On Saturday 29 January 2011, Christoph Anton Mitterer wrote:
> It seems that iceweasel still is vulnerable to the SSL
> renegotiation attack, as it is simply configured by default to allow
> the vulnerable renegotiation:

This has to be balanced between compatibility and security. Currently
less than 50% of the servers on the internet are patched. So it is
sensible to not deny renegotiation for unpatched servers. Patched
servers usually won't allow insecure renegotiation, anyway. There are
also many servers that don't allow renegotiation at all. So the problem
is mostly about the browser knowing if the remote server is secure.

> security.ssl.require_safe_negotiation;true

FWIW, this setting is about negotiation, not about _re_negotiation. You
probably want to change
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
instead.

It will take a lot longer until security.ssl.require_safe_negotiation
can be switched on by default. Look at how long it took for SSLv2 to
disappear.
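Added example, not part of the thread above: the "patched" servers the reply talks about are the ones implementing RFC 5746 (secure renegotiation). A client signals support by sending the renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00ff); a patched server echoes the extension in its ServerHello, an unpatched one sends nothing, and that echo is exactly what the browser keys "require_safe_negotiation" on. The script below builds such a ClientHello, parses a ServerHello for the extension, and classifies the server. The ServerHello records it parses offline are constructed inline; the `probe()` helper that talks to a real server, the fixed client random and the single cipher suite offered are choices of this example, not of NSS or iceweasel.

```python
"""Check whether a TLS server is 'patched' in the RFC 5746 sense.

Added example (not from the thread). A patched server echoes the
renegotiation_info extension in its ServerHello when the client offers
the extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite value.
"""
import socket
import struct
from typing import Optional

RENEGOTIATION_INFO = 0xFF01                      # extension type from RFC 5746
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = b"\x00\xff"  # signalling cipher suite value from RFC 5746
TLS_RSA_WITH_AES_128_CBC_SHA = b"\x00\x2f"       # one ordinary suite so a handshake can proceed


def build_client_hello(server_name: str) -> bytes:
    """TLS 1.0 ClientHello offering the SCSV plus an empty renegotiation_info extension."""
    client_random = b"\x00" * 32          # fixed for reproducibility; a real client uses os.urandom(32)
    ciphers = TLS_RSA_WITH_AES_128_CBC_SHA + TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    # renegotiation_info carries renegotiated_connection<0..255>, which is empty on an initial handshake
    reneg_ext = struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00"
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack(">H", len(host)) + host        # name_type host_name(0)
    sni_ext = struct.pack(">HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    extensions = reneg_ext + sni_ext
    body = (b"\x03\x01" + client_random + b"\x00"                     # version, random, no session id
            + struct.pack(">H", len(ciphers)) + ciphers
            + b"\x01\x00"                                              # compression methods: null only
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def make_server_hello(extensions: Optional[bytes]) -> bytes:
    """Constructed ServerHello record for offline use; None means no extensions block at all."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + TLS_RSA_WITH_AES_128_CBC_SHA + b"\x00"
    if extensions is not None:
        body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body          # HandshakeType server_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def server_supports_secure_renegotiation(record: bytes) -> bool:
    """True iff the ServerHello carries renegotiation_info; raises on a malformed one (RFC 5746 3.4)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # server_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + 1                                   # cipher_suite + compression_method
    if pos >= len(body):
        return False                               # no extensions at all: unpatched server
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if ext_type == RENEGOTIATION_INFO:
            # On an initial handshake the field MUST be empty; a client must abort otherwise
            if body[pos:pos + ext_len] != b"\x00":
                raise ValueError("non-empty renegotiation_info on initial handshake")
            return True
        pos += ext_len
    return False


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check (needs network; hypothetical helper): send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        header = _recv_exact(sock, 5)
        payload = _recv_exact(sock, struct.unpack(">H", header[3:5])[0])
        if header[0] == 0x15:                      # alert, e.g. the server no longer accepts TLS 1.0
            raise RuntimeError("server sent TLS alert level=%d desc=%d" % (payload[0], payload[1]))
        return server_supports_secure_renegotiation(header + payload)


if __name__ == "__main__":
    import sys
    patched = make_server_hello(struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00")
    print("constructed patched ServerHello   ->", server_supports_secure_renegotiation(patched))
    print("constructed unpatched ServerHello ->", server_supports_secure_renegotiation(make_server_hello(None)))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", "patched (RFC 5746)" if probe(sys.argv[1]) else "UNPATCHED")
```

Run it with a hostname to probe a live server, or without one to see the two constructed cases. The ClientHello is deliberately a 2011-era TLS 1.0 hello, so a server that has since disabled TLS 1.0 or RSA key exchange answers with an alert rather than a ServerHello; the classification itself only depends on whether renegotiation_info comes back, which is the same signal a browser uses before deciding whether to allow renegotiation with that server.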