Closed
Bug 1105341
Opened 10 years ago
Closed 6 years ago
A security error is logged in browser console when opening some mozilla.org web page.
Categories
(www.mozilla.org :: Analytics, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: VarCat, Unassigned)
Details
FF 34.RC1
Build ID: 20141125180439
OS: Win 7 x64, Ubuntu 14.04 x64, Mac OS 10.9.5

STR:
1. Open https://www.mozilla.org/en-US/firefox/34.0/firstrun/

Issue: The following security errors are logged in the browser console:
cdn.optimizely.com : server does not support RFC 5746, see CVE-2009-3555
cdn3.optimizely.com : server does not support RFC 5746, see CVE-2009-3555
Updated•10 years ago
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Firefox → mozilla.org
QA Contact: shyam
Version: 34 Branch → other
Comment 1•10 years ago
Isn't this a web team thing? Alex, who controls the references to optimizely, and can we fix this and/or evangelize with them so they fix it? :-)
Flags: needinfo?(agibson)
Comment 2•10 years ago
Looks like this security error happens on every page on mozilla.org when the Optimizely script is included (which is currently every page, since it's in the base template). Cc'ing cmore - Chris, can you speak to someone at Optimizely to see if they can fix this on their server?
Flags: needinfo?(agibson) → needinfo?(chrismore.bugzilla)
Updated•10 years ago
Assignee: server-ops → nobody
Component: Server Operations → Analytics
Flags: needinfo?(chrismore.bugzilla)
Product: mozilla.org → www.mozilla.org
QA Contact: shyam
Version: other → Production
Comment 3•10 years ago
I've moved this to the correct product and I have contacted Optimizely support to see what they suggest.
Updated•10 years ago
Summary: A security error is logged in browser console when opening the mozilla firstrun page. → A security error is logged in browser console when opening any mozilla.org web page.
Comment 5•10 years ago
I've talked to Optimizely; they are able to replicate the problem and have opened a ticket with their webops team.
Flags: needinfo?(chrismore.bugzilla)
Comment 6•10 years ago
Note that as of Bug 1107952 we are no longer including Optimizely on every page on mozilla.org, and are instead enabling it on specific pages when required using a Waffle flag.

This bug can still be observed at the following URL where Optimizely is currently running:
https://www.mozilla.org/en-US/firefox/new/

Error: 'cdn3.optimizely.com : server does not support RFC 5746, see CVE-2009-3555'
Comment 7•9 years ago
Here's the response from Optimizely:

----

We are still waiting on one of our CDN providers to confirm about whether they have SSLv3 turned off on their end. Another provider, Edgecast, confirmed that this is due to SSLv3 being turned off at their end.

The Poodle SSL vulnerability from a while ago has no patch as of yet and the workaround recommended was to turn off SSLv3. We did this with our ELBs too and Edgecast has done so as well. So, from what we can tell, a security "Fix" is causing this symptom.

It looks like there isn't a way client side (like in Firefox) to test if server-initiated renegotiation is disabled or vulnerable, which is why Firefox shows this issue even if it is mitigated, so it appears to be a false positive.

I hope this helps! Please let me know if you have any other questions or want further clarification.

----
Updated•9 years ago
Summary: A security error is logged in browser console when opening any mozilla.org web page. → A security error is logged in browser console when opening some mozilla.org web page.
This looks like it is closed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED