NoOp wrote:
I'm not sure I fully understand (or probably ever will)...
<https://bugzilla.mozilla.org/show_bug.cgi?id=665814>
[(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0
(facilitated by websockets -76)]
doesn't seem to indicate java, but instead nss as being the issue. So,
"to be clear": is it a java or nss issue?

Java uses its own TLS stack, which is vulnerable as described in the bug on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90 mentions that this has been split off into https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows sockets to any site, which can trigger the attack, and Oracle has not yet made any comments that they even intend to work on the problem.

The NSS stack is vulnerable in theory, but under our control, so we can fix it, and will do so. To trigger the attack, HTTPS connections need to be made in a certain way, though, and we have no code in Firefox or SeaMonkey right now that does that. Websockets protocol -76 was a way to trigger that, but we have not been implementing this protocol version since Firefox 5 and SeaMonkey 2.2; we are now implementing a newer protocol version of Websockets which cannot trigger that attack.

So, NSS is basically vulnerable, but we don't have any code that opens network connections in a way that would actually allow the attack. We still will fix NSS in future versions so that any change in how we're doing connections will also not expose us to the attack. (Note that Chrome is using NSS as well, and they're in the same situation as us here and will ship probably exactly the same fix in the future.)

We can't fix Java, and Java applets are exploitable as things stand, so our only possibility is to reduce/block usage of the vulnerable versions, which are all we know about right now, and Oracle has not made any commitment to fixing the problem in future versions.

I hope that explains the problem enough.

Robert Kaiser


--
Note that any statements of mine - no matter how passionate - are never meant to be offensive but very often as food for thought or possible arguments that we as a community should think about. And most of the time, I even appreciate irony and fun! :)
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey