Summary: Google researchers have discovered a plaintext recovery attack against SSL 3.0 with no known mitigation.
I would like us to ship Firefox with SSL 3.0 disabled by default. This means setting security.tls.version.min to 1, or, in terms of code, changing the initial value of PSM_DEFAULT_MIN_TLS_VERSION from 0 to 1 in security/manager/ssl/src/nsNSSComponent.cpp. I assume that other Mozilla ports use the same code and require the same changes. Note that this does not preclude the user from changing the setting back to 0 in about:config. I would also like to do the same for Chrome, but I don't know the exact procedure and I am unable to find out or test, since Chrome has been broken for several months. DES -- Dag-Erling Smørgrav - [email protected] _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-gecko To unsubscribe, send any mail to "[email protected]"
