Closed Bug 1487279 Opened 1 year ago Closed 1 year ago

Pref and disable hello downgrade protection

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: mt, Assigned: mt)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

We have reason to believe that the version downgrade protections in TLS 1.3 are likely to cause problems in the short term.  That is, there are some MitM boxes that do things like copy ServerHello.random.  Inadvisable as that may be, we don't want to suddenly break all of those at the same time.  What we want to do is break them progressively.

All we need is a pref to disable the check (which NSS already has), then we turn the screws gradually using Normandy/Shield.  This bug is just to get the pref in place.
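
The check that such a pref switches off, sketched from RFC 8446 section 4.1.3 as an added example (not part of the original bug, and not NSS or Firefox code). It shows why a copied ServerHello.random makes a TLS 1.3 client abort a TLS 1.2 handshake. The names `downgrade_detected` and `check_enabled` are hypothetical, and both byte arrays are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_1_2 0x0303 /* negotiated protocol version, TLS 1.2 */
#define TLS_1_3 0x0304 /* negotiated protocol version, TLS 1.3 */
#define RANDOM_LEN 32

/* RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates an older
 * version sets the last 8 bytes of ServerHello.random to "DOWNGRD" followed
 * by 0x01 (TLS 1.2 negotiated) or 0x00 (TLS 1.1 or below negotiated). */
static const uint8_t DOWNGRD[7] = { 'D', 'O', 'W', 'N', 'G', 'R', 'D' };

/* Check made by a client that offered TLS 1.3. Returns 1 when the handshake
 * must be aborted, 0 otherwise. check_enabled is a hypothetical stand-in for
 * the pref discussed in this bug. */
int downgrade_detected(uint16_t negotiated, const uint8_t *random,
                       int check_enabled)
{
    const uint8_t *tail = random + RANDOM_LEN - 8;

    if (!check_enabled || negotiated >= TLS_1_3)
        return 0; /* check disabled, or TLS 1.3 was negotiated */
    if (memcmp(tail, DOWNGRD, sizeof DOWNGRD) != 0)
        return 0; /* no sentinel present */
    return tail[7] == 0x01 || tail[7] == 0x00;
}

/* Constructed samples. COPIED is the random a TLS 1.3-capable origin sends
 * to a middlebox that offered only TLS 1.2; the middlebox then copies it
 * into its own TLS 1.2 ServerHello. FRESH carries no sentinel. */
static const uint8_t COPIED[RANDOM_LEN] = {
    0x5b, 0x8a, 0x11, 0xc4, 0x3e, 0x90, 0x27, 0xd6,
    0x4f, 0x02, 0xb9, 0x73, 0xe1, 0x6c, 0x58, 0xaa,
    0x0d, 0x95, 0x3b, 0xf7, 0x42, 0x1e, 0x86, 0xc0,
    'D', 'O', 'W', 'N', 'G', 'R', 'D', 0x01 };
static const uint8_t FRESH[RANDOM_LEN] = {
    0x5b, 0x8a, 0x11, 0xc4, 0x3e, 0x90, 0x27, 0xd6,
    0x4f, 0x02, 0xb9, 0x73, 0xe1, 0x6c, 0x58, 0xaa,
    0x0d, 0x95, 0x3b, 0xf7, 0x42, 0x1e, 0x86, 0xc0,
    0x7a, 0x19, 0xe3, 0x60, 0xbd, 0x04, 0x9f, 0x31 };

int main(void)
{
    printf("copied, check on:  %d\n", downgrade_detected(TLS_1_2, COPIED, 1));
    printf("copied, check off: %d\n", downgrade_detected(TLS_1_2, COPIED, 0));
    printf("fresh,  check on:  %d\n", downgrade_detected(TLS_1_2, FRESH, 1));
    return 0;
}
```

With the check disabled the client cannot tell a copied sentinel from one left behind by a real downgrade, which is the protection given up while the pref is off.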
MozReview-Commit-ID: HUEeCuvo5Jr
Attachment #9005083 - Attachment description: Bug 1487279 - Pref to control TLS downgrade check, r?ekr → Bug 1487279 - Pref to control TLS downgrade check, r?keeler
Comment on attachment 9005083 [details]
Bug 1487279 - Pref to control TLS downgrade check, r?keeler

Dana Keeler [:keeler] (she/her) (use needinfo) has approved the revision.
Attachment #9005083 - Flags: review+
Priority: -- → P1
Whiteboard: [psm-assigned]
Pushed by mthomson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8cc7bb447779
Pref to control TLS downgrade check, r=keeler
https://hg.mozilla.org/mozilla-central/rev/8cc7bb447779
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64