Support for SSL False Start in Firefox

2010-10-05 Thread Jean-Marc Desperrier

Hi,

Google is currently communicating about how they will use SSL False 
Start to accelerate the web, even if it means breaking a small 
fraction of incompatible sites (they will use a black list that should 
mitigate most of the problem).

See http://news.cnet.com/8301-30685_3-20018437-264.html

Am I right that there is currently no bug and no plan to make available 
in Firefox the False Start support that has been included in NSS in 
bug 525092? (As noted here 
https://bugzilla.mozilla.org/show_bug.cgi?id=525092#c24 making it 
minimally available requires one call to set the SSL_ENABLE_FALSE_START 
option, and a preference to optionally disable it. Handling the black 
list is more work; I don't know if Google plans to make their list a 
public resource, maybe Wan-Teh Chang can tell)


XP2 mda.firefox and mdt.crypto, fu2 mda.firefox

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Support for SSL False Start in Firefox

2010-10-05 Thread Wan-Teh Chang
On Tue, Oct 5, 2010 at 6:28 AM, Jean-Marc Desperrier jmd...@gmail.com wrote:
> Hi,
>
> Google is currently communicating about how they will use SSL False Start to
> accelerate the web, even if it means breaking a small fraction of
> incompatible sites (they will use a black list that should mitigate most of
> the problem).
> See http://news.cnet.com/8301-30685_3-20018437-264.html
>
> Am I right that there is currently no bug and no plan to make available in
> Firefox the False Start support that has been included in NSS in bug
> 525092? (As noted here
> https://bugzilla.mozilla.org/show_bug.cgi?id=525092#c24 making it minimally
> available requires one call to set the SSL_ENABLE_FALSE_START option, and a
> preference to optionally disable it. Handling the black list is more work; I
> don't know if Google plans to make their list a public resource, maybe
> Wan-Teh Chang can tell)

It was added, and then disabled by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=583908
https://bugzilla.mozilla.org/show_bug.cgi?id=591523

The False Start blacklist is a public resource.  It is published in
the Chromium source tree.

Disabling False Start in Firefox 4 was the right decision because
without additional changes to NSS or PSM, the failures caused by False
Start are nondeterministic, depending on the arrival times of the
client's Finished message and the first application data record.
Nondeterministic failures make debugging very difficult. In addition,
the Mozilla team is uncomfortable using a blacklist.

Wan-Teh
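The failure mode Wan-Teh describes (the outcome depends on how the client's Finished and the first application-data record arrive at the server) can be shown with a small model. The following is an added illustration, not NSS, PSM or Chromium code, and it makes one stated assumption about the broken servers: that while still in the handshake they consume the client's Finished and discard whatever else arrived in the same read(). That defect is a hypothesis used to drive the model, not a claim about any named product. Record headers are real 5-byte TLS headers; the "wire" is a list of byte chunks whose boundaries stand in for TCP segment and read() boundaries; the sample request is constructed. (On the client side, the NSS knob the thread refers to is set with SSL_OptionSet(fd, SSL_ENABLE_FALSE_START, PR_TRUE); the model below does not link against NSS.)

```python
# Added illustration (not NSS, PSM or Chromium code): why a False Start
# client can fail nondeterministically against some servers.
#
# The buggy server models an ASSUMED implementation defect: while still in
# the handshake it consumes the client's Finished and throws away whatever
# else was delivered by the same read().  Whether the first application-data
# record shares that read() with Finished depends on timing/segmentation,
# which is exactly the nondeterminism the thread talks about.

HANDSHAKE = 22
APPLICATION_DATA = 23
# Handshake message type 20 (finished) + 3-byte length + 12 bytes of verify data.
CLIENT_FINISHED = b"\x14" + b"\x00\x00\x0c" + b"verify-data!"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed sample


def encode_record(content_type: int, payload: bytes) -> bytes:
    """TLS record: type(1) | version(2) | length(2) | payload."""
    return bytes([content_type, 3, 1]) + len(payload).to_bytes(2, "big") + payload


def parse_records(buf: bytes):
    """Split buf into complete (type, payload) records; return (records, leftover)."""
    records = []
    while len(buf) >= 5:
        length = int.from_bytes(buf[3:5], "big")
        if len(buf) < 5 + length:
            break                       # partial record: wait for more bytes
        records.append((buf[0], buf[5:5 + length]))
        buf = buf[5 + length:]
    return records, buf


def client_flight(false_start: bool) -> bytes:
    """Bytes the client writes right after its own ChangeCipherSpec/Finished.

    With False Start the application request follows Finished immediately,
    before the server's Finished has been seen.  Without it only Finished
    goes out now; the request is sent later (see simulate()).
    """
    out = encode_record(HANDSHAKE, CLIENT_FINISHED)
    if false_start:
        out += encode_record(APPLICATION_DATA, REQUEST)
    return out


class Server:
    """Minimal record-layer state machine on the receiving side."""

    def __init__(self, drops_bytes_after_finished: bool):
        self.buggy = drops_bytes_after_finished
        self.handshake_done = False
        self.pending = b""
        self.app_data = []
        self.errors = []

    def on_read(self, chunk: bytes) -> None:
        self.pending += chunk
        records, self.pending = parse_records(self.pending)
        for ctype, payload in records:
            if ctype == HANDSHAKE and payload[:1] == b"\x14":
                # Client Finished accepted; the server would now send its own
                # Finished and start accepting application data (not modelled).
                self.handshake_done = True
                if self.buggy:
                    # Assumed defect: the handshake code owned this read()
                    # buffer and discards everything that followed Finished.
                    self.pending = b""
                    return
            elif ctype == APPLICATION_DATA and self.handshake_done:
                self.app_data.append(payload)
            else:
                self.errors.append(("unexpected record", ctype))
                return


def simulate(false_start: bool, coalesced: bool, buggy_server: bool) -> bool:
    """True if the server ends up holding the client's request intact."""
    wire = client_flight(false_start)
    finished_len = 5 + len(CLIENT_FINISHED)
    if false_start and not coalesced:
        chunks = [wire[:finished_len], wire[finished_len:]]   # two read()s
    else:
        chunks = [wire]                                       # one read()
    server = Server(buggy_server)
    for chunk in chunks:
        server.on_read(chunk)
    if not false_start:
        # The client waited for the server's Finished; the request arrives alone.
        server.on_read(encode_record(APPLICATION_DATA, REQUEST))
    return server.app_data == [REQUEST] and not server.errors


def outcomes() -> dict:
    """Map (false_start, coalesced, buggy_server) -> request delivered?"""
    return {
        (fs, co, bug): simulate(fs, co, bug)
        for fs in (False, True)
        for co in (False, True)
        for bug in (False, True)
    }


if __name__ == "__main__":
    for key, ok in sorted(outcomes().items()):
        print("false_start=%-5s coalesced=%-5s buggy=%-5s -> %s"
              % (*key, "ok" if ok else "LOST"))
```

Only one of the eight combinations loses the request: False Start enabled, the buggy server, and Finished plus application data delivered in a single read. The same client bytes against the same server succeed when the two records happen to land in separate reads, which is why the breakage cannot be reproduced reliably from the client side and why a per-site blacklist is the only practical mitigation short of changing the client's behaviour.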


Re: Support for SSL False Start in Firefox

2010-10-05 Thread Eddy Nigg

On 10/05/2010 03:28 PM, From Jean-Marc Desperrier:
> Hi,
>
> Google is currently communicating about how they will use SSL False
> Start to accelerate the web, even if it means breaking a small
> fraction of incompatible sites (they will use a black list that should
> mitigate most of the problem).
>
> See http://news.cnet.com/8301-30685_3-20018437-264.html



Interestingly, the folks at CNET made a huge mistake in their 
calculations, since only a fraction of the 227 million web sites are SSL 
secured. Of that, 0.05% appears to be rather tiny, certainly not the 
114,000 sites they claimed in the article.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg



Re: Support for SSL False Start in Firefox

2010-10-05 Thread Kurt Seifried
> Google is currently communicating about how they will use SSL False Start
> to accelerate the web, even if it means breaking a small fraction of
> incompatible sites (they will use a black list that should mitigate most of
> the problem).
> See http://news.cnet.com/8301-30685_3-20018437-264.html


> Interestingly, the folks at CNET made a huge mistake in their calculations,
> since only a fraction of the 227 million web sites are SSL secured. Of that,
> 0.05% appears to be rather tiny, certainly not the 114,000 sites they
> claimed in the article.


From the EFF SSL Observatory (pretty recent data):

10.8M started an SSL handshake
4.3+M used valid cert chains
1.3+M distinct valid leaves

so that's more like 2000 sites that will be broken assuming Google's
numbers are legit (of course if those are the top 500 sites it would
be rather painful, but a blacklist of 2000 entries is pretty simple to
maintain). So he's only off by a factor of 50 or so.

> Signer:  Eddy Nigg, StartCom Ltd.

-- 
Kurt Seifried
k...@seifried.org
tel: 1-703-879-3176