==Action==
To ensure that SSL/TLS sessions are protected against the renegotiation attack, Internet deployments using SSL/TLS must be upgraded to support the protocol extension described in RFC 5746 (Transport Layer Security Renegotiation Indication Extension).

Firefox has supported this extension in its experimental builds since February 8th, 2010. By now the stable releases made available by Mozilla support it, too.

Unfortunately, because of the complexity of the flaw and the need to get most of the world to upgrade their servers, it is a tough decision how Firefox should behave when it encounters a server that still lacks the extension.
As of February 2010, it would be useless to show a warning indicator to Firefox users in the chrome, because users would be shown warnings for 99.9% of SSL/TLS sites. It would cause confusion among users, and would teach them to ignore this warning, and possibly other similar-looking warnings.

We'd like to wait until a significant percentage of the web has been upgraded to the new extension, before we start to show warnings for those servers that still haven't upgraded.

(<strong>Update</strong>: Unfortunately, as of December 2010, we feel this milestone has still not been reached. Too many servers still haven't upgraded.)

However, while we wait for most of the web to upgrade, software testers need to know whether a site is vulnerable or not, and evangelists want to push server operators to upgrade their systems.
Therefore Firefox (and other Mozilla products) log information about “potentially vulnerable” servers to the Error Console using the message "<site> : server does not support RFC 5746, see CVE-2009-3555".

You still get this warning for many servers. Please use this information to discover which sites have not yet been upgraded, and which therefore cannot be verified by the client to be immune against the attack.

A test server that supports the new extension can be accessed at https://ssltls.de/
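The check behind that console message is the one RFC 5746 section 3.4 requires of every client: on an initial handshake the ClientHello advertises renegotiation_info (and/or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite), and the ServerHello must answer with a renegotiation_info extension whose renegotiated_connection field is empty. A server that omits the extension cannot be verified as immune. The following Python 3 script is an added example written for this page; it is not Mozilla or NSS code. It builds a minimal TLS 1.2 ClientHello by hand, sends it to hosts named on the command line (a hypothetical usage; any hostname works), and parses the first ServerHello for the extension. The sample ServerHello it also builds is constructed for offline demonstration, not captured from any real server.

```python
import os
import socket
import struct
import sys

RENEGOTIATION_INFO = 0xFF01   # extension type from RFC 5746
EMPTY_RENEG_SCSV = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value


def _u8(n):  return struct.pack("!B", n)
def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]
def _ext(ext_type, body): return _u16(ext_type) + _u16(len(body)) + body


def build_client_hello(server_name):
    """TLS record carrying a TLS 1.2 ClientHello that signals RFC 5746 both ways:
    the SCSV in the cipher suite list and an empty renegotiation_info extension."""
    suites = [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035, EMPTY_RENEG_SCSV]
    sni_entry = _u8(0) + _u16(len(server_name)) + server_name.encode("idna")
    exts = (
        _ext(0x0000, _u16(len(sni_entry)) + sni_entry)              # server_name
        + _ext(0x000A, _u16(6) + _u16(0x001D) + _u16(0x0017) + _u16(0x0018))  # supported_groups
        + _ext(0x000B, _u8(1) + _u8(0))                              # ec_point_formats
        + _ext(0x000D, _u16(8) + b"\x04\x01\x05\x01\x06\x01\x04\x03")  # signature_algorithms
        + _ext(RENEGOTIATION_INFO, _u8(0))                           # renegotiated_connection = empty
    )
    body = (
        _u16(0x0303) + os.urandom(32) + _u8(0)                       # version, random, no session id
        + _u16(2 * len(suites)) + b"".join(_u16(s) for s in suites)
        + _u8(1) + _u8(0)                                            # compression: null only
        + _u16(len(exts)) + exts
    )
    handshake = _u8(1) + _u24(len(body)) + body                      # HandshakeType client_hello
    return _u8(22) + _u16(0x0301) + _u16(len(handshake)) + handshake  # record layer


def parse_server_hello_extensions(data):
    """Return {ext_type: body} from the ServerHello in the first TLS record; raise on alerts/garbage."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    if ctype == 21:
        raise ValueError("server sent alert %r" % data[5:7])
    if ctype != 22:
        raise ValueError("unexpected record type %d" % ctype)
    rec = data[5:5 + rec_len]
    if rec[0] != 2:
        raise ValueError("expected ServerHello, got handshake type %d" % rec[0])
    hello = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 2 + 32                                  # server_version + random
    pos += 1 + hello[pos]                         # session_id
    pos += 2 + 1                                  # cipher_suite + compression_method
    exts = {}
    if pos < len(hello):                          # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            t, l = struct.unpack("!HH", hello[pos:pos + 4])
            exts[t] = hello[pos + 4:pos + 4 + l]
            pos += 4 + l
    return exts


def supports_rfc5746(server_hello_bytes):
    """RFC 5746 3.4: on an initial handshake the server must echo renegotiation_info
    with an empty renegotiated_connection, i.e. the single length byte 0x00."""
    return parse_server_hello_extensions(server_hello_bytes).get(RENEGOTIATION_INFO) == b"\x00"


def build_sample_server_hello(with_reneg_info):
    """Constructed ServerHello for offline demonstration (not captured from a real server)."""
    exts = _ext(RENEGOTIATION_INFO, b"\x00") if with_reneg_info else b""
    body = _u16(0x0303) + bytes(32) + _u8(0) + _u16(0xC02F) + _u8(0)
    if exts:
        body += _u16(len(exts)) + exts
    handshake = _u8(2) + _u24(len(body)) + body
    return _u8(22) + _u16(0x0303) + _u16(len(handshake)) + handshake


def probe(host, port=443, timeout=10):
    """Connect, send the ClientHello, read the first full record and classify the server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        buf = b""
        while len(buf) < 5 or len(buf) < 5 + struct.unpack("!H", buf[3:5])[0]:
            chunk = s.recv(16384)
            if not chunk:
                break
            buf += chunk
    return supports_rfc5746(buf)


if __name__ == "__main__":
    for host in sys.argv[1:]:
        if probe(host):
            print("%s : server supports RFC 5746" % host)
        else:
            print("%s : server does not support RFC 5746, see CVE-2009-3555" % host)
```

Run it as `python3 reneg_check.py ssltls.de` to see the positive case against the test server mentioned above; a server that answers without the extension produces the same wording Firefox writes to its Error Console. The script deliberately does not offer TLS 1.3, because a 1.3 handshake has no renegotiation and therefore nothing to check; the point of the probe is what a 1.0 to 1.2 server does.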