NoOp schrieb:
I'm not sure I fully understand (or probably ever will)...
<https://bugzilla.mozilla.org/show_bug.cgi?id=665814>
{(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0
(facilitated by websockets -76)]
doesn't seem to indicate java, but instead nss as being the issue. So,
"to be clear": is it a java or nss issue?
Java uses its own TLS stack, which is vulnerable as described in the bug
on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90
mentions that this has been split off into
https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows
sockets to any site, which can trigger the attack, and Oracle has not
yet made any comments that they even intend to work on the problem.
The NSS stack is vulnerable in theory, but under our control, so we can
fix it, and will do so. To trigger the attack, HTTPS connection need to
be made in a certain way, though, and we have no code in Firefox or
SeaMonkey right now that does that. Websockets protocol -76 was a way to
trigger that, but we have not been implementing this protocol version
since Firefox 5 and SeaMonkey 2.2, we are now implementing a newer
protocol version of Websockets which cannot trigger that attack.
So, NSS is basically vulnerable, but we don't have any code that opens
network connections in a way that would actually allow the attack. We
still will fix NSS in future versions so that any change in how we're
doing connections will also not expose us to the attack. (Note that
Chrome is using NSS as well, and they're in the same situation as us
here and will ship probably exactly the same fix in the future.)
We can't fix Java, and Java applets are exploitable as things stand, so
our only possibility is to reduce/block usage of the vulnerable
versions, which are all we know about right now, and Oracle has not made
any commitment to fixing the problem in future versions.
I hope that explains the problem enough.
Robert Kaiser
--
Note that any statements of mine - no matter how passionate - are never
meant to be offensive but very often as food for thought or possible
arguments that we as a community should think about. And most of the
time, I even appreciate irony and fun! :)
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey