Open Bug 665859 Opened 8 years ago Updated 5 days ago
Change default of security.ssl.treat_unsafe_negotiation_as_broken to true
Regarding CVE-2009-3555, I think the time has come to go one step further. Let's drop security indicators (identity button) if a site is unpatched. This is already implemented. This behaviour can be changed by flipping a preference. The identity button will indicate a plain page, and page info will indicate a page with mixed content. security.ssl.treat_unsafe_negotiation_as_broken currently defaults to false. I propose to change the default to true.
What percentage (roughly) of SSL sites will this break the security indicators for? Gerv
(In reply to comment #1)
> What percentage (roughly) of SSL sites will this break the security
> indicators for?
According to http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-and-vulnerable-sites the overall percentage of unpatched servers is: 45 %
I think it is highly unlikely that we would make a change which removes the SSL indicators from Facebook, Amazon and Yahoo. I'm not sure how we can apply more pressure to get people to fix this, but breaking half the SSL web in our browser isn't it IMO. Gerv
(In reply to Kai Engert (:kaie) from comment #2)
> According to
> http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-and-vulnerable-sites
> the overall percentage of unpatched servers is:
>
> 45 %
Is there any new/more recent Data available as of now?
(In reply to XtC4UaLL [:xtc4uall] from comment #5)
> Is there any new/more recent Data available as of now?
https://www.trustworthyinternet.org/ssl-pulse/
Renegotiation Support:
Secure renegotiation 133,476 87.1%
Insecure renegotiation 7,340 4.8%
Both 2,059 1.3%
No support 10,382 6.8%
Survey is of top 200k SSL supporting sites.
(In reply to Dave Garrett from comment #6)
> Survey is of top 200k SSL supporting sites.
Well, that's what it says on the page anyway. It appears that survey is of a bit over 150k, based on those numbers.
I would like to continue here:
Secure renegotiation 136,161 92.8%
Insecure renegotiation 3,944 2.7%
Both 1,454 1%
No support 5,149 3.5%
I've been using security.ssl.require_safe_negotiation for a while now and I don't have that many problems. I think it's a good time to change, since we also land other warnings for SHA-1, RC4, SSL3, DHE < 1024 etc.
Component: Security: UI → Security: PSM
6 years now. It is time to stop pretending websites are secure by showing a non-degraded security indicator. Flip security.ssl.treat_unsafe_negotiation_as_broken to true.
Priority: -- → P5
https://www.ssllabs.com/ssl-pulse/ indicates that this is still an issue of significant magnitude, at least in their survey. I think that we'd need a shield study for this.
Found a culprit: https://www.ssllabs.com/ssltest/analyze.html?d=isp.netscape.com