A security error is logged in browser console when opening some mozilla.org web page.

RESOLVED FIXED

Status

www.mozilla.org
Analytics
4 years ago
2 months ago

People

(Reporter: VarCat, Unassigned)

Tracking

Production

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

4 years ago
FF 34.RC1
Build ID: 20141125180439
OS: Win 7 x64, Ubuntu 14.04 x64, Mac OS 10.9.5

STR:

1. Open https://www.mozilla.org/en-US/firefox/34.0/firstrun/

Issue:
The following security errors are logged in the browser console:

cdn.optimizely.com : server does not support RFC 5746, see CVE-2009-3555
cdn3.optimizely.com : server does not support RFC 5746, see CVE-2009-3555

Updated

4 years ago
Assignee: nobody → server-ops
Component: General → Server Operations
Product: Firefox → mozilla.org
QA Contact: shyam
Version: 34 Branch → other

Comment 1

4 years ago
Isn't this a web team thing? Alex, who controls the references to optimizely, and can we fix this and/or evangelize with them so they fix it? :-)
Flags: needinfo?(agibson)
Looks like this security error happens on every page on mozilla.org when the Optimizely script is included (which is currently every page, since it's in the base template). 

Cc'ing cmore - Chris, can you speak to someone at Optimizely to see if they can fix this on their server?
Flags: needinfo?(agibson) → needinfo?(chrismore.bugzilla)

Updated

4 years ago
Assignee: server-ops → nobody
Component: Server Operations → Analytics
Flags: needinfo?(chrismore.bugzilla)
Product: mozilla.org → www.mozilla.org
QA Contact: shyam
Version: other → Production

Comment 3

4 years ago
I've moved this to the correct product and I have contacted Optimizely support to see what they suggest.

Comment 4

4 years ago
Will update after I hear from them.
Flags: needinfo?(chrismore.bugzilla)

Updated

4 years ago
Summary: A security error is logged in browser console when opening the mozilla firstrun page. → A security error is logged in browser console when opening any mozilla.org web page.

Comment 5

4 years ago
I've talked to Optimizely, they are able to replicate the problem and have opened a ticket with their webops team.
Flags: needinfo?(chrismore.bugzilla)
Note that as of Bug 1107952 we are no longer including Optimizely on every page on mozilla.org, and are instead enabling it on specific pages when required using a Waffle flag.

This bug can still be observed at the following URL where Optimizely is currently running:

https://www.mozilla.org/en-US/firefox/new/

Error: 'cdn3.optimizely.com : server does not support RFC 5746, see CVE-2009-3555'

Comment 7

4 years ago
Here's the response from Optimizely:

----
We are still waiting on one of our CDN providers to confirm about whether they have SSLv3 turned off on their end.

Another provider, Edgecast, confirmed that this is due to SSLv3 being turned off at their end.

The Poodle SSL vulnerability from a while ago has no patch as of yet and the workaround recommended was to turn off SSLv3. We did this with our ELBs too and Edgecast has done so as well.
So, from what we can tell, a security "Fix" is causing this symptom.

It looks like there isn't a way client side (like in Firefox) to test if server-initiated renegotiation is disabled or vulnerable, which is why Firefox shows this issue even if it is mitigated, so it appears to be a false positive.

I hope this helps! Please let me know if you have any other questions or want further clarification.
----

Updated

4 years ago
Summary: A security error is logged in browser console when opening any mozilla.org web page. → A security error is logged in browser console when opening some mozilla.org web page.

Comment 8

2 months ago
This looks like it is closed.
Status: NEW → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED