Closed Bug 901695 Opened 11 years ago Closed 10 years ago

Limit TLS intolerance fallback to sites that are not HSTS

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

RESOLVED INCOMPLETE

People

(Reporter: briansmith, Unassigned)

References

Details

HSTS should stop us from doing TLS intolerance fallback, since the purpose of HSTS is to make TLS-related errors fatal.
We may need to continue to allow TLS 1.2 -> TLS 1.1 -> TLS 1.0 fallback in response to connection resets in order to work around some intermediaries that reset TLS 1.2 and TLS 1.1 connections, based on my understanding of Google's findings. However, we should at least prevent the fallback to SSL 3.0 for HSTS sites. Adding dependency on bug 775370 since that will make it easier for us to get the HSTS state during the TLS connection. CC'ing keeler in case he wants to do this after bug 775370 is done.
Depends on: 775370
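The fallback policy the description asks for, written out as an added Python illustration (this is not Firefox/PSM code). Host names, the HSTS set and the simulated peer behaviours are constructed; a real client would take the HSTS state from the preload list plus remembered Strict-Transport-Security headers. Non-HSTS hosts fall back on any error all the way to SSL 3.0; HSTS hosts fall back only on a connection reset and never to SSL 3.0.

```python
from enum import Enum


class Err(Enum):
    RESET = "connection reset"       # an intermediary killed the connection
    HANDSHAKE = "handshake failure"  # the peer rejected the offered version


# Preference order, highest first; SSL 3.0 is the last-resort level.
VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]

# Constructed HSTS state (hypothetical hosts).
HSTS_HOSTS = {"bank.example"}

# Constructed peer behaviour: which offered versions an intermediary resets,
# and the highest version the server itself accepts.
BEHAVIOUR = {
    "bank.example":       {"resets": {"TLS 1.2", "TLS 1.1"}, "max": "TLS 1.0"},
    "intolerant.example": {"resets": set(), "max": "TLS 1.0"},
    "broken.example":     {"resets": {"TLS 1.2", "TLS 1.1", "TLS 1.0"}, "max": "TLS 1.0"},
}


def attempt(host, version):
    """Simulate one handshake at a fixed version; raise ConnectionError on failure."""
    b = BEHAVIOUR[host]
    if version in b["resets"]:
        raise ConnectionError(Err.RESET)
    # Lower index means higher version, so this is "offered > server maximum".
    if VERSIONS.index(version) < VERSIONS.index(b["max"]):
        raise ConnectionError(Err.HANDSHAKE)
    return version


def connect(host, hsts_hosts=HSTS_HOSTS):
    """Return the negotiated version, or None when the connection must fail.

    Non-HSTS hosts: any error triggers fallback, down to SSL 3.0.
    HSTS hosts: only a reset may trigger fallback, and never to SSL 3.0.
    """
    is_hsts = host in hsts_hosts
    for version in VERSIONS:
        if is_hsts and version == "SSL 3.0":
            return None                      # HSTS makes TLS errors fatal
        try:
            return attempt(host, version)
        except ConnectionError as exc:
            if is_hsts and exc.args[0] is not Err.RESET:
                return None                  # handshake failure is fatal under HSTS
            continue                         # otherwise try the next lower version
    return None


if __name__ == "__main__":
    for h in BEHAVIOUR:
        print(h, "->", connect(h), "| as HSTS ->", connect(h, {h}))
```

The same intolerant server gets a TLS 1.0 connection when it is not an HSTS host and a hard failure when it is, which is the behaviour the bug wants: HSTS turns a version-intolerance workaround into a fatal error instead of a silent downgrade.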
Duplicate of bug 643894?
Given Bug 643894 is specifically about disabling TLS -> SSL fallback (and not inter-TLS), I marked this as a dependency. But feel free to dupe.
Depends on: 643894
Not necessary after bug 1084025 is fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Depends on: 1084025
Resolution: --- → INCOMPLETE