On 09/30/2011 07:17 AM, Robert Kaiser wrote: > NoOp schrieb: >> I'm not sure I fully understand (or probably ever will)... >> <https://bugzilla.mozilla.org/show_bug.cgi?id=665814> >> {(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 >> (facilitated by websockets -76)] >> doesn't seem to indicate java, but instead nss as being the issue. So, >> "to be clear": is it a java or nss issue? > > Java uses its own TLS stack, which is vulnerable as described in the bug > on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90 > mentions that this has been split off into > https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows > sockets to any site, which can trigger the attack, and Oracle has not > yet made any comments that they even intend to work on the problem. > > The NSS stack is vulnerable in theory, but under our control, so we can > fix it, and will do so. To trigger the attack, HTTPS connection need to > be made in a certain way, though, and we have no code in Firefox or > SeaMonkey right now that does that. Websockets protocol -76 was a way to > trigger that, but we have not been implementing this protocol version > since Firefox 5 and SeaMonkey 2.2, we are now implementing a newer > protocol version of Websockets which cannot trigger that attack. > > So, NSS is basically vulnerable, but we don't have any code that opens > network connections in a way that would actually allow the attack. We > still will fix NSS in future versions so that any change in how we're > doing connections will also not expose us to the attack. (Note that > Chrome is using NSS as well, and they're in the same situation as us > here and will ship probably exactly the same fix in the future.) > > We can't fix Java, and Java applets are exploitable as things stand, so > our only possibility is to reduce/block usage of the vulnerable > versions, which are all we know about right now, and Oracle has not made > any commitment to fixing the problem in future versions. > > I hope that explains the problem enough. > > Robert Kaiser > >
It does indeed. Thanks for the details Robert. _______________________________________________ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey