Change default of security.ssl.treat_unsafe_negotiation_as_broken to true
Categories: Core :: Security: PSM, defect, P5
People: Reporter: KaiE, Unassigned
References: Depends on 2 open bugs, Blocks 2 open bugs
Details: Whiteboard: [psm-backlog]
Comment 15 • 6 years ago
https://www.ssllabs.com/ssl-pulse/ now says 0.3% (463 sites) have insecure negotiation and 0.1% (163 sites) have "both".
Is that significant, or is it similar to https://bugzilla.mozilla.org/show_bug.cgi?id=665859#c10?
Rather than a shield study (or perhaps as well), would it make sense for security.ssl.require_safe_negotiation==FALSE to show some sort of warning on problem sites? At present there is little to alert site admins to this issue, unless someone happens to set this flag.
Comment 17 • 5 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=un.org&s=157.150.185.49
https://www.ssllabs.com/ssl-pulse/
Monthly Scan: June 03, 2020
Total sites surveyed: 139,071
Secure renegotiation: 137,396 (98.8%)
Insecure renegotiation: 288 (0.2%)
Both: 110 (0.1%)
No support: 1,277 (0.9%)
Comment 21 • 3 years ago
https://www.ssllabs.com/ssl-pulse/ shows:
Total sites surveyed: 136,344
Renegotiation Support
Secure renegotiation: 135,256 (99.2%)
Insecure renegotiation: 65 (< 0.1%)
Both: 44 (< 0.1%)
No support: 979 (0.7%)
https://www.ssllabs.com/ssltest/analyze.html?d=un.org says that "There is no support for secure renegotiation" for un.org.
Firefox 100 shows a padlock warning, but viewing the technical details, there are other issues with their encryption.
Is there a current site without secure renegotiation but with no other encryption problems, to show the current state of this bug?
Comment 22 • 4 months ago
It's 2025. security.ssl.treat_unsafe_negotiation_as_broken should have been set to true a long time ago.
It is different from security.ssl.require_safe_negotiation, which blocks connections and causes websites to break (often subresources).
Also, I would suggest implementing a warning in Inspect -> Console, so people are actually aware of this issue.
BTW, I'm surprised to find out that, despite how low the stats seem to be, I have to keep security.ssl.require_safe_negotiation turned off because some obscure websites break, especially non-English ones.
Comment 23 • 4 months ago
For example, https://www.51job.com/ is a fairly large job-search site in China. With security.ssl.require_safe_negotiation turned on, the website itself loads fine, but all the JavaScript/CSS doesn't load because https://js.51jobcdn.com/ fails with an SSL_ERROR_UNSAFE_NEGOTIATION error.
With security.ssl.treat_unsafe_negotiation_as_broken turned on, https://js.51jobcdn.com/in/js/2016/jquery.js works. But there's zero information/warning about "unsafe negotiation" in the console. All I get is a "weak encryption" icon in the network tab, and no further information about "unsafe negotiation".
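Added example, not code from this bug or from Firefox/NSS: the condition both preferences above act on is whether the server signalled secure renegotiation (RFC 5746) by including the renegotiation_info extension, type 0xff01, in its ServerHello. A client that sends TLS_EMPTY_RENEGOTIATION_INFO_SCSV or the extension in its ClientHello and gets no renegotiation_info back is talking to a server with "no support for secure renegotiation", which is what SSL Labs reports and what Firefox calls unsafe negotiation. The Python below parses a ServerHello record and classifies it; build_server_hello constructs test fixtures (zero random, empty session id), and firefox_outcome is a simplified model of the two preferences based on the behaviour described in comments 22 and 23, not on Firefox source. All function names are chosen for this example.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type, RFC 5746


def build_server_hello(extensions, cipher_suite=0xC02F):
    """Construct a minimal TLS 1.2 ServerHello handshake record (test fixture).

    `extensions` is a list of (type, data) pairs. Random and session id are
    zero/empty here, which a real server would never send.
    """
    body = b"\x03\x03"                      # server_version = TLS 1.2
    body += bytes(32)                       # random (constructed zeros)
    body += b"\x00"                         # session_id length 0
    body += struct.pack("!H", cipher_suite)
    body += b"\x00"                         # compression_method null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_server_hello(record):
    """Return the cipher suite and a {type: data} map of extensions from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello body")
    pos = 2 + 32                            # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                      # skip session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                # cipher suite + compression method
    extensions = {}
    if pos < len(body):                     # the extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions length exceeds ServerHello body")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"cipher_suite": cipher_suite, "extensions": extensions}


def renegotiation_status(record):
    """Classify an initial-handshake ServerHello per RFC 5746 section 3.4."""
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    if ext is None:
        return "unsafe"      # no renegotiation_info: server lacks secure renegotiation
    if ext != b"\x00":
        return "invalid"     # initial handshake must carry empty renegotiated_connection
    return "secure"


def firefox_outcome(status, require_safe_negotiation=False, treat_unsafe_as_broken=True):
    """Simplified model (assumption, not Firefox source) of how the two prefs act on the status."""
    if status == "invalid":
        return "abort"       # RFC 5746 requires the client to abort regardless of prefs
    if status == "unsafe":
        if require_safe_negotiation:
            return "SSL_ERROR_UNSAFE_NEGOTIATION"   # connection refused, as for js.51jobcdn.com
        return "broken" if treat_unsafe_as_broken else "secure"  # only the UI indicator changes
    return "secure"


if __name__ == "__main__":
    for exts in ([(RENEGOTIATION_INFO, b"\x00")], [], [(0x0017, b"")]):
        status = renegotiation_status(build_server_hello(exts))
        print(status, firefox_outcome(status, require_safe_negotiation=False),
              firefox_outcome(status, require_safe_negotiation=True))
```

The parser only looks at the server's side of the handshake; in a real connection the client must also have offered the SCSV or an empty renegotiation_info in its ClientHello, otherwise a conforming server will not send the extension back. The "invalid" branch is the one case where no preference matters: a non-empty renegotiated_connection in an initial handshake is a protocol violation and the connection is dropped.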