Looking for comments about the feasibility of breaking up Firefox TLS/SSL-handling code into easily removable sections.

I want to fully separate NSS code from code that handles:

1) MD5 signature handling
2) SHA1 signature handling
3) RSA key exchange
4) CBC mode
5) RC4 ciphers
6) SSLv3
7) TLSv1.0, TLSv1.1
8) SEED, IDEA, 3DES, Camellia cyphers
9) Secondary/Fallback handshake
10) Insecure TLS version feedback

and likely others.

The intention is to phase out and eventually remove support for all of the above. Disabling those technologies in browser options is insufficient. FREAK-like attacks will exploit holes in the disabling mechanism to reenable them. Alternatively, malware, misguided forks, or clueless users will change those settings for the worse. Removing code from the source code is the only secure way. This also helps code maintainability, review, and certifiability.

To facilitate easier code removal, the code needs to be properly separated first - and that is the goal of this project.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto