Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Julien Pierre
Florian, On 10/16/2014 12:50, Florian Weimer wrote: Neither. I'm talking about the out-of-protocol insecure version negotiation for TLS implemented in Firefox. That's a broader scope than bug 689814, which is strictly about fallback to SSL 3.0. +1 This fallback needs to get removed, yesterday

Re: Announcing Mozilla::PKIX, a New Certificate Verification Library

2014-10-16 Thread treborg2
On Monday, April 7, 2014 6:33:50 PM UTC-4, Kathleen Wilson wrote: > All, > > We have been working on a new certificate verification library for > Gecko, and would greatly appreciate it if you will test this new library > and review the new code. > > Background > > NSS c

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Florian Weimer
* Reed Loden: > On Thu, 16 Oct 2014 20:27:24 +0200 > Florian Weimer wrote: > >> * Richard Barnes: >> >> > If there are any objections or comments on that proposal, please >> > raise them in this thread. >> >> A lot of this has already been hashed out on the IETF TLS WG mailing >> list, with a s

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Reed Loden
On Thu, 16 Oct 2014 20:27:24 +0200 Florian Weimer wrote: > * Richard Barnes: > > > If there are any objections or comments on that proposal, please > > raise them in this thread. > > A lot of this has already been hashed out on the IETF TLS WG mailing > list, with a slightly different perspecti

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Kai Engert
On Thu, 2014-10-16 at 20:27 +0200, Florian Weimer wrote: > A lot of this has already been hashed out on the IETF TLS WG mailing > list, with a slightly different perspective. > > Why is disabling SSL 3.0 acceptable, but getting rid of the broken > fallback which will keep endangering users for a l

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Florian Weimer
* Richard Barnes: > If there are any objections or comments on that proposal, please > raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different perspective. Why is disabling SSL 3.0 acceptable, but getting rid of the broken f

Re: Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Kai Engert
On Thu, 2014-10-16 at 10:31 -0700, Richard Barnes wrote: > By now, you've probably heard about the POODLE attacks on SSLv3, and > our decision to disable SSLv3 by default in Firefox 34 [1]. Several > people have proposed that we also make this change in Firefox ESR 31. > > So I wanted to propos

Proposal: Disable SSLv3 in Firefox ESR 31

2014-10-16 Thread Richard Barnes
Hey all, By now, you've probably heard about the POODLE attacks on SSLv3, and our decision to disable SSLv3 by default in Firefox 34 [1]. Several people have proposed that we also make this change in Firefox ESR 31. So I wanted to propose that we also disable SSLv3 by default in ESR 31 at ab