Bug 1120942: Do not trigger TLS intolerance fallback automatically
Status: RESOLVED DUPLICATE of bug 1084025 (Closed)
Opened 10 years ago, closed 10 years ago
Categories: Core :: Security: PSM, defect
People: Reporter: emk, Unassigned
Attachments (2 files):
- patch (deleted)
- patch (deleted), Dolske: review-
Looks like bug 1084025 is too early to release.
I wrote a patch to add a checkbox to enable non-secure fallback on reload.
Comment 1 • 10 years ago (Reporter)
Attachment #8548199 - Flags: review?(dkeeler)
Comment 2 • 10 years ago (Reporter)
Attachment #8548200 - Flags: review?(dolske)
Comment 3 • 10 years ago
I don't think that it is a good idea to add a UI for this. I am pretty sure it can be avoided. If the rate of page load failure is too high, we can reduce it by whitelisting the most common domain names into automatic fallback. I don't think that whitelist would be too large to manage.
The question is, is the page load failure rate actually too high? What percentage of page loads are failing due to what appears to be TLS intolerance now? And, what is the threshold between an acceptable and an unacceptable rate?
In other words, how was it determined that "bug 1084025 is too early to release"?
Comment 4 • 10 years ago
Comment on attachment 8548200
Add a UI to enable TLS intolerance fallback
Review of attachment 8548200:
-----------------------------------------------------------------
I'm pretty dubious about the value of adding a checkbox. Users are not going to understand what this means or the risks of enabling it. So this is basically going to be read as "Firefox is broken, please make it work like it's supposed to" and everybody loses.
(But if I'm missing context that has been discussed elsewhere, it would be useful to link to it here.)
Attachment #8548200 - Flags: review?(dolske) → review-
Comment on attachment 8548199
Disable TLS intolerance fallback by default and introduce an XPCOM interface to enable the fallback
Review of attachment 8548199:
-----------------------------------------------------------------
Sounds like we're not going to do this, so I'm cancelling review for now.
Attachment #8548199 - Flags: review?(dkeeler)
Comment 6 • 10 years ago
(In reply to Justin Dolske [:Dolske] from comment #4)
> Comment on attachment 8548200
> Add a UI to enable TLS intolerance fallback
>
> Review of attachment 8548200:
> -----------------------------------------------------------------
>
> I'm pretty dubious about the value of adding a checkbox. Users are not going
> to understand what this means or the risks of enabling it. So this is
> basically going to be read as "Firefox is broken, please make it work like
> it's supposed to" and everybody loses.
>
> (But if I'm missing context that has been discussed elsewhere, it would be
> useful to link to it here.)
Most users, but it would make it easy for those who do pay attention to notify sites.
We did this in bug 1084025, so I'm going to go ahead and dup this to that.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE