POODLE SSLv3 vulnerability
Dag-Erling Smørgrav
des at des.no
Wed Oct 15 01:04:02 UTC 2014
Summary: Google researchers have discovered a plaintext recovery attack
against SSL 3.0 with no known mitigation.
I would like us to ship Firefox with SSL 3.0 disabled by default. This
means setting security.tls.version.min to 1, or, in terms of code,
changing the initial value of PSM_DEFAULT_MIN_TLS_VERSION from 0 to 1 in
security/manager/ssl/src/nsNSSComponent.cpp. I assume that other
Mozilla ports use the same code and require the same changes.
Note that this does not preclude the user from changing the setting back
to 0 in about:config.
I would also like to do the same for Chrome, but I don't know the exact
procedure and I am unable to find out or test, since Chrome has been
broken for several months.
DES
--
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-gecko
mailing list