From owner-freebsd-gecko@FreeBSD.ORG Wed Oct 15 02:15:14 2014 Return-Path: Delivered-To: gecko@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C5E74D3C; Wed, 15 Oct 2014 02:15:14 +0000 (UTC) Received: from exodus.zi0r.com (exodus.zi0r.com [71.179.14.195]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "exodus.zi0r.com", Issuer "Gandi Standard SSL CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 98D55973; Wed, 15 Oct 2014 02:15:14 +0000 (UTC) Received: from exodus.zi0r.com (localhost [127.0.0.1]) by exodus.zi0r.com (Postfix) with ESMTP id 682323A0D1; Tue, 14 Oct 2014 22:08:17 -0400 (EDT) X-Virus-Scanned: amavisd-new at zi0r.com Received: from exodus.zi0r.com ([127.0.0.1]) by exodus.zi0r.com (exodus.zi0r.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP id dGBesWpgTlZQ; Tue, 14 Oct 2014 22:08:16 -0400 (EDT) Received: from exodus.zi0r.com (syn.zi0r.com [71.179.14.194]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by exodus.zi0r.com (Postfix) with ESMTPSA id D11773A0C3; Tue, 14 Oct 2014 22:08:14 -0400 (EDT) Date: Tue, 14 Oct 2014 22:08:13 -0400 From: Ryan Steinmetz To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= Subject: Re: POODLE SSLv3 vulnerability Message-ID: <20141015020813.GA5814@exodus.zi0r.com> References: <86iojmgn40.fsf@nine.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Content-Disposition: inline In-Reply-To: <86iojmgn40.fsf@nine.des.no> User-Agent: Mutt/1.5.23 (2014-03-12) Content-Transfer-Encoding: quoted-printable Cc: gecko@freebsd.org, ports-secteam@freebsd.org, chromium@freebsd.org X-BeenThere: freebsd-gecko@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Gecko Rendering Engine issues List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Oct 2014 02:15:14 -0000 On (10/15/14 03:03), Dag-Erling Sm=F8rgrav wrote: >Summary: Google researchers have discovered a plaintext recovery attack >against SSL 3.0 with no known mitigation. > >I would like us to ship Firefox with SSL 3.0 disabled by default. This >means setting security.tls.version.min to 1, or, in terms of code, >changing the initial value of PSM_DEFAULT_MIN_TLS_VERSION from 0 to 1 in >security/manager/ssl/src/nsNSSComponent.cpp. I assume that other >Mozilla ports use the same code and require the same changes. > >Note that this does not preclude the user from changing the setting back >to 0 in about:config. > >I would also like to do the same for Chrome, but I don't know the exact >procedure and I am unable to find out or test, since Chrome has been >broken for several months. > FireFox devs will be disabling SSLv3 by default in the November release o= f Firefox: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-en= d-of-ssl-3-0/ In the interim, they've released an addon to force TLS only: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/ It might be less surprising if we bundle the addon with the current installation. -r >DES >--=20 >Dag-Erling Sm=F8rgrav - des@des.no >_______________________________________________________ >Please think twice when forwarding, cc:ing, or bcc:ing >ports-security-team messages. Ask if you are unsure. --=20 Ryan Steinmetz PGP: 9079 51A3 34EF 0CD4 F228 EDC6 1EF8 BA6B D028 46D7