* Reed Loden:

> On Thu, 16 Oct 2014 20:27:24 +0200
> Florian Weimer <f...@deneb.enyo.de> wrote:
>
>> * Richard Barnes:
>>
>> > If there are any objections or comments on that proposal, please
>> > raise them in this thread.
>>
>> A lot of this has already been hashed out on the IETF TLS WG mailing
>> list, with a slightly different perspective.
>>
>> Why is disabling SSL 3.0 acceptable, but getting rid of the broken
>> fallback which will keep endangering users for a long time to come is
>> not?
>
> Are you talking about implementing TLS_FALLBACK_SCSV (bug 1036737) or
> disabling the insecure TLS version fallback to SSLv3 (bug 689814)?
Neither. I'm talking about the out-of-protocol insecure version
negotiation for TLS implemented in Firefox. That's a broader scope than
bug 689814, which is strictly about fallback to SSL 3.0.

I suspect you think it is necessary based on bogus telemetry. There will
be some breakage, but I doubt it will be more than the fallout from
disabling SSL 3.0 by default. And the long-term benefits are so much
greater.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
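The mechanism the two messages above argue about, as an added simulation that is not part of the thread and not Firefox or NSS code: a client that does out-of-protocol fallback (reconnecting with a lower version after any handshake failure), an active attacker who drops ClientHellos to force that fallback, and a server that applies the TLS_FALLBACK_SCSV rule from RFC 7507 (abort with inappropriate_fallback when the SCSV is present and the offered version is below the server's maximum). The Server, Network and connect_with_fallback names, the version-intolerant server flag and the filler cipher suite are assumptions made for the example; the SCSV value 0x5600 and alert code 86 are from RFC 7507.

```python
"""Simulation of out-of-protocol TLS version fallback and of the
TLS_FALLBACK_SCSV check (RFC 7507). Added example, not Firefox/NSS code;
the classes and the intolerant-server flag are illustrative assumptions.
"""
from dataclasses import dataclass

# Protocol versions as (major, minor) wire values; tuples compare in order.
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

TLS_FALLBACK_SCSV = 0x5600            # RFC 7507 signalling cipher suite value
ALERT_PROTOCOL_VERSION = 70           # RFC 5246 alert: no common version
ALERT_INAPPROPRIATE_FALLBACK = 86     # RFC 7507 alert
AES128_SHA = 0x002F                   # TLS_RSA_WITH_AES_128_CBC_SHA, filler suite


class FatalAlert(Exception):
    """A fatal TLS alert sent by the server; the client must not retry."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


@dataclass
class Server:
    max_version: tuple
    supports_scsv: bool = True
    version_intolerant: bool = False   # assumed bug: resets on an unknown version

    def client_hello(self, client_version, cipher_suites):
        """Return the negotiated version, or raise an alert / connection reset."""
        if self.version_intolerant and client_version > self.max_version:
            raise ConnectionResetError("buggy server: unknown ClientHello version")
        if (self.supports_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            # RFC 7507 section 3: the client says this is a fallback, yet it
            # offers less than we support, so an earlier handshake was interfered with.
            raise FatalAlert(ALERT_INAPPROPRIATE_FALLBACK)
        return min(client_version, self.max_version)


class Network:
    """Path between client and server. An active attacker can drop every
    ClientHello whose version is above a threshold, forcing the client down."""
    def __init__(self, attacker_drops_above=None):
        self.attacker_drops_above = attacker_drops_above

    def send(self, server, client_version, cipher_suites):
        if (self.attacker_drops_above is not None
                and client_version > self.attacker_drops_above):
            raise ConnectionResetError("dropped by attacker")
        return server.client_hello(client_version, cipher_suites)


def connect_with_fallback(server, network, send_scsv,
                          versions=(TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0)):
    """Out-of-protocol fallback: after any failed handshake, reconnect and
    offer the next lower version. Returns the negotiated version, or the
    alert code that made the client stop."""
    for attempt, version in enumerate(versions):
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)   # flag this hello as a fallback
        try:
            return network.send(server, version, suites)
        except ConnectionResetError:
            continue                           # the fallback dance: go one lower
        except FatalAlert as alert:
            return alert.code                  # an alert is authoritative: stop
    return ALERT_PROTOCOL_VERSION


if __name__ == "__main__":
    modern = Server(max_version=TLS_1_2)
    honest, mitm = Network(), Network(attacker_drops_above=SSL_3_0)
    print(connect_with_fallback(modern, honest, send_scsv=False))  # (3, 3)
    print(connect_with_fallback(modern, mitm, send_scsv=False))    # (3, 0): downgraded
    print(connect_with_fallback(modern, mitm, send_scsv=True))     # 86: detected
```

The four cases worth comparing are a clean path (TLS 1.2), an attacker dropping everything above SSL 3.0 against a client without the SCSV (silent downgrade to SSL 3.0), the same attacker against a client that sends the SCSV to a server that checks it (alert 86, handshake refused), and the same SCSV-sending client against a server that ignores unknown suites (downgrade succeeds again). The SCSV only helps when both ends implement it; removing the out-of-protocol retry closes the hole for every server, which is the distinction the reply draws between bug 1036737 and bug 689814.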