* Drew Parsons ([EMAIL PROTECTED]) wrote:
> On Tue, 2006-01-24 at 09:19 +0100, Mike Hommey wrote:
> 
> > 
> > Please read /usr/share/doc/firefox/NEWS.Debian.gz
> > 
> > mozilla-firefox (1.0.3-2) unstable; urgency=high
> > 
> >     SSLv2 and all 40-bit ciphers are disabled by default in this
> >     release. The insecurities of SSLv2 are outlined in
> >     http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm. 40-bit
> >     ciphers do not provide a realistic amount of security in this day
> >     and age. SSLv2 can be reenabled from the Preferences dialog, and
> >     the 40-bit ciphers from about:config (look under the
> >     security.ssl.* keys).
> > 
> > I'll add that you can also enable the missing cipher by adding
> > pref("security.ssl3.rsa_rc4_40_md5", true);
> > 
> > either in /etc/firefox/pref/firefox.js or any .js file you may create in
> > /etc/firefox/pref.
> 
> For goodness' sake, what kind of madness is this?!  I seriously do *not*
> appreciate having my web browser telling me which sites I can and cannot
> connect to.

Try to calm down. 
 
> There's already the warning about low-grade encryption once rc4-40 is
> enabled. Why is this warning inadequate? It's not firefox's place to
> decide whether it's safe for me to connect to a given 40-bit encrypted
> site.

I made this decision back in the 1.0 days, where this warning was not
present IIRC. I think this was the right decision at the time because
it was not clear to the average user that anything was amiss... it
looked just as secure as any other site, which certainly was
completely unacceptable.

But if now firefox is issuing a warning, I think we can permit it by
default, and allow users to make their own choice.

> > Closing the bug.
> 
> Emphatically reopening. This is madness.  If you really want to switch
> off 40bit connections by default, then at least have the courtesy to
> explain in the dialog box what is happening and how to deal with it.
> Expecting people to scrounge through README files when all they are
> trying to do is (deliberately) connect to a low-grade encrypted site is
> highly out of line.
> 
> The user should not be punished just because some web site happens to
> have taken their own security seriously.  It's definitely not
> firefox's place to behave like this.

Well the user should not be lulled into a false sense of security,
this was the point. 

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+ 
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+ 
G e h! r- y+ 
------END GEEK CODE BLOCK------
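An added audit check, not part of the thread or of the Debian package: Mike's note above shows that a 40-bit suite can be re-enabled by dropping a `pref("security.ssl3.rsa_rc4_40_md5", true);` line into `/etc/firefox/pref/*.js`. Since such a line silently undoes the hardening the NEWS entry describes, an administrator may want to scan those files for it. The script below parses the `pref(...)` line format and flags any `security.ssl*` key that re-enables a 40-bit cipher. The sample file content is constructed here; the only key taken from the thread is `security.ssl3.rsa_rc4_40_md5`, and the other key names in the sample are assumed for illustration.

```python
"""Audit Firefox pref .js files for re-enabled 40-bit cipher suites.

Added example, not from the thread or from Debian's firefox package.
Parses the pref("name", value); lines used in /etc/firefox/pref/*.js and
reports keys that turn a 40-bit suite back on.
"""
import re

# Matches lines such as:  pref("security.ssl3.rsa_rc4_40_md5", true);
# user_pref(...) shares the syntax and is accepted too.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\);'
)

# The key named in the thread; any other security.ssl* key whose name
# carries "_40_" (a 40-bit export suite) is treated the same way.
WEAK_40BIT_KEY = "security.ssl3.rsa_rc4_40_md5"


def parse_prefs(text):
    """Return {name: value} for every pref line; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def is_weak_40bit_key(name):
    """True for the thread's key or any security.ssl* key naming a 40-bit suite."""
    return name == WEAK_40BIT_KEY or (name.startswith("security.ssl") and "_40_" in name)


def find_weak_settings(prefs):
    """Return the sorted pref names that re-enable a 40-bit cipher suite."""
    return sorted(n for n, v in prefs.items() if is_weak_40bit_key(n) and v is True)


# Constructed sample of a site-local pref file; the key names other than
# security.ssl3.rsa_rc4_40_md5 are assumed for illustration only.
SAMPLE_PREF_JS = """\
// local overrides dropped into /etc/firefox/pref/
pref("security.ssl3.rsa_rc4_40_md5", true);    // re-enables RC4-40: flagged
pref("security.ssl3.rsa_rc4_128_md5", true);   // 128-bit suite: not flagged
pref("security.ssl3.rsa_rc2_40_md5", false);   // 40-bit but still disabled
pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name in find_weak_settings(parse_prefs(SAMPLE_PREF_JS)):
        print(f"WARNING: {name} is enabled (40-bit cipher suite)")
```

Run it against the real files with `parse_prefs(open(path).read())` for each `.js` under `/etc/firefox/pref/`; a later file can override an earlier one, so merge the dictionaries in load order before calling `find_weak_settings` if you want the effective setting rather than a per-file report.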
