Closed Bug 1264186 Opened 9 years ago Closed 9 years ago

archive.mozilla.org SSLV3 and Other Weak Ciphers

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1084577

People

(Reporter: seantmelia, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

archive.mozilla.org is running SSLv3 which is vulnerable to POODLE. It is also using other weak ciphers like RC4-MD5 and DES-CBC3-SHA which should be disabled as well.

Reproduction command:

$ sslyze --regular archive.mozilla.org

Output:

  * TLSV1_2 Cipher Suites:
      Preferred:
        ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits  HTTP 200 OK
      Accepted:
        ECDHE-RSA-AES256-SHA384       ECDH-256 bits  256 bits  HTTP 200 OK
        ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits  HTTP 200 OK
        ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits  HTTP 200 OK
        AES256-SHA                    -              256 bits  HTTP 200 OK
        AES256-GCM-SHA384             -              256 bits  HTTP 200 OK
        ECDHE-RSA-AES128-SHA256       ECDH-256 bits  128 bits  HTTP 200 OK
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
        ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits  HTTP 200 OK
        RC4-MD5                       -              128 bits  HTTP 200 OK
        AES128-SHA256                 -              128 bits  HTTP 200 OK
        AES128-SHA                    -              128 bits  HTTP 200 OK
        AES128-GCM-SHA256             -              128 bits  HTTP 200 OK
        DES-CBC3-SHA                  -              112 bits  HTTP 200 OK

  * TLSV1_1 Cipher Suites:
      Preferred:
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
      Accepted:
        ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits  HTTP 200 OK
        AES256-SHA                    -              256 bits  HTTP 200 OK
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
        RC4-MD5                       -              128 bits  HTTP 200 OK
        AES128-SHA                    -              128 bits  HTTP 200 OK
        DES-CBC3-SHA                  -              112 bits  HTTP 200 OK

  * TLSV1 Cipher Suites:
      Preferred:
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
      Accepted:
        ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits  HTTP 200 OK
        AES256-SHA                    -              256 bits  HTTP 200 OK
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
        RC4-MD5                       -              128 bits  HTTP 200 OK
        AES128-SHA                    -              128 bits  HTTP 200 OK
        DES-CBC3-SHA                  -              112 bits  HTTP 200 OK

  * SSLV3 Cipher Suites:
      Preferred:
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
      Accepted:
        ECDHE-RSA-AES256-SHA          ECDH-256 bits  256 bits  HTTP 200 OK
        AES256-SHA                    -              256 bits  HTTP 200 OK
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
        RC4-MD5                       -              128 bits  HTTP 200 OK
        AES128-SHA                    -              128 bits  HTTP 200 OK
        DES-CBC3-SHA                  -              112 bits  HTTP 200 OK
Flags: sec-bounty?
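
Added example (not part of the bug report and not sslyze's own code): Python that parses output in the layout shown in the report and lists every accepted suite that is offered over SSLv3, is one of the weak suites the report names, or has a key size under 128 bits. The `audit` function, the `NULL` and `EXP` tokens, and the 128-bit floor are assumptions of this example; the sample is an excerpt of the report's output laid out one suite per line.

```python
import re

# Constructed sample: excerpt of the report's sslyze output, one suite per line.
SAMPLE = """\
  * TLSV1_2 Cipher Suites:
      Preferred:
        ECDHE-RSA-AES128-GCM-SHA256   ECDH-256 bits  128 bits  HTTP 200 OK
      Accepted:
        ECDHE-RSA-AES256-GCM-SHA384   ECDH-256 bits  256 bits  HTTP 200 OK
        RC4-MD5                       -              128 bits  HTTP 200 OK
        DES-CBC3-SHA                  -              112 bits  HTTP 200 OK
  * SSLV3 Cipher Suites:
      Preferred:
        ECDHE-RSA-AES128-SHA          ECDH-256 bits  128 bits  HTTP 200 OK
      Accepted:
        AES128-SHA                    -              128 bits  HTTP 200 OK
        RC4-MD5                       -              128 bits  HTTP 200 OK
"""

SECTION = re.compile(r"^\s*\*\s+(\S+) Cipher Suites:")
SUITE = re.compile(r"^\s*([A-Z0-9][A-Z0-9-]+)\s+(?:ECDH-\d+ bits|-)\s+(\d+) bits\b")
WEAK_PROTOCOLS = {"SSLV2", "SSLV3"}  # SSLv3 is the POODLE case raised in the report
# RC4, MD5 and CBC3 (3DES) cover the two suites the report names;
# NULL and EXP are an assumption that generalises the same check.
WEAK_TOKENS = {"RC4", "MD5", "CBC3", "NULL", "EXP"}
MIN_BITS = 128  # assumption: anything below this is reported as "keysize"


def audit(text):
    """Return sorted (protocol, suite, reasons) for each weak suite the server accepts."""
    findings, protocol = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            protocol = m.group(1).upper()
            continue
        m = SUITE.match(line)
        if not m or protocol is None:
            continue  # "Preferred:"/"Accepted:" labels and unrelated lines
        suite, bits = m.group(1), int(m.group(2))
        reasons = []
        if protocol in WEAK_PROTOCOLS:
            reasons.append("protocol")
        if WEAK_TOKENS & set(suite.split("-")):
            reasons.append("cipher")
        if bits < MIN_BITS:
            reasons.append("keysize")
        if reasons:
            # Keyed by (protocol, suite): the preferred suite is also listed as accepted.
            findings[(protocol, suite)] = tuple(reasons)
    return sorted((p, s, r) for (p, s), r in findings.items())
```
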
This is specifically done so that Windows XP SP2 users can continue to access the Firefox binaries.
Group: websites-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE

(In reply to April King [:April] from comment #1)

> This is specifically done so that Windows XP SP2 users can continue to
> access the Firefox binaries.

I believe XP (SP2 and later) have been fully desupported since the ESR 52 line stopped publishing updates. Should we revisit this now?

Flags: needinfo?(april)

That's a good question, but not one I can answer. I think :ulfr would probably be the ideal contact here, since he's responsible for product delivery.

Flags: needinfo?(april) → needinfo?(jvehent)
Flags: needinfo?(jvehent)