On Tue, 2006-01-24 at 09:19 +0100, Mike Hommey wrote:
> Please read /usr/share/doc/firefox/NEWS.Debian.gz
>
> mozilla-firefox (1.0.3-2) unstable; urgency=high
>
>   SSLv2 and all 40-bit ciphers are disabled by default in this
>   release. The insecurities of SSLv2 are outlined in
>   http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm. 40-bit
>   ciphers do not provide a realistic amount of security in this day
>   and age. SSLv2 can be reenabled from the Preferences dialog, and
>   the 40-bit ciphers from about:config (look under the
>   security.ssl.* keys).
>
> I'll add that you can also enable the missing cipher by adding
>
>   pref("security.ssl3.rsa_rc4_40_md5", true);
>
> either in /etc/firefox/pref/firefox.js or any .js file you may create in
> /etc/firefox/pref.
For goodness' sake, what kind of madness is this?! I seriously do *not*
appreciate having my web browser telling me which sites I can and cannot
connect to. There's already the warning about low-grade encryption once
rc4-40 is enabled. Why is this warning inadequate? It's not firefox's place
to decide whether it's safe for me to connect to a given 40-bit encrypted
site.

> Closing the bug.

Emphatically reopening. This is madness. If you really want to switch off
40-bit connections by default, then at least have the courtesy to explain in
the dialog box what is happening and how to deal with it. Expecting people
to scrounge through README files when all they are trying to do is
(deliberately) connect to a low-grade encrypted site is highly out of line.
The user should not be punished just because some web site happens to have
taken their own security seriously. It's definitely not firefox's place to
behave like this.

Drew
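For an administrator who wants to know whether anyone has quietly re-enabled the weak settings via the mechanism Mike describes, here is an added audit script (not part of the bug thread or of Debian's firefox package). It scans a Debian-style system prefs directory such as /etc/firefox/pref for pref() or user_pref() lines that set a weakening key to true. The key security.ssl3.rsa_rc4_40_md5 is the one quoted in the thread; security.enable_ssl2 is assumed here to be the SSLv2 toggle of that Firefox generation. The sample prefs directory is constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Firefox system prefs
# directory (Debian layout: /etc/firefox/pref/*.js) for prefs that
# re-enable weak transport security when set to true.

# security.ssl3.rsa_rc4_40_md5 is quoted in the thread;
# security.enable_ssl2 is assumed to be the SSLv2 switch of that era.
WEAK_PREFS='security.ssl3.rsa_rc4_40_md5 security.enable_ssl2'

# audit_firefox_prefs DIR
# Prints "file:pref" for every weak pref found set to true.
# Returns 0 when nothing weak is enabled, 1 otherwise (audit-style exit).
audit_firefox_prefs() {
    dir="$1"
    found=0
    for f in "$dir"/*.js; do
        [ -f "$f" ] || continue
        for p in $WEAK_PREFS; do
            # Match pref("name", true) or user_pref("name", true),
            # tolerating whitespace; commented-out lines do not match
            # because the regex is anchored to the start of the line.
            if grep -Eq "^[[:space:]]*(user_)?pref\([[:space:]]*\"$p\"[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$f"; then
                printf '%s:%s\n' "$f" "$p"
                found=1
            fi
        done
    done
    return $found
}

# make_sample_prefs
# Constructed sample directory standing in for /etc/firefox/pref:
# firefox.js re-enables the 40-bit RC4 suite (as the thread describes),
# local.js leaves SSLv2 disabled, so only one finding is expected.
make_sample_prefs() {
    d=$(mktemp -d)
    cat > "$d/firefox.js" <<'EOF'
// constructed sample prefs file
pref("security.ssl3.rsa_rc4_40_md5", true);
pref("security.ssl3.rsa_rc4_128_md5", true);
EOF
    cat > "$d/local.js" <<'EOF'
// constructed sample prefs file
pref("security.enable_ssl2", false);
// pref("security.ssl3.rsa_rc4_40_md5", true);  commented out: not a finding
EOF
    printf '%s\n' "$d"
}

# Usage against a live system:  audit_firefox_prefs /etc/firefox/pref
# Usage against the constructed sample:
#   sample=$(make_sample_prefs); audit_firefox_prefs "$sample"
```

The function exits non-zero when it finds anything, so it drops straight into a cron job or configuration-management check; the regex is anchored so that a commented-out pref line is not reported.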

