On Thu, 16 Oct 2014 20:27:24 +0200 Florian Weimer <f...@deneb.enyo.de> wrote:
> * Richard Barnes: > > > If there are any objections or comments on that proposal, please > > raise them in this thread. > > A lot of this has already been hashed out on the IETF TLS WG mailing > list, with a slightly different perspective. > > Why is disabling SSL 3.0 acceptable, but getting rid of the broken > fallback which will keep endangering users for a long time to come is > not? Are you talking about implementing TLS_FALLBACK_SCSV (bug 1036737) or disabling the insecure TLS version fallback to SSLv3 (bug 689814)? The former is riding the release trains and should be in Firefox 35. The latter is no longer needed now that SSLv3 is disabled (though I guess it could still be implemented for those people who require SSLv3 still be enabled). ~reed -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto