On (10/15/14 03:03), Dag-Erling Smørgrav wrote:
Summary: Google researchers have discovered a plaintext recovery attack
against SSL 3.0 with no known mitigation.
I would like us to ship Firefox with SSL 3.0 disabled by default. This
means setting security.tls.version.min to 1, or, in terms of code,
changing the initial value of PSM_DEFAULT_MIN_TLS_VERSION from 0 to 1 in
security/manager/ssl/src/nsNSSComponent.cpp. I assume that other
Mozilla ports use the same code and require the same changes.
Note that this does not preclude the user from changing the setting back
to 0 in about:config.
I would also like to do the same for Chrome, but I don't know the exact
procedure and I am unable to find out or test, since Chrome has been
broken for several months.
FireFox devs will be disabling SSLv3 by default in the November release of
Firefox:
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
In the interim, they've released an addon to force TLS only:
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
It might be less surprising if we bundle the addon with the current
installation.
-r
DES
--
Dag-Erling Smørgrav - [email protected]
_______________________________________________________
Please think twice when forwarding, cc:ing, or bcc:ing
ports-security-team messages. Ask if you are unsure.
--
Ryan Steinmetz
PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-gecko
To unsubscribe, send any mail to "[email protected]"
