Bug 1215796 - Cleanup some non-secure fallback options
Status: Closed (RESOLVED FIXED)
Opened 10 years ago; closed 9 years ago
Categories: Core :: Security: PSM, defect
Target milestone: mozilla44
Tracking | Status | |
---|---|---|
firefox44 | --- | fixed |
People: Reporter: emk, Assigned: emk
Keywords: dev-doc-complete
Attachments (3 files)
- patch, 7.61 KB
- patch, 51.69 KB (keeler: review+; emk: checkin+)
- patch, 22.69 KB
Once we have an override UX, we can remove some redundant options.
Comment 1 • 10 years ago (Assignee)
This is an easy footgun.
Comment 2 • 10 years ago (Assignee)
Unrestricted RC4 fallback was enabled until Firefox 43. The static fallback will be disabled as of Firefox 44. So this list is just a waste of binary size.
Attachment #8675339 - Flags: review?(dkeeler)
Comment 3 • 10 years ago (Assignee)
Chrome 45+ already disabled the non-secure fallback to TLS 1.0. Chrome 48+ will remove the option to re-enable the fallback.
Attachment #8675340 - Flags: review?(dkeeler)
Comment 4 • 10 years ago (Assignee)
Comment 5 • 9 years ago
Comment on attachment 8675339 [details] [diff] [review]
Remove the static fallback whitelist
Review of attachment 8675339 [details] [diff] [review]:
-----------------------------------------------------------------
Great
Attachment #8675339 - Flags: review?(dkeeler) → review+
Comment 6 • 9 years ago
Comment on attachment 8675338 [details] [diff] [review]
Remove unrestricted RC4 fallback pref
Review of attachment 8675338 [details] [diff] [review]:
-----------------------------------------------------------------
I'm concerned about removing this so quickly after shipping the new UI. If we find a significant problem, we're going to want an easy, low-risk change we can make to restore the original behavior (as in, flipping a pref). Let's keep this for a release or two until we're confident about it (for one thing, no RC4 override UI has been implemented for android or b2g, as far as I'm aware).
Attachment #8675338 - Flags: review?(dkeeler)
Comment 7 • 9 years ago
Comment on attachment 8675340 [details] [diff] [review]
Bump the lowest valid fallback limit to 2 (TLS 1.1)
Review of attachment 8675340 [details] [diff] [review]:
-----------------------------------------------------------------
I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no longer the case?
Anyway, I don't see this as a change we urgently need to make, seeing as the pref defaults to a fallback limit of TLS 1.2.
Attachment #8675340 - Flags: review?(dkeeler)
Comment 8 • 9 years ago (Assignee)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no
> longer the case?
IE needs to fall back to TLS 1.0, but we don't. We had to support RC4 fallback with TLS 1.2 because of FALLBACK_SCSV.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
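To make the reasoning in comments 7 and 8 concrete (why the fallback limit matters, and why an RC4 retry has to stay at TLS 1.2 once servers honour TLS_FALLBACK_SCSV), here is an added example written for this page; it is not Firefox, NSS or Chrome code. It models a client whose version fallback is bounded by a limit in the style of the Firefox fallback-limit pref (the 0..3 ordinal mapping is assumed, consistent with "2 (TLS 1.1)" above) talking to a server that implements the RFC 7507 check. The `Server` class, the cipher-suite names, the `drop_above` middlebox and the `rc4_retry` helper are all constructed for the demonstration.

```python
"""Model of browser TLS version fallback with a fallback limit and
TLS_FALLBACK_SCSV (RFC 7507). Hypothetical simulation written for this
page; it is not Firefox, NSS or Chrome code."""
from dataclasses import dataclass

# Version ordinals in the style of the Firefox fallback-limit pref
# (assumed mapping, consistent with the page's "2 (TLS 1.1)").
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value from RFC 7507


@dataclass
class ClientHello:
    version: int         # highest version the client offers in this attempt
    cipher_suites: list  # suite names; also TLS_FALLBACK_SCSV on a lowered retry


@dataclass
class Server:
    max_version: int
    cipher_suites: set
    supports_scsv: bool = True

    def handle(self, hello):
        """Return ('ok', version, suite) or ('alert', reason)."""
        # RFC 7507: a client that signals fallback but offers less than the
        # server's best version is being downgraded; refuse the handshake.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.version < self.max_version):
            return ("alert", "inappropriate_fallback")
        negotiated = min(hello.version, self.max_version)
        for suite in hello.cipher_suites:
            if suite in self.cipher_suites:
                return ("ok", negotiated, suite)
        return ("alert", "handshake_failure")


def deliver(hello, server, drop_above=None):
    """Constructed network path: a middlebox may kill every ClientHello above
    drop_above, which is what a downgrade attempt looks like to the client."""
    if drop_above is not None and hello.version > drop_above:
        return ("timeout",)
    return server.handle(hello)


def connect(server, fallback_limit, suites, max_version=3, drop_above=None):
    """Client side: try max_version; on failure retry one version lower,
    never below fallback_limit, and flag every lowered retry with the SCSV."""
    attempts = []
    version = max_version
    while True:
        offered = list(suites) + ([TLS_FALLBACK_SCSV] if version < max_version else [])
        result = deliver(ClientHello(version, offered), server, drop_above)
        attempts.append((VERSIONS[version], result))
        if result[0] == "ok":
            return {"outcome": "connected", "version": VERSIONS[result[1]],
                    "suite": result[2], "attempts": attempts}
        if result == ("alert", "inappropriate_fallback"):
            return {"outcome": "downgrade_detected", "attempts": attempts}
        if version <= fallback_limit:
            return {"outcome": "failed", "attempts": attempts}
        version -= 1


def rc4_retry(server, version, max_version=3):
    """Second attempt that adds RC4 after a cipher-suite mismatch. Retrying at
    the same version carries no SCSV; retrying at a lower version does, and an
    RFC 7507 server then rejects it."""
    offered = ["AES_GCM", "RC4"] + ([TLS_FALLBACK_SCSV] if version < max_version else [])
    return server.handle(ClientHello(version, offered))


if __name__ == "__main__":
    modern = Server(max_version=3, cipher_suites={"AES_GCM"})
    # Fallback floor at TLS 1.0: the downgrade is caught by the SCSV check.
    print(connect(modern, fallback_limit=1, suites=["AES_GCM"], drop_above=1)["outcome"])
    # Fallback floor at TLS 1.2 (the default mentioned above): no retry at all.
    print(connect(modern, fallback_limit=3, suites=["AES_GCM"], drop_above=1)["outcome"])
    legacy = Server(max_version=3, cipher_suites={"RC4"})
    print(rc4_retry(legacy, 3), rc4_retry(legacy, 1))
```

With the limit at TLS 1.2 the client never lowers its version, so a middlebox dropping TLS 1.2 handshakes simply fails the connection instead of provoking a retry. With a lower limit, an SCSV-aware server still aborts the lowered retry with `inappropriate_fallback`. The `rc4_retry` calls show the point of comment 8: an RC4 retry at the same TLS 1.2 version carries no SCSV and succeeds against an RC4-only server, whereas the IE-style retry at TLS 1.0 is rejected.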
Comment 11 • 9 years ago (Assignee)
Ah, forgot to put a leave-open.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated • 9 years ago (Assignee)
Attachment #8675339 - Flags: checkin+
Comment 12 • 9 years ago
:emk, since we've gone through a few release cycles since the first patch in this bug landed, it would be best to land any remaining patches in a separate bug (this makes it easier for everyone to track what landed in which version).
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago
Keywords: dev-doc-needed
Comment 13 • 9 years ago
Added a note in https://developer.mozilla.org/en-US/Firefox/Releases/44#Security
Keywords: dev-doc-needed → dev-doc-complete