Bug 810671 - Remove support for low/weak/null cipher suites
Status: RESOLVED FIXED
Product: SeaMonkey
Classification: Client Software
Component: Security
: unspecified
: All All
: -- normal with 1 vote (vote)
: ---
Assigned To: neil@parkwaycc.co.uk
Depends on: 799007
Reported: 2012-11-11 03:16 PST by neil@parkwaycc.co.uk
Modified: 2013-02-08 04:58 PST


Attachments
Proposed patch (7.69 KB, patch)
2012-11-11 05:43 PST, neil@parkwaycc.co.uk
no flags
remove Sync prefs (1.36 KB, patch)
2012-11-11 15:32 PST, Jens Hatlak (:InvisibleSmiley)
neil: review-
Revised patch (11.21 KB, patch)
2012-11-12 16:45 PST, neil@parkwaycc.co.uk
no flags
Fixed patch (21.49 KB, patch)
2012-11-14 13:07 PST, neil@parkwaycc.co.uk
no flags
Addressed review comments (22.66 KB, patch)
2012-11-15 17:16 PST, neil@parkwaycc.co.uk
iann_bugzilla: review+
philip.chee: feedback+

Description neil@parkwaycc.co.uk 2012-11-11 03:16:16 PST
Bug #799007 removed support for security levels.
Comment 1 neil@parkwaycc.co.uk 2012-11-11 03:29:41 PST
D'oh, I copied all the CCs. Sorry for the spam.
Comment 2 neil@parkwaycc.co.uk 2012-11-11 05:43:57 PST
Created attachment 680438
Proposed patch
Comment 3 Jens Hatlak (:InvisibleSmiley) 2012-11-11 15:32:00 PST
Created attachment 680484
remove Sync prefs

We should also remove the Sync prefs that I introduced in bug 576970 and which got removed for FF through bug 799007 and bug 799009. [Feel free to merge into your patch; this is trivial enough that I don't require my name anywhere.]
Comment 4 neil@parkwaycc.co.uk 2012-11-11 15:35:51 PST
Comment on attachment 680484
remove Sync prefs

You were thinking of bug 810673, but I want to put those prefs back anyway...
Comment 5 neil@parkwaycc.co.uk 2012-11-11 16:13:46 PST
Oh, actually warn_entering_weak can be removed.
Comment 6 neil@parkwaycc.co.uk 2012-11-12 16:45:22 PST
Created attachment 680872
Revised patch

Also removed the warn_entering_weak prefs.
Comment 7 Jens Hatlak (:InvisibleSmiley) 2012-11-12 23:26:39 PST
Comment on attachment 680872
Revised patch

In the end, Help needs to be adapted, too.
Comment 8 neil@parkwaycc.co.uk 2012-11-13 00:31:47 PST
Oh, and Page Info stuff too, sigh...
Comment 9 neil@parkwaycc.co.uk 2012-11-14 13:07:00 PST
Created attachment 681657
Fixed patch

I don't know what, if anything, Firefox is doing with Page Info so I thought I'd play safe and fork the strings; this allowed me to tweak one of them too.
Comment 10 Philip Chee 2012-11-15 08:42:42 PST
Comment on attachment 681657
Fixed patch

> -pref("services.sync.prefs.sync.security.warn_entering_weak", true);
Doesn't security.warn_entering_weak need to be removed from nsThunderbirdProfileMigrator.cpp as well?

> +SiteNotVerified=Website Identity Not Verified
> +WebSiteVerified=Website Identity Verified
> +Identity_Verified=The website %S supports authentication for the page you are viewing. The identity of this website has been verified by %S, a certificate authority you trust for this purpose.
> +ViewCertificate=View the security certificate that verifies this website's identity.
Where are the above strings used?

> +NoEncryption=Connection Not Encrypted
> +Privacy_None1=The website %S does not support encryption for the page you are viewing.
> +Privacy_None2=Information sent over the Internet without encryption can be seen by other people while it is in transit. 
> +Privacy_None3=The page you are viewing is not encrypted.
> +# LOCALIZATION NOTE (pageInfo_StrongEncryptionWithBits): %1$S is the name of the encryption standard,
Wrong L10n note.

> +# %2$S is the key size of the cipher.
> +EncryptionWithBits=Connection Encrypted (%1$S, %2$S bit keys)
> +Privacy_Encryption1=The page you are viewing was encrypted before being transmitted over the Internet.
> +Privacy_Encryption2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
> +MixedContent=Connection Partially Encrypted
> +Privacy_Mixed1=Parts of the page you are viewing were not encrypted before being transmitted over the Internet.

> -.urlbar-security-level[level="high"],
> -.urlbar-security-level[level="low"] {
> +.urlbar-security-level[level="high"] {
>    background-color: InfoBackground;
>    color: InfoText;
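
Review bot: With `[level="low"]` dropped from the selector list, any element that still ends up with level="low" loses the InfoBackground/InfoText styling and falls back to the default look with no visual cue. Please confirm that nothing in the tree still sets that attribute value, and check the other theme stylesheets for leftover level="low" rules so the removal is complete.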

[ comment: (classic) InfoBackground on my system is rgb(255, 255, 225) which isn't very noticeable. ]

Other than the above nits, stuff works as expected.
Comment 11 neil@parkwaycc.co.uk 2012-11-15 17:16:19 PST
Created attachment 682277
Addressed review comments

It occurred to me that I should rename the "new" strings to be in line with the rest of the strings, so instead of no prefix or a "Privacy_" prefix, they now all have a "security" prefix, since they are used on the Security tab.
Comment 12 Philip Chee 2012-11-17 00:32:24 PST
Comment on attachment 682277
Addressed review comments

> It occurred to me that I should rename the "new" strings to be in line with
> the rest of the strings, so instead of no prefix or a "Privacy_" prefix, they
> now all have a "security" prefix, since they are used on the Security tab.
Good idea.

f=me
Comment 13 Ian Neal 2012-11-18 09:47:47 PST
Comment on attachment 682277
Addressed review comments

>+++ b/suite/locales/en-US/chrome/browser/pageInfo.properties

>+securityNoEncryption=Connection Not Encrypted
>+securityNone1=The website %S does not support encryption for the page you are viewing.
>+securityNone2=Information sent over the Internet without encryption can be seen by other people while it is in transit. 
>+securityNone3=The page you are viewing is not encrypted.
>+# LOCALIZATION NOTE (securityEncryptionWithBits): %1$S is the name of the encryption standard,
>+# %2$S is the key size of the cipher.
>+securityEncryptionWithBits=Connection Encrypted (%1$S, %2$S bit keys)
>+securityEncryption1=The page you are viewing was encrypted before being transmitted over the Internet.
>+securityEncryption2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
Would it be better to say "Internet" rather than "network" here for consistency?
>+securityMixedContent=Connection Partially Encrypted
>+securityMixed1=Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
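
Review bot: The securityNone2 line in this hunk ends with a trailing space after "in transit."; suggest removing it unless it is intentional, since trailing whitespace in a string value is easy to miss and tends to be copied along when the string is reused or localized.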

r=me with that addressed.
Comment 14 neil@parkwaycc.co.uk 2012-11-18 11:10:16 PST
(In reply to Ian Neal from comment #13)
> (From update of attachment 682277)
> >+securityEncryption1=The page you are viewing was encrypted before being transmitted over the Internet.
> >+securityEncryption2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
> Would it be better to say "Internet" rather than "network" here for
> consistency?
At first I thought that it was repetitive but I notice that we repeat the term Internet for mixed content too, so it seems reasonable.
Comment 15 neil@parkwaycc.co.uk 2012-11-18 16:30:58 PST
Pushed comm-central changeset 24ad7887d181.
