Kai Engert (:KaiE:) Reporter
	Description • 13 years ago

Regarding CVE-2009-3555, I think the time has come to go one step further.
Let's drop security indicators (identity button) if a site is unpatched.

This is already implemented. This behaviour can be changed by flipping a preference. The identity button will indicate a plain page, and page info will indicate a page with mixed content.

security.ssl.treat_unsafe_negotiation_as_broken currently defaults to false.

I propose to change the default to true.

	Gervase Markham [:gerv]
	Comment 1 • 13 years ago

What percentage (roughly) of SSL sites will this break the security indicators for?

Gerv

	Kai Engert (:KaiE:) Reporter
	Comment 2 • 13 years ago

(In reply to comment #1)
> What percentage (roughly) of SSL sites will this break the security
> indicators for?

According to http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-and-vulnerable-sites the overall percentage of unpatched servers is:

45 %

	Gervase Markham [:gerv]
	Comment 3 • 13 years ago

I think it is highly unlikely that we would make a change which removes the SSL indicators from Facebook, Amazon and Yahoo.

I'm not sure how we can apply more pressure to get people to fix this, but breaking half the SSL web in our browser isn't it IMO.

Gerv

	(mostly gone) XtC4UaLL [:xtc4uall]
	Comment 5 • 11 years ago

(In reply to Kai Engert (:kaie) from comment #2)
> According to
> http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-
> and-vulnerable-sites the overall percentage of unpatched servers is:
> 
> 45 %

Is there any new/more recent Data avaiable as of now?

	Dave Garrett
	Comment 6 • 10 years ago

(In reply to XtC4UaLL [:xtc4uall] from comment #5)
> Is there any new/more recent Data avaiable as of now?

https://www.trustworthyinternet.org/ssl-pulse/
Renegotiation Support:
Secure renegotiation 133,476 87.1%
Insecure renegotiation 7,340 4.8%
Both 2,059 1.3%
No support 10,382 6.8%

Survey is of top 200k SSL supporting sites.

	Dave Garrett
	Comment 7 • 10 years ago

(In reply to Dave Garrett from comment #6)
> Survey is of top 200k SSL supporting sites.

Well, that's what it says on the page anyway. It appears that survey is of a bit over 150k, based on those numbers.

	sjw
	Comment 8 • 9 years ago

I would like to continue here:

Secure renegotiation 136,161 92.8%
Insecure renegotiation 3,944 2.7%
Both 1,454 1%
No support 5,149 3.5%

I'm using security.ssl.require_safe_negotiation now for a while and I don't have that much problems.
I think it's a good time to change, since we also land other warnings for SHA-1, RC4, SSL3, DHE < 1024 etc.

	u570621
	Comment 9 • 8 years ago

6 years now. It is time to stop pretending websites are secure by showing non-degraded security indicator. Flip security.ssl.treat_unsafe_negotiation_as_broken to true.

	Martin Thomson [:mt:]
	Comment 10 • 6 years ago

https://www.ssllabs.com/ssl-pulse/ indicates that this is still an issue of significant magnitude, at least in their survey.  I think that we'd need a shield study for this.

	Darkspirit
	Comment 11 • 6 years ago

Found a culprit: https://www.ssllabs.com/ssltest/analyze.html?d=isp.netscape.com

	Darkspirit
	Comment 12 • 6 years ago

https://www.ebay-kleinanzeigen.de/