Status

()

Firefox
Developer Tools: Console
3 years ago
3 years ago

People

(Reporter: annevk, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

3 years ago
Given how much of a mess it is to remove SSLv3, we should start early with TLSv10.
This needs to be aligned with our existing server guidance, which recommends TLSv1.0 support in the Intermediate configuration.

https://wiki.mozilla.org/Security/Server_Side_TLS
TLSv1.0 support =/= TLSv1.0 negotiation.

I'd think it's still reasonable for the server guidance to recommend support of TLSv1.0 in the intermediate configuration, but each of those guideline also recommends support for higher protocol versions which will be negotiated using a modern browser and therefore not trigger a warning.

I'm not even sure we can detect a server supporting TLSv1.0 while connecting using TLSv1.2 (at least that's what I read...)

Updated

3 years ago
OS: Mac OS X → All
Hardware: x86 → All
Summary: Warn about TLSv10 usage → Warn about TLS 1.0 usage
Created attachment 8576294 [details] [diff] [review]
WIP - Warn about TLS 1.0 usage in console

This is pretty much the same as bug 1092835, I just reused the same code after it got removed for SSL3 in bug 1106470 and updated it for TLS 1.0. No tests included, because I don't know how to add a TLS 1.0 host to mochitest. Also, feel free to grab this as I'm not sure when I'll get time to add the tests.
Attachment #8576294 - Attachment is obsolete: true
Created attachment 8576298 [details] [diff] [review]
bug1092836.diff

Fixed patch format.
Attachment #8576298 - Attachment is obsolete: true
Created attachment 8576303 [details] [diff] [review]
WIP - Warn about TLS 1.0 usage in console
I don't think it is a viable approach to spam Web Console in half of the Internet. It will be rapidly ignored and more important warnings (e.g. use of RC4) will be buried in the spam.
You need to log in before you can comment on or make changes to this bug.