Closed
Bug 1083996
Opened 10 years ago
Closed 10 years ago
SSL Version Control rollbacks the min version on uninstall after Firefox update
Categories
(Firefox :: Extension Compatibility, defect)
RESOLVED
FIXED
People
(Reporter: emk, Unassigned)
Steps to reproduce:
1. Install Nightly built on 2014-10-15 or earlier:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-10-15-03-02-02-mozilla-central/
2. Make sure security.tls.version.min is set to 0 (default).
3. Install SSL Version Control:
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
4. Update Nightly from About Nightly.
5. Open about:config and confirm the security.tls.version.min value.
Actual result:
security.tls.version.min is set to the vulnerable old value (a.k.a. 0).
Expected result:
SSL Version Control should not restore the old version in this case.
Mozilla recommends installing SSL Version Control as a workaround for v33 users, so this bug is significant.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Comment 1 (Reporter) • 10 years ago
Sorry, insert the following step between 4. and 5.:
4.1. Uninstall SSL Version Control.
Comment 2 • 10 years ago
(In reply to Masatoshi Kimura [:emk] from comment #1)
> Sorry, insert the following step between 4. and 5.:
> 4.1. Uninstall SSL Version Control.
That's a critical step to omit :) I agree that this is a bug. The latest Nightly defaults to 1, and the add-on should restore the value to the default (not the value it was prior to installation).
Richard, do you think that you could look at this?
Flags: needinfo?(rlb)
Comment 3 (Reporter) • 10 years ago
The add-on shouldn't restore the min version if it is lower than the default value.
Summary: SSL Version Control rollbacks the min version after Firefox update → SSL Version Control rollbacks the min version on uninstall after Firefox update
Comment 4 (Reporter) • 10 years ago
Or the add-on should reset security.tls.version.min to the default value if the (current) default is larger than ssl-version-control.old.security.tls.version.min.
Comment 5 • 10 years ago
I have uploaded version 0.3 to addons.mozilla.org, which should fix this issue. It should appear as soon as it is reviewed.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(rlb)
Resolution: --- → FIXED
Comment 7 (Reporter) • 10 years ago
SSL Version Control 0.3 still copies back the old version blindly.
https://addons.mozilla.org/en-US/firefox/files/browse/283134/file/bootstrap.js#L50
Updated (Reporter) • 10 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 8 (Reporter) • 10 years ago
Any progress?
Firefox 34 is about to ship.
Comment 9 • 10 years ago
Richard, don't get fancy: void clearUserPref(in string aPrefName);
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIPrefBranch#clearUserPref%28%29
The current code is over-engineered.
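The uninstall options discussed in comments 3, 4 and 9, replayed against the steps to reproduce, as an added example that is not part of the original thread and is not the add-on's bootstrap.js. `PrefStore` is a hypothetical stand-in for the pref service, and the install step (save the old value, then set the minimum to 1) is an assumption about the add-on's behaviour.

```javascript
// Hypothetical model of the pref service (not nsIPrefBranch itself):
// a pref has a build-supplied default and an optional user value that overrides it.
class PrefStore {
  constructor(defaults) {
    this.defaults = new Map(Object.entries(defaults));
    this.user = new Map();
  }
  get(name) { return this.user.has(name) ? this.user.get(name) : this.defaults.get(name); }
  set(name, value) { this.user.set(name, value); }
  clearUserPref(name) { this.user.delete(name); } // named after the real method
  applyUpdate(defaults) { for (const [k, v] of Object.entries(defaults)) this.defaults.set(k, v); }
}

const MIN = "security.tls.version.min";
const SAVED = "ssl-version-control.old.security.tls.version.min";

// Assumed install step: remember the effective value, then raise the minimum.
function install(prefs) {
  prefs.set(SAVED, prefs.get(MIN));
  prefs.set(MIN, 1);
}

// Behaviour reported in this bug: copy the saved value back unconditionally.
function uninstallBlindRestore(prefs) {
  prefs.set(MIN, prefs.get(SAVED));
  prefs.clearUserPref(SAVED);
}

// Comment 9: drop the user value so the current build's default applies.
function uninstallClearPref(prefs) {
  prefs.clearUserPref(MIN);
  prefs.clearUserPref(SAVED);
}

// Comments 3 and 4: restore the saved value only if it exceeds the current default.
function uninstallGuardedRestore(prefs) {
  const saved = prefs.get(SAVED);
  prefs.clearUserPref(MIN); // get(MIN) now returns the current default
  if (saved > prefs.get(MIN)) prefs.set(MIN, saved);
  prefs.clearUserPref(SAVED);
}

// Replays the STR: old build (default 0), install, update (default 1), uninstall.
function replay(uninstall) {
  const prefs = new PrefStore({ [MIN]: 0 });
  install(prefs);
  prefs.applyUpdate({ [MIN]: 1 });
  uninstall(prefs);
  return prefs.get(MIN);
}
```
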
Comment 10 (Reporter) • 10 years ago
I confirmed this with a release version of Firefox. Now the STR is:
1. Install Firefox 33.1.1 (or earlier).
2. Launch Firefox with a fresh profile.
3. Install SSL Version Control 0.3.
4. Update Firefox to 34.
5. Uninstall SSL Version Control.
Actual result:
SSL Version Control 0.3 rolls back the "security.tls.version.min" pref to 0.
Comment 12 (Reporter) • 10 years ago
Fixed by SSL Version Control 0.4.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Updated • 10 years ago
Flags: needinfo?(rlb)