
Re: Iceweasel and web browsers vulnerability concerning poodle.



The maintainers should be reachable at:
pkg-mozilla-maintainers@lists.alioth.debian.org
Perhaps you should also ask them to package the DNSSEC validation plugin for Firefox:
http://www.internetsociety.org/deploy360/resources/how-to-add-dnssec-support-to-mozilla-firefox/
I believe there will be no good security without DNSSEC/DANE, though methods like certificate pinning do already provide some sort of defence against rogue certificates, at least as long as they are issued by a different certification authority:
http://webmasters.stackexchange.com/questions/35597/how-to-find-domain-registrar-and-dns-hosting-with-good-dnssec-support
Basically, the certificate verification workflow as it currently is is seriously flawed:
* warnings on self-signed certificates while there is no warning on non-authenticated http access.
* the DNSSEC plugin does not protect you from references inside a site which are not secured by DNSSEC/DANE
  (afaik only the bloodhound browser does.)
* if https or dnssec/dane is activated it should display a warning as soon as a site does not provide
  encryption and a proper certificate
(perhaps some issues to be reported upstream at bugzilla.mozilla.org)

... apart from the even more compelling issues like the poodle bug, of course.
I would personally also welcome a professional and soon fix/workaround for the poodle bug, though it may just be one of many. Having to do all of it on your own is somewhat more error prone, apart from the fact that only few users will know about it.


On 16.10.14 at 22:17, Yves-Alexis Perez wrote:
> On Thu, 2014-10-16 at 10:28 -0500, Marco Galicia wrote:
>> *shouldn't iceweasel be recompiled to include this option in the
>> compilation settings??*
> You're not asking at the correct place, it's a bit unlikely the
> maintainer read that list.
>
> But in any case, Mozilla themselves intend to disable SSLv3 in future
> Firefox releases.
>
> Regards,
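The thread leaves it to the user to disable SSLv3 in Iceweasel/Firefox until Mozilla ships the change. Below is an added example (not from the mail or from Debian/Mozilla) that checks a profile's prefs.js/user.js for the real `security.tls.version.min` preference, where 0 = SSL 3.0 and 1 = TLS 1.0; it assumes the Firefox 33-era built-in default of 0, so an absent preference still means SSLv3 is allowed. The sample prefs.js content is constructed.

```python
import re
from typing import Dict, Union

# Real Firefox/Iceweasel preference names; the value scale is
# 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.
PREF_MIN = "security.tls.version.min"
VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
# Assumption: the built-in default at the time of POODLE (Firefox 33) was 0.
DEFAULT_MIN = 0

# One prefs.js / user.js statement: user_pref("name", value);  (comments fail to match)
_PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;'
)

PrefValue = Union[bool, int, str]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js-style text; a later line for the same key wins, as in Firefox."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw)
    return prefs


def sslv3_disabled(prefs: Dict[str, PrefValue]) -> bool:
    """True only if the effective minimum protocol version is at least TLS 1.0."""
    value = prefs.get(PREF_MIN, DEFAULT_MIN)
    return isinstance(value, int) and not isinstance(value, bool) and value >= 1


def hardened_line(min_version: int = 1) -> str:
    """The user.js line that raises the floor above SSLv3 (TLS 1.0 by default)."""
    return f'user_pref("{PREF_MIN}", {min_version});'


# Constructed sample profile content, not from a real machine.
SAMPLE_PREFS_JS = """\
// Constructed sample prefs.js
user_pref("browser.startup.homepage", "https://www.debian.org/");
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
"""
SAMPLE_HARDENED = SAMPLE_PREFS_JS + hardened_line() + "\n"
```

Running `sslv3_disabled(parse_prefs(open(path).read()))` over a profile's prefs.js and user.js tells you whether the workaround is actually in effect, and `VERSION_NAMES` maps the stored integer back to a protocol name for reporting.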

