Bug 1085138 (POODLEBITE)

[META] Sites broken due to reliance on a security protocol that was obsolete last millennium

Status: RESOLVED FIXED
Component: Tech Evangelism / Desktop
Opened: 3 years ago
Last updated: 7 months ago

Reporter: Dave Garrett (Unassigned)
Keywords: site-compat
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 3 years ago)
TE bugs are being filed for SSL3-only sites that are now breaking due to nobody in their right mind supporting it anymore. Here's a meta-bug for them to avoid cluttering up bug 1076983. Someone needs to contact these sites' maintainers, if they exist at all, and tell them to at bare minimum use the replacement that was released in 1999.
Updated (Reporter, 3 years ago): Blocks: 1076983

Comment 1 (3 years ago)
AFAIK, TLS 1.0 was released in 1999 but remember that even IE6 shipped with it disabled.
Comment 2 (Reporter, 3 years ago)
IE6 still has it disabled by default to this day, which is exactly why we have this problem. One trivial pref-flip update could've probably avoided all this a decade ago. :/

Comment 3 (3 years ago)
Yeah, the point of mentioning this is to show that SSLv3 did not instantly become obsolete as implied in the title of the bug.

Updated (3 years ago): Keywords: site-compat

Updated (3 years ago): Depends on: 1042380

Updated (3 years ago): Depends on: 1090909

Comment 4 (3 years ago)
One other thing I am also seeing is sites downgrading to SSLv3 when browsers attempt to negotiate TLS >1.0, e.g.:
https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
(Look at the "Handshake Simulation")
Comment 5 (Reporter, 3 years ago)
(In reply to Yuhong Bao from comment #4)
> One other thing I am also seeing is sites downgrading to SSLv3 when browsers
> attempt to negotiate TLS >1.0, eg:
> https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
> https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
> (Look at the "Handshake Simulation")

That is really interesting. Thanks for bringing it up. It appears to me that these sites have intentionally broken security. The first is in India and the second is in China. Fortunately, they actually do support TLS even if they attempt a downgrade to SSL3. If connecting with SSL3 disabled they do in fact seem to work fine with TLS. It's an odd case, but disabling SSL3 improves security by forcing them to use TLS. Nice to see a side-benefit to this.
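What the downgrade described in comments 4 and 5 looks like at the handshake level, as an added example that is not part of the bug or its comments: a small Python checker that parses a ServerHello record and reports whether the server picked a lower version than the client offered, and whether a client that has SSLv3 disabled would accept it at all. The `build_server_hello` helper and the records it produces are constructed test data, not captures from the sites named above.

```python
import struct

# Protocol version bytes as they appear in SSL/TLS records and the ServerHello.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)


def build_server_hello(version, cipher_suite):
    """Build a minimal ServerHello record (constructed test data, not a capture)."""
    body = (bytes(version) + b"\x11" * 32          # server_version, 32-byte random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", cipher_suite)      # chosen cipher suite
            + b"\x00")                             # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return (server_version, cipher_suite) from a handshake record holding a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    (length,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 3:
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]                        # skip version, random, session_id
    (cipher,) = struct.unpack("!H", hello[offset:offset + 2])
    return (hello[0], hello[1]), cipher


def assess(client_min, client_max, record):
    """Classify the server's choice against the version range the client offered."""
    server_version, cipher = parse_server_hello(record)
    if server_version < client_min:
        verdict = "rejected"      # a client with SSLv3 disabled drops the handshake
    elif server_version < client_max:
        verdict = "downgraded"    # accepted, but below the best the client offered
    else:
        verdict = "ok"
    return {"version": VERSION_NAMES.get(server_version, str(server_version)),
            "cipher_suite": cipher, "verdict": verdict}


if __name__ == "__main__":
    hello = build_server_hello(SSL3, 0x002F)   # server answers a TLS offer with SSLv3
    print(assess(SSL3, TLS12, hello))          # SSLv3 still enabled: silent downgrade
    print(assess(TLS10, TLS12, hello))         # SSLv3 disabled: rejected, so TLS is forced
```

Against a server that genuinely supports TLS but prefers to answer with SSLv3, the second call is the behaviour comment 5 observes: once the client refuses SSLv3, the connection only succeeds on a TLS version.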

Comment 6 (3 years ago)
(In reply to Dave Garrett from comment #5)
> (In reply to Yuhong Bao from comment #4)
> > One other thing I am also seeing is sites downgrading to SSLv3 when browsers
> > attempt to negotiate TLS >1.0, eg:
> > https://www.ssllabs.com/ssltest/analyze.html?d=billdesk.com
> > https://www.ssllabs.com/ssltest/analyze.html?d=chinapay.com
> > (Look at the "Handshake Simulation")
> 
> That is really interesting. Thanks for bringing it up. It appears to me that
> these sites have intentionally broken security. The first is in India and
> the second is in China. Fortunately, they actually do support TLS even if
> they attempt a downgrade to SSL3. If connecting with SSL3 disabled they do
> in fact seem to work fine with TLS. It's an odd case, but disabling SSL3
> improves security by forcing them to use TLS. Nice to see a side-benefit to
> this.

I don't think it is intentional; it is a bug.

Updated (3 years ago): Depends on: 1095507

Updated (2 years ago): Depends on: 1107014

Updated (2 years ago): Depends on: 1106591, 1107037

Updated (2 years ago): Duplicate of this bug: 1109797; Depends on: 1109797

Updated (2 years ago): Duplicate of this bug: 1109211; Depends on: 1109211, 1112178

Updated (2 years ago): No longer depends on: 1095507; Depends on: 1109053, 1117638
Updated (Reporter, 2 years ago): See Also: → bug 1126620; Depends on: 1128318, 1090765

Updated (2 years ago): Depends on: 1120887, 1120977; No longer depends on: 1112178
Updated (Reporter, 2 years ago): See Also: → bug 1138101

Updated (2 years ago): No longer depends on: 1120977

Updated (2 years ago): No longer depends on: 1109053

Updated (2 years ago): Depends on: 1182548
Comment 9 (Reporter, 7 months ago)
All dependencies are closed.
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → FIXED