Closed
Bug 689813
Opened 13 years ago
Closed 11 years ago
Add pref to disable insecure fallback to SSL 3.0 for TLS intolerant servers
Categories: Core :: Security: PSM (defect)
Status: RESOLVED DUPLICATE of bug 689814
People
(Reporter: briansmith, Unassigned)
References
Details
(Keywords: sec-want, Whiteboard: [sg:want?])
I would like to coordinate with other browser vendors to disable our insecure fallback to SSL 3.0 when we cannot connect to a server and/or we detect some SSL errors. The default value of the pref will be to allow the insecure fallback for now.
Comment 1•12 years ago
From our stats, it appears that ~1% of HTTPS connections involve SSLv3 fallback. While I'm keen on getting rid of SSLv3 fallback, in general we don't add options and it's not clear whether this would meet our UI team's bar for visibility. (In past we have had options for enabling and disabling TLS 1.0 and SSL 3.0, but those have been removed.) Previously, Yngve has suggested taking renegotiation extension support as an indication of TLS 1.0 compatibility. (i.e. if we tried SSLv3 fallback and found a renego patched SSLv3 server, then the fallback was the result of flakiness.) He indicated that, while not perfect, there were only a handful of sites that were a problem under that condition. However, we use SSLv3 fallback in order to workaround a number of incompatibilities from standard TLS intolerance to problems with DEFLATE and specific extensions. It's unclear whether Yngve's prober results would therefore be representative.
Comment 2•11 years ago
Bug 901718 aims for removing the fallback to SSLv3. This bug should be marked as a duplicate of Bug 901718.
Comment 3•11 years ago (Reporter)
(In reply to Florian Bender from comment #2)
> Bug 901718 aims for removing the fallback to SSLv3. This bug should be
> marked as a duplicate of Bug 901718.

Bug 901718 is about removing fallback to SSL 3.0 for two specific reasons (connection resets and EOF), to match Chrome's behavior. This bug is about adding a pref (not exposed in the UI) to disable SSL 3.0 fallback completely. Bug 689814 is about making that option default to blocking SSL 3.0 fallback completely. Bug 707275 is about adding telemetry to measure all of this (amongst other things). I agree, though, that we don't need a separate bug for this. We will add prefs (without any UI) in bug 689814 as needed. I will comment in that bug about what I foresee us actually doing.
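The two mechanisms discussed in comment 1 and comment 3, a pref that turns the SSL 3.0 fallback off and Yngve's heuristic of treating a renegotiation-patched SSL 3.0 server as evidence that the fallback was caused by flakiness, can be modelled as a small negotiation loop. The following is an added illustration, not PSM or Firefox code; the pref name, the `Server` model and the "first attempt is reset" network condition are constructed for the example. It shows the property the bug is about: when fallback is allowed, a transient reset against a perfectly TLS-capable server silently lands the connection on SSL 3.0, whereas with the pref off the client fails closed, and the renegotiation heuristic recovers TLS 1.0 for patched servers but not for genuinely TLS-intolerant ones.

```python
from dataclasses import dataclass
from typing import Optional

# Protocol versions in preference order for the era of this bug (highest first).
VERSIONS = ("TLS 1.0", "SSL 3.0")

# Hypothetical name for the pref the bug proposes; NOT a real Firefox pref.
PREF_ALLOW_SSL3_FALLBACK = "security.ssl3_fallback.enabled"


@dataclass
class Server:
    """Constructed server model.

    accepts        - versions the server will negotiate
    tls_intolerant - drops a TLS 1.0 ClientHello instead of negotiating down
    renego_ext     - advertises renegotiation_info (RFC 5746); in practice a
                     sign of a maintained, patched server
    """
    accepts: frozenset
    tls_intolerant: bool = False
    renego_ext: bool = False


@dataclass
class Handshake:
    """Outcome of one attempt: negotiated version (None on failure) and why."""
    version: Optional[str]
    reason: str
    renego_ext: bool = False


def attempt(server: Server, version: str, reset_first: bool, n: int) -> Handshake:
    """Simulate one ClientHello at `version`.

    `reset_first` models a flaky network or middlebox that kills the first
    attempt (the 'cannot connect' case from the bug description); the server
    never sees that ClientHello.
    """
    if reset_first and n == 0:
        return Handshake(None, "connection reset")
    if version == "TLS 1.0" and server.tls_intolerant:
        return Handshake(None, "server dropped TLS 1.0 ClientHello")
    if version in server.accepts:
        return Handshake(version, "ok", server.renego_ext)
    return Handshake(None, f"server rejected {version}")


def connect(server: Server, prefs: dict, reset_first: bool = False,
            renego_heuristic: bool = False) -> Handshake:
    """Client negotiation loop.

    pref False       -> a failed TLS 1.0 handshake is a hard error, never a
                        retry at SSL 3.0 (fail closed).
    renego_heuristic -> Yngve's idea from comment 1: if the SSL 3.0 fallback
                        lands on a renego-patched server, assume the TLS 1.0
                        failure was flakiness and retry TLS 1.0 once.
    """
    allow_fallback = prefs.get(PREF_ALLOW_SSL3_FALLBACK, True)
    n = 0
    hs = attempt(server, VERSIONS[0], reset_first, n)
    n += 1
    if hs.version:
        return hs
    if not allow_fallback:
        return Handshake(None, f"TLS 1.0 failed ({hs.reason}); fallback disabled by pref")
    fb = attempt(server, VERSIONS[1], reset_first, n)
    n += 1
    if fb.version and renego_heuristic and fb.renego_ext:
        retry = attempt(server, VERSIONS[0], reset_first, n)
        if retry.version:
            retry.reason = "SSL 3.0 fallback looked like flakiness; TLS 1.0 retried"
            return retry
    return fb


if __name__ == "__main__":
    # Constructed scenarios: a patched TLS-capable server and a TLS-intolerant one.
    modern = Server(accepts=frozenset(VERSIONS), renego_ext=True)
    intolerant = Server(accepts=frozenset({"SSL 3.0"}), tls_intolerant=True)
    for label, srv, prefs, reset, heur in [
        ("modern, clean network", modern, {}, False, False),
        ("modern, reset, fallback on", modern, {}, True, False),
        ("modern, reset, fallback off", modern, {PREF_ALLOW_SSL3_FALLBACK: False}, True, False),
        ("modern, reset, renego heuristic", modern, {}, True, True),
        ("intolerant, fallback on", intolerant, {}, False, False),
        ("intolerant, fallback off", intolerant, {PREF_ALLOW_SSL3_FALLBACK: False}, False, False),
    ]:
        hs = connect(srv, prefs, reset_first=reset, renego_heuristic=heur)
        print(f"{label:35s} -> {hs.version!s:8s} ({hs.reason})")
```

The second scenario is the one the bug wants a pref for: nothing about the server is old, yet one dropped packet is enough to negotiate SSL 3.0. Comment 1's caveat also shows up in the model: the heuristic only helps when the server actually speaks TLS 1.0, so a renego-patched but TLS-intolerant server still ends up on SSL 3.0.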
Updated•11 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE