Cleanup some non-secure fallback options

RESOLVED FIXED in Firefox 44

Status
Core
Security: PSM
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: emk, Assigned: emk)

Tracking

({dev-doc-complete})

unspecified
mozilla44
dev-doc-complete
Points:
---

Firefox Tracking Flags

(firefox44 fixed)

Details

Attachments

(3 attachments)

(Assignee)

Description

2 years ago
Once we have an override UX, we can remove some redundant options.
(Assignee)

Updated

2 years ago
Depends on: 1201025
(Assignee)

Comment 1

2 years ago
Created attachment 8675338 [details] [diff] [review]
Remove unrestricted RC4 fallback pref

This is an easy footgun.
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
Attachment #8675338 - Flags: review?(dkeeler)
(Assignee)

Comment 2

2 years ago
Created attachment 8675339 [details] [diff] [review]
Remove the static fallback whitelist

Unrestricted RC4 fallback was enabled until Firefox 43. The static fallback will be disabled as of Firefox 44. So this list is just a waste of binary size.
Attachment #8675339 - Flags: review?(dkeeler)
(Assignee)

Comment 3

2 years ago
Created attachment 8675340 [details] [diff] [review]
Bump the lowest valid fallback limit to 2 (TLS 1.1)

Chrome 45+ already disabled the non-secure fallback to TLS 1.0. Chrome 48+ will remove the option to re-enable the fallback.
Attachment #8675340 - Flags: review?(dkeeler)
(Assignee)

Comment 4

2 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=7fc65622f2b6
Comment on attachment 8675339 [details] [diff] [review]
Remove the static fallback whitelist

Review of attachment 8675339 [details] [diff] [review]:
-----------------------------------------------------------------

Great
Attachment #8675339 - Flags: review?(dkeeler) → review+
Comment on attachment 8675338 [details] [diff] [review]
Remove unrestricted RC4 fallback pref

Review of attachment 8675338 [details] [diff] [review]:
-----------------------------------------------------------------

I'm concerned about removing this so quickly after shipping the new UI. If we find a significant problem, we're going to want an easy, low-risk change we can make to restore the original behavior (as in, flipping a pref). Let's keep this for a release or two until we're confident about it (for one thing, no RC4 override UI has been implemented for Android or B2G, as far as I'm aware).
Attachment #8675338 - Flags: review?(dkeeler)
Comment on attachment 8675340 [details] [diff] [review]
Bump the lowest valid fallback limit to 2 (TLS 1.1)

Review of attachment 8675340 [details] [diff] [review]:
-----------------------------------------------------------------

I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no longer the case?
Anyway, I don't see this as a change we urgently need to make, seeing as the pref defaults to a fallback limit of TLS 1.2.
Attachment #8675340 - Flags: review?(dkeeler)
(Assignee)

Comment 8

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no
> longer the case?

IE requires falling back to TLS 1.0, but we don't. We had to support RC4 fallback with TLS 1.2 because of FALLBACK_SCSV.
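
The interplay between the fallback limit and FALLBACK_SCSV that comments 3, 7 and 8 discuss, as an added simulation that is not Firefox or NSS code: the client starts at its highest TLS version, drops one version per failed attempt but never below the fallback limit, and signals TLS_FALLBACK_SCSV on any retry below its maximum. An SCSV-aware server answers such a retry with an inappropriate_fallback alert (RFC 7507), which is also why an RC4 retry that keeps the version at TLS 1.2 carries no SCSV and is not rejected. The version numbering (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) matches the bug's use of 2 for TLS 1.1; the clamp floor of 2 mirrors the patch title, while the `Server` model, `clamp_fallback_limit` and `connect` are constructed for this example.

```python
"""Constructed simulation of TLS version fallback with a fallback limit and
TLS_FALLBACK_SCSV (RFC 7507). Added example; not the browser's real code."""

TLS_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}  # numbering as used in the bug
FLOOR = 2    # lowest valid fallback limit after the patch (TLS 1.1); assumption of this example
CEILING = 3  # highest version the simulated client speaks (TLS 1.2)


def clamp_fallback_limit(pref_value):
    """Clamp a user-set fallback-limit pref into the valid range [FLOOR, CEILING].

    A value of 1 (TLS 1.0) is raised to 2, so a stale or mistaken pref can no
    longer reopen the TLS 1.0 downgrade path that the bug closes."""
    return max(FLOOR, min(CEILING, int(pref_value)))


class Server:
    """Toy server. Constructed for the example; models three behaviours:
    - supports_scsv: rejects downgraded retries carrying TLS_FALLBACK_SCSV,
    - version_tolerant=False: aborts instead of negotiating down (old, buggy servers),
    - fail_first: the first handshake fails for a non-protocol reason (flaky network)."""

    def __init__(self, max_version, supports_scsv, version_tolerant=True, fail_first=False):
        self.max_version = max_version
        self.supports_scsv = supports_scsv
        self.version_tolerant = version_tolerant
        self.fail_first = fail_first
        self.calls = 0

    def handle(self, client_version, scsv_present):
        """Return (result, negotiated_version). result is 'ok' or a failure label."""
        self.calls += 1
        if self.fail_first and self.calls == 1:
            return "network_error", None
        # RFC 7507: if the client signals a fallback but we support something
        # higher than it offered, the downgrade is suspicious; refuse it.
        if self.supports_scsv and scsv_present and client_version < self.max_version:
            return "inappropriate_fallback", None
        if not self.version_tolerant and client_version > self.max_version:
            return "handshake_failure", None
        return "ok", min(client_version, self.max_version)


def connect(server, fallback_limit, max_version=CEILING):
    """Client-side fallback loop. Returns (outcome, negotiated_version, attempts),
    where attempts is a list of (version_offered, scsv_sent, server_result)."""
    limit = clamp_fallback_limit(fallback_limit)
    version = max_version
    attempts = []
    while True:
        scsv = version < max_version      # SCSV only on a retry below our real maximum
        result, negotiated = server.handle(version, scsv)
        attempts.append((version, scsv, result))
        if result == "ok":
            return "ok", negotiated, attempts
        # An SCSV rejection means the first failure was not a version problem;
        # retrying lower would only drive the version down further, so stop.
        if result == "inappropriate_fallback" or version <= limit:
            return "failed", None, attempts
        version -= 1


if __name__ == "__main__":
    scenarios = [
        ("TLS 1.0-only intolerant server, pref set to 1 (clamped to 2)",
         Server(max_version=1, supports_scsv=False, version_tolerant=False), 1),
        ("modern SCSV-aware server, first handshake fails on the network, limit 2",
         Server(max_version=3, supports_scsv=True, fail_first=True), 2),
        ("server without SCSV, first handshake fails on the network, limit 2",
         Server(max_version=3, supports_scsv=False, fail_first=True), 2),
    ]
    for label, srv, limit in scenarios:
        outcome, ver, attempts = connect(srv, limit)
        print(f"{label}: {outcome}", TLS_NAMES.get(ver, ""))
        for v, s, r in attempts:
            print(f"   offered {TLS_NAMES[v]} scsv={s} -> {r}")
```

The third scenario is the risk the fallback limit exists to bound: a transient failure against a server that does not implement SCSV silently lands the session on TLS 1.1, and with a limit of 1 it would have landed on TLS 1.0. The second scenario shows the SCSV-aware server catching the same downgrade, and the clamp in `clamp_fallback_limit` shows why raising the lowest valid limit removes the footgun at the pref level rather than relying on every server to implement RFC 7507.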

Comment 9

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e7e994b6a5a3
https://hg.mozilla.org/mozilla-central/rev/e7e994b6a5a3
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
(Assignee)

Comment 11

2 years ago
Ah, forgot to put a leave-open.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Updated

2 years ago
Attachment #8675339 - Flags: checkin+
:emk, since we've gone through a few release cycles since the first patch in this bug landed, it would be best to land any remaining patches in a separate bug (this makes it easier for everyone to track what landed in which version).
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Keywords: dev-doc-needed
Added a note in https://developer.mozilla.org/en-US/Firefox/Releases/44#Security
Keywords: dev-doc-needed → dev-doc-complete