----- Original Message -----
> From: "Julien Pierre" <julien.pie...@oracle.com>
> To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
> Sent: Tuesday, 21 October, 2014 1:59:44 AM
> Subject: Re: Proposal: Disable SSLv3 in Firefox ESR 31
> 
> Kai,
> 
> On 10/20/2014 16:47, Kai Engert wrote:
> > On Mon, 2014-10-20 at 16:45 -0700, Julien Pierre wrote:
> >> What is the purpose of Firefox continuing to do any fallback at all ?
> >> IMO, making a second connection with any lower version of SSL/TLS
> >> defeats the intent of the SSL/TLS protocol, which has built-in defenses
> >> against protocol version downgrade.
> >> Isn't it time this fallback gets eliminated at last ?
> > I'm stating what I found, I'm not making that decision.
> >
> Sorry, I didn't mean to blame you for that decision - but IMO this
> should be pointed out to whoever made that call.
> 
> The whole TLS_FALLBACK_SCSV would be unnecessary if not for this browser
> misbehavior - and I hope the IETF will reject it.

Yes, it's external to TLS, and yes, it's bad that browsers do use
the manual fallback. Yes, servers should be updated regularly and,
as such, the bugs that cause it fixed. Yes, the configurations should be
updated to align them with current recommendations.

But it doesn't happen in the real world.

So either we can push for policies which will never be implemented and
be workable in the real world, or we can try to make the systems secure in
the real world for people who care (both users and server admins who
do apply updates regularly).

Yes, I'd like to live in a world where it's not necessary, but we don't.
-- 
Regards,
Hubert Kario
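The mechanism the thread is arguing about, as an added example that is not code from the thread, from NSS or from Firefox: a toy model of browser-style version fallback with and without TLS_FALLBACK_SCSV (RFC 7507). The "network", the active attacker that kills handshakes above a chosen version, and the version-intolerant server that drops ClientHellos it does not understand are all constructed for the demonstration; the SCSV value (0x5600), the inappropriate_fallback alert number (86) and the one real cipher suite are taken from the RFCs, and the messages are reduced to the fields that matter for the check.

```python
"""Toy model of browser version fallback and RFC 7507 TLS_FALLBACK_SCSV.

Added example, not code from the mailing-list thread or from NSS/Firefox.
The network, the attacker and the version-intolerant server are constructed
for the demonstration; handshake messages are reduced to the relevant fields.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int]
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600              # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86       # RFC 7507 fatal alert
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F   # one real suite so the offer is non-empty


@dataclass
class ClientHello:
    client_version: Version
    cipher_suites: List[int]


@dataclass
class Server:
    max_version: Version
    intolerant: bool = False  # constructed: buggy server that drops hellos above its max

    def respond(self, hello: ClientHello):
        if self.intolerant and hello.client_version > self.max_version:
            return ("dropped", None)  # the kind of bug that makes browsers fall back
        # RFC 7507 section 3: SCSV present and the server could do better than
        # the offered version => fatal inappropriate_fallback alert.
        if TLS_FALLBACK_SCSV in hello.cipher_suites and self.max_version > hello.client_version:
            return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
        return ("server_hello", min(self.max_version, hello.client_version))


@dataclass
class Network:
    server: Server
    attacker_cap: Optional[Version] = None  # constructed MITM: kills handshakes above cap

    def send(self, hello: ClientHello):
        if self.attacker_cap is not None and hello.client_version > self.attacker_cap:
            return ("dropped", None)
        return self.server.respond(hello)


def connect_with_fallback(net: Network, versions: List[Version], send_scsv: bool):
    """Browser-style fallback: offer the highest version; on a dropped
    connection retry with the next lower one.  With send_scsv=True every
    retry carries TLS_FALLBACK_SCSV, as RFC 7507 section 4 requires."""
    for attempt, version in enumerate(sorted(versions, reverse=True)):
        suites = [TLS_RSA_WITH_AES_128_CBC_SHA]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        kind, payload = net.send(ClientHello(version, suites))
        if kind == "dropped":
            continue
        if kind == "alert":
            return ("aborted", payload)
        return ("negotiated", payload)
    return ("failed", None)


def run_scenarios():
    versions = [TLS12, TLS11, TLS10, SSL3]
    modern = Server(TLS12)
    buggy = Server(TLS10, intolerant=True)
    return {
        # attacker forces SSLv3 against a modern server: fallback without SCSV is downgraded
        "mitm_no_scsv": connect_with_fallback(Network(modern, attacker_cap=SSL3), versions, False),
        # same attack, client marks the retry with SCSV: server detects it and aborts
        "mitm_scsv": connect_with_fallback(Network(modern, attacker_cap=SSL3), versions, True),
        # no attacker, modern server: first attempt succeeds, SCSV is never sent
        "clean_scsv": connect_with_fallback(Network(modern), versions, True),
        # version-intolerant legacy server: fallback with SCSV still succeeds,
        # because the server cannot do better than the offered TLS 1.0
        "buggy_scsv": connect_with_fallback(Network(buggy), versions, True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:14} {result}")
```

The four scenarios show both halves of the argument: fallback without the SCSV lets an active attacker force SSLv3 against a server that speaks TLS 1.2, the SCSV turns that into an inappropriate_fallback abort, and the same SCSV does not break the version-intolerant legacy server that is the reason browsers fall back in the first place, since that server's best version equals the one offered.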
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto