Closed
Bug 1139778
Opened 10 years ago
Closed 10 years ago
Hide 3DES from the first handshake
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: emk, Unassigned)
References
Details
Attachments
(2 files)
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
keeler
:
review-
|
Details | Diff | Splinter Review |
I thought this would not make sense (see bug 1074130), but apparently I was wrong. See bug 1139756 why this helps.
Reporter | ||
Updated•10 years ago
|
Reporter | ||
Updated•10 years ago
|
Reporter | ||
Updated•10 years ago
|
Reporter | ||
Comment 1•10 years ago
|
||
This is straightforward for beta.
Attachment #8574213 -
Flags: review?(dkeeler)
Reporter | ||
Comment 2•10 years ago
|
||
For Nightly and Aurora, we need more changes because we disabled fallback for non-whitelisted site.
This patch will restore the fallback almost everywhere, but it will not enable RC4 in the fallback handshake unless the site is whitelisted.
I will not land this if bug 1139756 and bug 1116893 is fixed early enough.
Reporter | ||
Updated•10 years ago
|
Attachment #8574216 -
Flags: review?(dkeeler)
Reporter | ||
Comment 3•10 years ago
|
||
(In reply to Masatoshi Kimura [:emk] from comment #2)
> This patch will restore the fallback
Only RC4 fallback will be restored. The version fallback will be still disabled.
Comment on attachment 8574216 [details] [diff] [review]
patch (nightly and aurora)
Review of attachment 8574216 [details] [diff] [review]:
-----------------------------------------------------------------
If I understand correctly, this is to work around a few servers that claim to support 3DES but if it's actually negotiated, they fail. I don't think it's worth the added complexity to handle these broken servers. I would support deprecating 3DES, but we could do that simply by flipping the enabled-by-default-bit (alternatively, we could treat it as a weak cipher like RC4).
Attachment #8574216 -
Flags: review?(dkeeler) → review-
Comment on attachment 8574213 [details] [diff] [review]
patch (beta only)
Review of attachment 8574213 [details] [diff] [review]:
-----------------------------------------------------------------
I would support doing this, but we should investigate the telemetry to see if it's reasonable and we shouldn't uplift straight to beta if we do so. It's probably not worth doing this while we're also deprecating SSL 3 and RC4. I imagine the added complexity would make that already difficult task even more difficult.
Attachment #8574213 -
Flags: review?(dkeeler)
Reporter | ||
Comment 6•10 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> I would
> support deprecating 3DES, but we could do that simply by flipping the
> enabled-by-default-bit (alternatively, we could treat it as a weak cipher
> like RC4).
The usage rate of 3DES is still too high to use whitelist [1].
[1] https://tools.ietf.org/agenda/91/slides/slides-91-saag-3.pdf#page=12
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•