On Fri, Oct 21, 2016 at 3:05 AM, <keithgallis...@gmail.com> wrote:
> My point for the above paragraph is that even if Mozilla stops security
> updates for ESR 52, these computers will still need to get around on the
> Internet. These machines will still need to do log ins and banking. The world
> isn't the same as back in the day when Netscape 4 roamed the web or even in
> 2008 when Mozilla dropped support for Windows 98 SE with 2.0.0.20. Part of
> securing the web means making sure that every server has a digital
> certificate with Let's Encrypt. But that part only works if the browser has
> up to date TLS and digital certificates. What happens to Vista and XP on ESR
> 52 or even OSX 10.6-10.8 on ESR 45 when a POODLE style attack drives everyone
> from TLS 1.2 to TLS 1.3 with no fall back? What happens when older
> certificates are found to have been compromised by a third party like a crime
> syndicate or government intelligence agency? Do ESR 52 and ESR 45 get stuck
> with corrupted certificates while the latest versions of Firefox get their
> certificates refreshed?

No. These machines should not be on the Internet anymore. If the operating
system vendor is no longer supporting their product with security releases,
an out-of-date TLS stack is a minor problem compared to the remote code
execution that's going to pwn the machine.

- Kyle
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform