Remove support for low/weak/null cipher suites

RESOLVED FIXED

Status

SeaMonkey
Security
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: neil@parkwaycc.co.uk, Assigned: neil@parkwaycc.co.uk)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 4 obsolete attachments)

(Assignee)

Description

5 years ago
Bug #799007 removed support for security levels.
(Assignee)

Comment 1

5 years ago
D'oh, I copied all the CCs. Sorry for the spam.
(Assignee)

Comment 2

5 years ago
Created attachment 680438
Proposed patch
Assignee: nobody → neil
Status: NEW → ASSIGNED
Attachment #680438 - Flags: review?(philip.chee)
Created attachment 680484
remove Sync prefs

We should also remove the Sync prefs that I introduced in bug 576970 and which got removed for FF through bug 799007 and bug 799009. [Feel free to merge into your patch; this is trivial enough that I don't require my name anywhere.]
Attachment #680484 - Flags: review?(neil)
(Assignee)

Comment 4

5 years ago
Comment on attachment 680484
remove Sync prefs

You were thinking of bug 810673, but I want to put those prefs back anyway...
Attachment #680484 - Flags: review?(neil) → review-
(Assignee)

Comment 5

5 years ago
Oh, actually warn_entering_weak can be removed.
(Assignee)

Comment 6

5 years ago
Created attachment 680872
Revised patch

Also removed the warn_entering_weak prefs.
Attachment #680438 - Attachment is obsolete: true
Attachment #680484 - Attachment is obsolete: true
Attachment #680438 - Flags: review?(philip.chee)
Attachment #680872 - Flags: review?(philip.chee)
Comment on attachment 680872
Revised patch

In the end, Help needs to be adapted, too.
(Assignee)

Comment 8

5 years ago
Oh, and Page Info stuff too, sigh...
(Assignee)

Comment 9

5 years ago
Created attachment 681657
Fixed patch

I don't know what, if anything, Firefox is doing with Page Info, so I thought I'd play safe and fork the strings; this allowed me to tweak one of them too.
Attachment #680872 - Attachment is obsolete: true
Attachment #680872 - Flags: review?(philip.chee)
Attachment #681657 - Flags: review?(iann_bugzilla)
Attachment #681657 - Flags: feedback?(philip.chee)

Comment 10

5 years ago
Comment on attachment 681657
Fixed patch

> -pref("services.sync.prefs.sync.security.warn_entering_weak", true);
Doesn't security.warn_entering_weak need to be removed from nsThunderbirdProfileMigrator.cpp as well?

> +SiteNotVerified=Website Identity Not Verified
> +WebSiteVerified=Website Identity Verified
> +Identity_Verified=The website %S supports authentication for the page you are viewing. The identity of this website has been verified by %S, a certificate authority you trust for this purpose.
> +ViewCertificate=View the security certificate that verifies this website's identity.
Where are the above strings used?

> +NoEncryption=Connection Not Encrypted
> +Privacy_None1=The website %S does not support encryption for the page you are viewing.
> +Privacy_None2=Information sent over the Internet without encryption can be seen by other people while it is in transit. 
> +Privacy_None3=The page you are viewing is not encrypted.
> +# LOCALIZATION NOTE (pageInfo_StrongEncryptionWithBits): %1$S is the name of the encryption standard,
Wrong L10n note.

> +# %2$S is the key size of the cipher.
> +EncryptionWithBits=Connection Encrypted (%1$S, %2$S bit keys)
> +Privacy_Encryption1=The page you are viewing was encrypted before being transmitted over the Internet.
> +Privacy_Encryption2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
> +MixedContent=Connection Partially Encrypted
> +Privacy_Mixed1=Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
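Review bot: Identity_Verified uses two bare %S placeholders while EncryptionWithBits in the same hunk uses %1$S and %2$S; numbering them here too, with a LOCALIZATION NOTE, makes the argument order explicit for translations that need to reorder the site name and the certificate authority.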

> -.urlbar-security-level[level="high"],
> -.urlbar-security-level[level="low"] {
> +.urlbar-security-level[level="high"] {
>    background-color: InfoBackground;
>    color: InfoText;
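Review bot: With [level="low"] dropped from this selector, any element that still ends up with level="low" loses the InfoBackground/InfoText styling and falls through to whatever the default rule gives it; confirm that the code setting the level attribute can no longer produce "low".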

[ comment: (classic) InfoBackground on my system is rgb(255, 255, 225) which isn't very noticeable. ]

Other than the above nits, stuff works as expected.

Updated

5 years ago
Attachment #681657 - Flags: feedback?(philip.chee)
(Assignee)

Comment 11

5 years ago
Created attachment 682277
Addressed review comments

It occurred to me that I should rename the "new" strings to be in line with the rest of the strings, so instead of no prefix or a "Privacy_" prefix, they now all have a "security" prefix, since they are used on the Security tab.
Attachment #681657 - Attachment is obsolete: true
Attachment #681657 - Flags: review?(iann_bugzilla)
Attachment #682277 - Flags: review?(iann_bugzilla)
Attachment #682277 - Flags: feedback?(philip.chee)

Comment 12

5 years ago
Comment on attachment 682277
Addressed review comments

> It occurred to me that I should rename the "new" strings to be in line with
> the rest of the strings, so instead of no prefix or a "Privacy_" prefix, they
> now all have a "security" prefix, since they are used on the Security tab.
Good idea.

f=me
Attachment #682277 - Flags: feedback?(philip.chee) → feedback+

Comment 13

5 years ago
Comment on attachment 682277
Addressed review comments

>+++ b/suite/locales/en-US/chrome/browser/pageInfo.properties

>+securityNoEncryption=Connection Not Encrypted
>+securityNone1=The website %S does not support encryption for the page you are viewing.
>+securityNone2=Information sent over the Internet without encryption can be seen by other people while it is in transit. 
>+securityNone3=The page you are viewing is not encrypted.
>+# LOCALIZATION NOTE (securityEncryptionWithBits): %1$S is the name of the encryption standard,
>+# %2$S is the key size of the cipher.
>+securityEncryptionWithBits=Connection Encrypted (%1$S, %2$S bit keys)
>+securityEncryption1=The page you are viewing was encrypted before being transmitted over the Internet.
>+securityEncryption2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
Would it be better to say "Internet" rather than "network" here for consistency?
>+securityMixedContent=Connection Partially Encrypted
>+securityMixed1=Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
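Review bot: The securityNone2 line ends with a trailing space after "in transit."; drop it, since trailing whitespace in a .properties value is easy to miss and tends to get copied into translations.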

r=me with that addressed.
Attachment #682277 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 14

5 years ago
(In reply to Ian Neal from comment #13)
> (From update of attachment 682277)
> >+securityEncryption1=The page you are viewing was encrypted before being transmitted over the Internet.
> >+securityEncryption2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network.
> Would it be better to say "Internet" rather than "network" here for
> consistency?
At first I thought that it was repetitive but I notice that we repeat the term Internet for mixed content too, so it seems reasonable.
(Assignee)

Comment 15

5 years ago
Pushed comm-central changeset 24ad7887d181.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED