Do not trigger TLS intolerance fallback automatically

RESOLVED DUPLICATE of bug 1084025

Core
Security: PSM

People

(Reporter: emk, Unassigned)


Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Looks like bug 1084025 is too early to release.
I wrote a patch to add a checkbox to enable non-secure fallback on reload.
(Reporter)

Comment 1

4 years ago
Created attachment 8548199 [details] [diff] [review]
Disable TLS intolerance fallback by default and introduce an XPCOM interface to enable the fallback
Attachment #8548199 - Flags: review?(dkeeler)
(Reporter)

Comment 2

4 years ago
Created attachment 8548200 [details] [diff] [review]
Add a UI to enable TLS intolerance fallback
Attachment #8548200 - Flags: review?(dolske)
Comment 3

4 years ago
I don't think that it is a good idea to add a UI for this. I am pretty sure it can be avoided. If the rate of page load failure is too high, we can reduce it by whitelisting the most common domain names into automatic fallback. I don't think that whitelist would be too large to manage.

The question is, is the page load failure rate actually too high? What percentage of page loads are failing due to what appears to be TLS intolerance now? And, what is the threshold between an acceptable and an unacceptable rate?

In other words, how was it determined that "bug 1084025 is too early to release"?
Comment 4

4 years ago
Comment on attachment 8548200 [details] [diff] [review]
Add a UI to enable TLS intolerance fallback

Review of attachment 8548200 [details] [diff] [review]:
-----------------------------------------------------------------

I'm pretty dubious about the value of adding a checkbox. Users are not going to understand what this means or the risks of enabling it. So this is basically going to be read as "Firefox is broken, please make it work like it's supposed to" and everybody loses.

(But if I'm missing context that has been discussed elsewhere, it would be useful to link to it here.)
Attachment #8548200 - Flags: review?(dolske) → review-
Comment 5

4 years ago
Comment on attachment 8548199 [details] [diff] [review]
Disable TLS intolerance fallback by default and introduce an XPCOM interface to enable the fallback

Review of attachment 8548199 [details] [diff] [review]:
-----------------------------------------------------------------

Sounds like we're not going to do this, so I'm cancelling review for now.
Attachment #8548199 - Flags: review?(dkeeler)

Comment 6

4 years ago
(In reply to Justin Dolske [:Dolske] from comment #4)
> Comment on attachment 8548200 [details] [diff] [review]
> Add a UI to enable TLS intolerance fallback
> 
> Review of attachment 8548200 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> I'm pretty dubious about the value of adding a checkbox. Users are not going
> to understand what this means or the risks of enabling it. So this is
> basically going to be read as "Firefox is broken, please make it work like
> it's supposed to" and everybody loses.
> 
> (But if I'm missing context that has been discussed elsewhere, it would be
> useful to link to it here.)

Most users, but it would make it easy for those who do pay attention to notify sites.

We did this in bug 1084025, so I'm going to go ahead and dup this to that.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1084025