On Tue, 21 Oct 2014 01:40:45 +0200 Kai Engert <k...@kuix.de> wrote: > On Thu, 2014-10-16 at 20:51 +0200, Kai Engert wrote: > > Do you claim that Firefox 34 will continue to fall back to SSL 3 when > > necessary? > > Yes. If I understand correctly, it seems that Firefox indeed still falls > back to SSL3, even with SSL3 disabled.
Has that been tested, as that seems pretty wrong if that's true?... It's not my understanding at all and would mean that those who have been turning SSLv3 off (via security.tls.version.min) haven't actually been protecting themselves from POODLE. > I found > https://bugzilla.mozilla.org/show_bug.cgi?id=1083058 > which intends to implement a preference to configure the oldest allowed > protocol version to fallback to, with a propose mininum of 1 (TLS1). I always took that patch to be useful for those who need SSLv3 enabled -- as in, if security.tls.version.min was 0, then that patch would effectively protect them from downgrade attacks against sites that support higher TLS versions. ~reed -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto