Closed Bug 1430671 Opened 6 years ago Closed 6 years ago

Disable 3DES suites

Categories

(Firefox :: Security, enhancement)

57 Branch
enhancement
Not set
normal

RESOLVED DUPLICATE of bug 1227524

People

(Reporter: mark, Unassigned)

Details

Triple-DES is a known weak cipher with feasible attacks similar to RC4. It should be disabled by default in Firefox. Having it enabled and actively negotiated is a risk for users of Firefox.

I'm aware that mainstream browsers need to be careful about these things because they may "break the web", but the number of sites affected is relatively small (we've been running without 3DES for over a year -- since Sept 2016 -- and only a small handful of sites, almost invariably running IIS 6.0 (!), are problematic to this day; others have cleaned up their act after our users notified them). It's clear that the sites still left despite evangelism are not going to change their ways unless they are forced to.

It's about time this particular status quo is broken. This is 2018; people should no longer be running 15+ year old server software for public "secure" servers that is 3 years past EoL for the OS it came with (Server 2003).
Someone has to go first -- might as well be the browser that positions itself as valuing privacy and security highly.

(I did search for other bugs but surprisingly found none filed for this change)

This is tracked in bug 1227524.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE