Closed
Bug 1084909
Opened 10 years ago
Closed 10 years ago
Cannot enter in secure page in www.bod.com.ve bank when sslv3 disabled
Categories
(Web Compatibility :: Desktop, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
Nov
People
(Reporter: gabriel2007, Unassigned)
References
Details
(Keywords: regression, Whiteboard: [country-ve] [ssl] )
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20141018030201
Steps to reproduce:
go to www.bod.com.ve and click "inicio de sesion"
Actual results:
An error occurred during a connection to bod.bodmillenium.com. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
Expected results:
Show login / password page to access bank's online system
Reporter
Updated•10 years ago
Hardware: x86 → x86_64
Comment 1•10 years ago
This is the result of bug 1076983.
Setting "security.tls.version.min" to "0" makes it work again.
That change disables only the insecure SSLv3 support, so this report looks invalid/tech evangelism, but moving to Security: PSM for a final decision.
Blocks: POODLE
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: PSM
Ever confirmed: true
Keywords: regression
Product: Firefox → Core
Whiteboard: [invalid ?]
Comment 2•10 years ago
This server really only supports the old and insecure SSLv3
via https://www.ssllabs.com/ssltest/analyze.html?d=bod.bodmillenium.com
Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 No
SSL 3 INSECURE Yes
SSL 2 No
Reporter
Comment 3•10 years ago
Thanks, it's working again!
Comment 4•10 years ago
Gabriel:
Mozilla disabled SSLv3 due to a security issue known as the "POODLE" attack. Google for it if you want to know more about this security issue.
By changing the min version preference back to "0" you are vulnerable to this attack, and you should use this only as a temporary workaround.
Can you contact your bank and report this issue to them?
You can point them to this bug report if it helps.
Comment 5•10 years ago
Note that the server in question comes up as "mitigated" for POODLE, but mitigating this is done by using RC4, which is itself insecure. (and thus why virtually nobody is attempting this)
Someone might want to create a new meta-bug to track SSL3 only servers and attempt to contact their admins to get them upgraded, however honestly, it's probably a lost cause. Anything still SSL3-only at this point is effectively not maintained and it might be impossible to contact anyone in the relevant companies that will care. The only practical route forward is probably just to wait until their users complain to them directly and close these bugs as INVALID.
Comment 7•10 years ago
The https site is down now (http is still up), hopefully to do the transition.
Comment 8•10 years ago
Actually, I tested the wrong site, sorry.
Updated•10 years ago
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Summary: Cannot enter in secure page in www.bod.com.ve bank after update → Cannot enter in secure page in www.bod.com.ve bank when sslv3 disabled
Target Milestone: --- → Nov
Version: 36 Branch → unspecified
Updated•10 years ago
Blocks: POODLEBITE
Updated•10 years ago
Whiteboard: [invalid ?] → [country-ve] [ssl]
Comment 9•10 years ago
Looks like they fixed the site although ssllabs still shows an outdated result. https://bod.bodmillenium.com now supports TLS 1.0 and TLS_RSA_WITH_AES_128_CBC_SHA.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Assignee
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility
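As an added illustration (not part of the bug thread and not Firefox or NSS code), the simplified model below shows why the handshake failed with SSLv3 disabled, why setting security.tls.version.min to 0 restored it, and why the site's later TLS 1.0 configuration connects with the default setting. The function name, the RC4 suite name and the client cipher list are assumptions.

```python
# Added illustration: a simplified negotiation model, not Firefox/NSS code.
# Values of the security.tls.version.min / security.tls.version.max prefs.
PREF_VERSIONS = {0: "SSL 3", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def negotiate(pref_min, pref_max, server_versions, server_ciphers, client_ciphers):
    """Return (version, cipher, warnings); version is None if the handshake fails."""
    offered = [PREF_VERSIONS[v] for v in range(pref_min, pref_max + 1)]
    common = [v for v in offered if v in server_versions]
    if not common:
        # The bug shows Firefox surfacing this case as ssl_error_no_cypher_overlap.
        return None, None, ["no protocol version in common"]
    version = common[-1]  # highest version both sides support
    # Assumption of this model: the server's preference order picks the cipher.
    cipher = next((c for c in server_ciphers if c in client_ciphers), None)
    if cipher is None:
        return None, None, ["no cipher suite in common"]
    warnings = []
    if version == "SSL 3" and "_CBC_" in cipher:
        warnings.append("SSL 3 with a CBC cipher: exposed to POODLE")
    if "RC4" in cipher:
        warnings.append("RC4 is itself insecure")
    return version, cipher, warnings


# Constructed inputs. The SSL 3-only state and the later TLS 1.0 +
# TLS_RSA_WITH_AES_128_CBC_SHA state come from the comments above; the RC4
# suite name and the client cipher list are assumptions.
CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
BEFORE = ({"SSL 3"}, ["TLS_RSA_WITH_RC4_128_SHA"])
AFTER = ({"TLS 1.0"}, ["TLS_RSA_WITH_AES_128_CBC_SHA"])

if __name__ == "__main__":
    cases = [
        ("min=1, SSL 3-only server", 1, BEFORE),
        ("min=0, SSL 3-only server", 0, BEFORE),
        ("min=1, server after the fix", 1, AFTER),
    ]
    for label, pref_min, server in cases:
        print(label, "->", negotiate(pref_min, 3, *server, CLIENT))
```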