK, TLS 1.0 was released in 1999 but remember that even IE6 shipped with it disabled.
Comment 2•10 years ago
IE6 still has it disabled by default to this day, which is exactly why we have this problem. One trivial pref-flip update could've probably avoided all this a decade ago. :/
Comment 3•10 years ago
Yea, the point of mentioning this is to show that SSLv3 did not instantly become obsolete as implied in the title of the bug.
Updated•10 years ago
Keywords: site-compat
Comment 4•10 years ago
One other thing I am also seeing is sites downgrading to SSLv3 when browsers attempt to negotiate TLS >1.0, eg: https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com (Look at the "Handshake Simulation")
Comment 5•10 years ago
(In reply to Yuhong Bao from comment #4) > One other thing I am also seeing is sites downgrading to SSLv3 when browsers > attempt to negotiate TLS >1.0, eg: > https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com > https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com > (Look at the "Handshake Simulation") That is really interesting. Thanks for bringing it up. It appears to me that these sites have intentionally broken security. The first is in India and the second is in China. Fortunately, they actually do support TLS even if they attempt a downgrade to SSL3. If connecting with SSL3 disabled they do in fact seem to work fine with TLS. It's an odd case, but disabling SSL3 improves security by forcing them to use TLS. Nice to see a side-benefit to this.
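As an added example (not code from this bug or from Mozilla), a small Python parser that reads a captured TLS/SSL record carrying a ServerHello and flags the behaviour described in comment 4: a server selecting SSLv3 (0x0300) even though the client offered a TLS version. The record bytes used for the demonstration are constructed inline, not captured from the sites named above.

```python
# Added example: inspect the version a server selected in its ServerHello and
# flag an SSLv3 selection made despite the client offering TLS.
import struct

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

def parse_server_hello(record: bytes) -> dict:
    """Return the record-layer version and the version chosen in the ServerHello."""
    if len(record) < 5 + 4 + 2:
        raise ValueError("record too short")
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = Handshake content type
        raise ValueError(f"not a handshake record: type {content_type}")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 2:  # 2 = ServerHello handshake message
        raise ValueError(f"not a ServerHello: handshake type {hs_type}")
    if hs_len + 4 > len(body):
        raise ValueError("truncated handshake message")
    (server_version,) = struct.unpack("!H", body[4:6])
    return {"record_version": rec_version, "server_version": server_version}

def classify_downgrade(client_max: int, server_version: int) -> str:
    """Describe the server's choice relative to the highest version the client offered."""
    name = VERSION_NAMES.get(server_version, hex(server_version))
    if server_version > client_max:
        return "invalid: server chose a version above the client's maximum"
    if server_version == 0x0300 and client_max > 0x0300:
        return "downgrade to SSLv3 despite TLS being offered"
    if server_version < client_max:
        return f"negotiated {name} (below offered maximum)"
    return f"negotiated {name}"

def build_server_hello(version: int) -> bytes:
    """Constructed sample record: zero random, empty session id, suite 0x002f, null compression."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

if __name__ == "__main__":
    for v in (0x0300, 0x0301, 0x0303):  # client offered up to TLS 1.2 in each case
        info = parse_server_hello(build_server_hello(v))
        print(VERSION_NAMES[v], "->", classify_downgrade(0x0303, info["server_version"]))
```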
Comment 6•10 years ago
(In reply to Dave Garrett from comment #5)
> (In reply to Yuhong Bao from comment #4)
> > One other thing I am also seeing is sites downgrading to SSLv3 when browsers
> > attempt to negotiate TLS >1.0, eg:
> > https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
> > https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
> > (Look at the "Handshake Simulation")
>
> That is really interesting. Thanks for bringing it up. It appears to me that
> these sites have intentionally broken security. The first is in India and
> the second is in China. Fortunately, they actually do support TLS even if
> they attempt a downgrade to SSL3. If connecting with SSL3 disabled they do
> in fact seem to work fine with TLS. It's an odd case, but disabling SSL3
> improves security by forcing them to use TLS. Nice to see a side-benefit to
> this.

I don't think it is intentional, it is a bug.
Depends on: 1109053
Updated•9 years ago
See Also: → TLS-Intolerance
Updated•9 years ago
See Also: → RC4-Dependence
Comment 9•8 years ago
All dependencies are closed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•5 years ago
Product: Tech Evangelism → Web Compatibility