Closed Bug 1215796 Opened 8 years ago Closed 8 years ago

Cleanup some non-secure fallback options

Category: Core :: Security: PSM
Type: defect
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla44
Tracking Status: firefox44 --- fixed
Reporter: emk, Assigned: emk
Keywords: dev-doc-complete
Attachments: 3 files

Once we have an override UX, we can remove some redundant options.
Depends on: 1201025
This is an easy footgun.
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Attachment #8675338 - Flags: review?(dkeeler)
Unrestricted RC4 fallback was enabled until Firefox 43. The static fallback will be disabled starting in Firefox 44. So this list is just a waste of binary size.
Attachment #8675339 - Flags: review?(dkeeler)
Chrome 45+ already disabled the non-secure fallback to TLS 1.0. Chrome 48+ will remove the option to re-enable the fallback.
Attachment #8675340 - Flags: review?(dkeeler)
Comment on attachment 8675339 [details] [diff] [review]
Remove the static fallback whitelist

Review of attachment 8675339 [details] [diff] [review]:
-----------------------------------------------------------------

Great
Attachment #8675339 - Flags: review?(dkeeler) → review+
Comment on attachment 8675338 [details] [diff] [review]
Remove unrestricted RC4 fallback pref

Review of attachment 8675338 [details] [diff] [review]:
-----------------------------------------------------------------

I'm concerned about removing this so quickly after shipping the new UI. If we find a significant problem, we're going to want an easy, low-risk change we can make to restore the original behavior (as in, flipping a pref). Let's keep this for a release or two until we're confident about it (for one thing, no RC4 override UI has been implemented for android or b2g, as far as I'm aware).
Attachment #8675338 - Flags: review?(dkeeler)
Comment on attachment 8675340 [details] [diff] [review]
Bump the lowest valid fallback limit to 2 (TLS 1.1)

Review of attachment 8675340 [details] [diff] [review]:
-----------------------------------------------------------------

I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no longer the case?
Anyway, I don't see this as a change we urgently need to make, seeing as the pref defaults to a fallback limit of TLS 1.2.
Attachment #8675340 - Flags: review?(dkeeler)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no
> longer the case?

IE requires falling back to TLS 1.0, but we don't. We had to support RC4 fallback with TLS 1.2 because of FALLBACK_SCSV.
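The exchange in comments #7 and #8 turns on two mechanisms: the fallback-limit pref (whose floor the third patch raises to 2, TLS 1.1, and which defaults to TLS 1.2) and FALLBACK_SCSV (RFC 7507), the signal a client adds on a retry so a server that supports a higher version can refuse the downgrade. The model below is an added example, not Firefox or NSS code, that simulates both so the interaction can be run through. It assumes the pref's integer encoding (the bug confirms only that 2 means TLS 1.1; 0 = SSL 3.0, 1 = TLS 1.0 and 3 = TLS 1.2 are assumptions), and `Server`, `connect`, `clamp_fallback_limit` and the `intolerant_above` middlebox parameter are hypothetical names chosen for the simulation:

```python
# Added example (not Firefox/NSS code): a small model of the TLS version
# fallback discussed in this bug, showing what the fallback-limit pref and
# FALLBACK_SCSV (RFC 7507) each protect against.
#
# Version numbering follows the integer scheme of Firefox's fallback-limit
# pref; the bug confirms 2 = TLS 1.1, the other values are assumed.
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0, 1, 2, 3
NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}

MIN_VALID_FALLBACK_LIMIT = TLS_1_1   # the floor attachment 8675340 raises the pref to
DEFAULT_FALLBACK_LIMIT = TLS_1_2     # comment #7: the pref defaults to TLS 1.2


def clamp_fallback_limit(pref_value):
    """A pref value below the lowest valid limit is raised to that limit, so a
    stale or mistyped config cannot re-enable fallback to TLS 1.0 or SSL 3.0."""
    return max(MIN_VALID_FALLBACK_LIMIT, min(TLS_1_2, pref_value))


class Server:
    """Hypothetical server: a maximum version and whether it implements FALLBACK_SCSV."""

    def __init__(self, max_version, honors_fallback_scsv=True):
        self.max_version = max_version
        self.honors_fallback_scsv = honors_fallback_scsv

    def handshake(self, client_version, fallback_scsv):
        # RFC 7507: a client that signals a fallback while the server supports a
        # higher version than the one offered gets an inappropriate_fallback alert.
        if fallback_scsv and self.honors_fallback_scsv and self.max_version > client_version:
            return ("alert", "inappropriate_fallback")
        return ("ok", min(self.max_version, client_version))


def connect(server, fallback_limit, max_version=TLS_1_2, intolerant_above=None):
    """Client side of the fallback dance.

    intolerant_above models a broken or hostile middlebox that breaks every
    handshake offering a version above it; the client only sees a failed
    connection, indistinguishable from a genuinely version-intolerant server.
    Returns (status, negotiated_version_or_None, versions_attempted).
    """
    fallback_limit = clamp_fallback_limit(fallback_limit)
    version = max_version
    attempted = []
    fell_back = False
    while True:
        attempted.append(version)
        if intolerant_above is not None and version > intolerant_above:
            # Handshake broken: retry one version lower, but never below the limit.
            if version - 1 < fallback_limit:
                return ("failed", None, attempted)
            version -= 1
            fell_back = True      # every retry carries FALLBACK_SCSV
            continue
        status, detail = server.handshake(version, fell_back)
        if status == "alert":
            return ("failed", None, attempted)
        return ("ok", detail, attempted)


if __name__ == "__main__":
    good = Server(TLS_1_2)
    # 1. Default limit, middlebox breaks everything above TLS 1.0: no downgrade, no connection.
    print(connect(good, DEFAULT_FALLBACK_LIMIT, intolerant_above=TLS_1_0))
    # 2. Limit at TLS 1.1, server honors SCSV: the fallback attempt is refused.
    print(connect(good, TLS_1_1, intolerant_above=TLS_1_1))
    # 3. Same, but a server without SCSV support: the downgrade to TLS 1.1 goes through.
    print(connect(Server(TLS_1_2, honors_fallback_scsv=False), TLS_1_1, intolerant_above=TLS_1_1))
    # 4. A pref value of 0 (SSL 3.0) is clamped, so fallback stops at TLS 1.1.
    print(connect(Server(TLS_1_2, honors_fallback_scsv=False), SSL_3_0, intolerant_above=TLS_1_0))
    # 5. A server that only speaks TLS 1.1 needs no fallback at all: the normal
    #    handshake negotiates down, so the fallback limit does not affect it.
    print(connect(Server(TLS_1_1), DEFAULT_FALLBACK_LIMIT))
```

Case 3 is the one the fallback limit exists for: a server that does not implement FALLBACK_SCSV cannot tell a forced downgrade from a genuine retry, so the client's own floor is the only remaining defense. Case 5 shows why raising that floor does not break servers that simply support an older maximum version; they negotiate it in the first handshake without any fallback. The RC4 retry mentioned in comment #8 is a cipher-suite fallback that keeps the version at TLS 1.2, which is exactly why it does not trip the SCSV check modelled here.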
https://hg.mozilla.org/mozilla-central/rev/e7e994b6a5a3
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Ah, forgot to put a leave-open.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #8675339 - Flags: checkin+
:emk, since we've gone through a few release cycles since the first patch in this bug landed, it would be best to land any remaining patches in a separate bug (this makes it easier for everyone to track what landed in which version).
Status: REOPENED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED