Bug#611461: iceweasel still does insecure ssl renegotiation?!
Stefan Fritsch
sf at sfritsch.de
Sat Jan 29 17:47:38 UTC 2011
On Saturday 29 January 2011, Christoph Anton Mitterer wrote:
> It seems that iceweasel still is vulnerable to the SSL
> renegotiation attack, as it is simply configured by default to allow
> the vulnerable renegotiation:
This has to be balanced between compatibility and security. Currently
less than 50% of the servers on the internet are patched. So it is
sensible to not deny renegotiation for unpatched servers.
Patched servers usually won't allow insecure renegotiation, anyway.
There are also many servers that don't allow renegotiation at all. So
the problem is mostly about the browser knowing if the remote server
is secure.
> security.ssl.require_safe_negotiation;true
FWIW, this setting is about negotiation, not about _re_negotiation.
You probably want to change
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
instead.
It will take a lot longer until security.ssl.require_safe_negotiation
can be switched on by default. Look at how long it took for SSLv2 to
disappear.
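As an added example (not part of the thread), a small Python audit that parses a prefs.js/user.js profile file and reports whether the two preferences distinguished above are set to the safer values. The defaults applied when a preference is absent are an assumption based on Firefox 3.6-era builds; check about:config on your own build.

```python
import re

# Assumed Firefox 3.6-era defaults for the two prefs discussed in the thread.
DEFAULTS = {
    "security.ssl.require_safe_negotiation": False,
    "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref": True,
}

# Matches lines such as: user_pref("security.ssl.require_safe_negotiation", true);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

def parse_prefs(text):
    """Parse prefs.js/user.js text into a dict of pref name -> Python value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def renegotiation_posture(prefs):
    """Return (allows_unrestricted_renego, requires_safe_negotiation), applying defaults."""
    merged = dict(DEFAULTS)
    merged.update(prefs)
    allow = merged["security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref"]
    require = merged["security.ssl.require_safe_negotiation"]
    return allow, require

def audit(text):
    """Return a list of findings for a prefs file; empty when both controls are set."""
    allow, require = renegotiation_posture(parse_prefs(text))
    findings = []
    if allow:
        findings.append("unrestricted (legacy) renegotiation is still allowed")
    if not require:
        findings.append("safe negotiation (RFC 5746) is not required")
    return findings

# Constructed sample: a profile that only flipped require_safe_negotiation, as in the bug report.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("network.http.pipelining", false);'''
```

Running `audit(SAMPLE_PREFS_JS)` on the sample reports only the renegotiation finding, which is the point of the reply: the negotiation pref alone does not restrict legacy renegotiation.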