Confirm, emeritus
969
edits
Changes
make it clear that disabling session renegotiation is something that has to happen on the SERVER
==Scope==
In order to allow the attack to work, a SSL/TLS protocol feature must be enabled which is called <cite>session renegotiation</cite>must be enabled on the server.
One way to protect against the attack is to disable this featuresession renegotiation on the server. Hopefully ,most Internet servers that do not yet support RFC 5746 have followed the recommendation and disabled the renegotiation feature.
<strong>Unfortunately, when using the present, flawed SSL/TLS protocol version, it is not possible to determine whether a site is protected or vulnerable(i.e whether session renegotiation is enabled or disabled on the server).</strong>
Because of this uncertainty, when using the existing SSL/TLS protocol versions, Firefox does not know whether a server it communicates with is vulnerable. Firefox, therefore, is unable to determine whether a connection has been attacked.
