Bug 1215796 - Cleanup some non-secure fallback options
Opened 9 years ago; closed 8 years ago
Categories: Core :: Security: PSM, defect
Status: RESOLVED FIXED
Target Milestone: mozilla44

Tracking

| | Tracking | Status |
|---|---|---|
| firefox44 | --- | fixed |

People: Reporter: emk, Assignee: emk
Keywords: dev-doc-complete
Attachments (3 files)
- 7.61 KB, patch
- 51.69 KB, patch (keeler: review+; emk: checkin+)
- 22.69 KB, patch
Once we have an override UX, we can remove some redundant options.
Comment 1 (Assignee) • 9 years ago
This is an easy footgun.
Comment 2 (Assignee) • 9 years ago
Unrestricted RC4 fallback was enabled until Firefox 43. The static fallback will be disabled as of Firefox 44. So this list is just a waste of binary size.

Attachment #8675339 - Flags: review?(dkeeler)
Comment 3 (Assignee) • 9 years ago
Chrome 45+ already disabled the non-secure fallback to TLS 1.0. Chrome 48+ will remove the option to re-enable the fallback.
Attachment #8675340 - Flags: review?(dkeeler)
Comment 4 (Assignee) • 9 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=7fc65622f2b6
Comment 5 (David Keeler [:keeler]) • 9 years ago

Comment on attachment 8675339 - Remove the static fallback whitelist
Review of attachment 8675339:

Great

Attachment #8675339 - Flags: review?(dkeeler) → review+
Comment 6 (David Keeler [:keeler]) • 9 years ago

Comment on attachment 8675338 - Remove unrestricted RC4 fallback pref
Review of attachment 8675338:

I'm concerned about removing this so quickly after shipping the new UI. If we find a significant problem, we're going to want an easy, low-risk change we can make to restore the original behavior (as in, flipping a pref). Let's keep this for a release or two until we're confident about it (for one thing, no RC4 override UI has been implemented for android or b2g, as far as I'm aware).

Attachment #8675338 - Flags: review?(dkeeler)
Comment 7 (David Keeler [:keeler]) • 9 years ago

Comment on attachment 8675340 - Bump the lowest valid fallback limit to 2 (TLS 1.1)
Review of attachment 8675340:

I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no longer the case? Anyway, I don't see this as a change we urgently need to make, seeing as the pref defaults to a fallback limit of TLS 1.2.

Attachment #8675340 - Flags: review?(dkeeler)
Comment 8 (Assignee) • 9 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> I seem to recall some aspect of RC4 fallback requiring TLS 1.0. Is this no
> longer the case?

IE requires falling back to TLS 1.0, but we don't. We had to support RC4 fallback with TLS 1.2 because of FALLBACK_SCSV.
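The interplay discussed in comments 7 and 8 (the fallback-limit pref, the new TLS 1.1 floor, and why TLS_FALLBACK_SCSV makes a version drop risky) is easier to see in a small model. The following is an added example written for this page, not Firefox or NSS code: the `Server` class, its `intolerant_above` and `flaky_first` failure modes, and the scenarios at the bottom are all constructed for illustration, and the integer version scale (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) is the one the `security.tls.version.*` prefs use.

```python
"""Client-side TLS version fallback, the fallback-limit pref and TLS_FALLBACK_SCSV
(RFC 7507), modelled in plain Python.

Added illustration for this bug; it is not Firefox or NSS code. The integer
version scale mirrors the security.tls.version.* prefs discussed in the thread
(0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2). The Server class, its
failure modes and the scenarios at the bottom are constructed for the example.
"""

TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"
HIGHEST_VERSION = 3                # TLS 1.2: the fallback-limit default at the time
LOWEST_VALID_FALLBACK_LIMIT = 2    # TLS 1.1: the floor this bug's patch introduces


def effective_fallback_limit(pref_value: int) -> int:
    """Clamp the fallback-limit pref into [TLS 1.1, TLS 1.2].

    A pref value of 0 or 1 no longer re-enables fallback to SSL 3.0 or TLS 1.0;
    it is treated as 2 (TLS 1.1).
    """
    return max(LOWEST_VALID_FALLBACK_LIMIT, min(pref_value, HIGHEST_VERSION))


class Server:
    """Constructed server model with two ways to make a handshake fail:
    `intolerant_above` drops any ClientHello whose highest offered version is
    greater than that value (the version-intolerant servers fallback was invented
    for); `flaky_first` fails the first N connections for an unrelated reason
    (a network glitch), which is what makes blind fallback a footgun."""

    def __init__(self, max_version=HIGHEST_VERSION, scsv_aware=True,
                 intolerant_above=None, flaky_first=0):
        self.max_version = max_version
        self.scsv_aware = scsv_aware
        self.intolerant_above = intolerant_above
        self.flaky_first = flaky_first

    def handshake(self, client_max: int, scsv_sent: bool):
        """Return (reply, negotiated_version); reply is 'ok' or an alert name."""
        if self.flaky_first > 0:
            self.flaky_first -= 1
            return ("handshake_failure", None)
        if self.intolerant_above is not None and client_max > self.intolerant_above:
            return ("handshake_failure", None)
        # RFC 7507 section 3: a server that sees TLS_FALLBACK_SCSV and supports a
        # higher version than the client offered aborts with inappropriate_fallback.
        if scsv_sent and self.scsv_aware and client_max < self.max_version:
            return ("inappropriate_fallback", None)
        return ("ok", min(client_max, self.max_version))


def connect(server: Server, fallback_limit_pref: int = HIGHEST_VERSION,
            client_max: int = HIGHEST_VERSION):
    """Run the client's handshake loop.

    Returns (outcome, negotiated_version, attempts); each attempt is
    (offered_version, scsv_sent, server_reply).
    """
    limit = effective_fallback_limit(fallback_limit_pref)
    version, scsv_sent, attempts = client_max, False, []
    while True:
        reply, negotiated = server.handshake(version, scsv_sent)
        attempts.append((version, scsv_sent, reply))
        if reply == "ok":
            return ("ok", negotiated, attempts)
        if reply == "inappropriate_fallback" or version <= limit:
            # The server said the downgrade is bogus, or the pref forbids going
            # lower: surface the error rather than retrying with a weaker ClientHello.
            return ("error", None, attempts)
        version -= 1        # insecure fallback: offer a lower maximum version ...
        scsv_sent = True    # ... and flag it with TLS_FALLBACK_SCSV (RFC 7507 section 4)


if __name__ == "__main__":
    # Default pref (TLS 1.2): a one-off failure is an error, never a downgrade.
    print(connect(Server(flaky_first=1), fallback_limit_pref=3))
    # Pref 1 (TLS 1.0) is clamped to TLS 1.1; a TLS 1.1-only intolerant server still works.
    print(connect(Server(max_version=2, scsv_aware=False, intolerant_above=2), 1))
    # Same pref against a healthy TLS 1.2 server hit by a glitch: the SCSV lets the
    # server reject the downgrade instead of silently negotiating TLS 1.1.
    print(connect(Server(flaky_first=1), 1))
    # A TLS 1.0-only server is now unreachable: the loop stops at the TLS 1.1 floor.
    print(connect(Server(max_version=1, intolerant_above=1), 0))
```

The third scenario is the reason behind the answer in comment 8: a retry that only re-enables RC4 cipher suites at the same version is not a version downgrade, so an SCSV-aware server has nothing to object to, whereas dropping to TLS 1.0 for RC4 against a server that supports TLS 1.2 would be rejected with inappropriate_fallback exactly as modelled here.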
https://hg.mozilla.org/mozilla-central/rev/e7e994b6a5a3
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Comment 11 (Assignee) • 9 years ago
Ah, forgot to put a leave-open.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated (Assignee) • 9 years ago

Attachment #8675339 - Flags: checkin+
Comment 12 • 8 years ago

:emk, since we've gone through a few release cycles since the first patch in this bug landed, it would be best to land any remaining patches in a separate bug (this makes it easier for everyone to track what landed in which version).
Status: REOPENED → RESOLVED
Closed: 9 years ago → 8 years ago
Resolution: --- → FIXED
Updated • 8 years ago

Keywords: dev-doc-needed
Comment 13 • 8 years ago
Added a note in https://developer.mozilla.org/en-US/Firefox/Releases/44#Security
Keywords: dev-doc-needed → dev-doc-complete