Confirm
563
edits
Changes
→Action: Update to current situation
==Action==
In order to ascertain that SSL/TLS sessions are protected, most Internet installations deployments using this protocol SSL/TLS must be upgraded to support the new protocol version (currently <cite>draft-rescorla-tls-renegotiation</cite>)enhancement described in RFC 5746.
Firefox has started to support this new protocol version in its experimental version since February 8th, 2010. By now the stable software versions made available by Mozilla will include support in stable product versions as soon as possibleit, too.
Unfortunately, because of the complexity of the flaw and the need to get most of the world to upgrade their servers, it's a tough decision how Firefox should act.
As of February 2010, it would be useless to show a warning indicator to Firefox users in the chrome, because users would be shown warnings for 99·9% of SSL/TLS sites. It would cause confusion among users, and would teach them to ignore this warning, and possibly other similar-looking warnings.
We'd like to wait until a significant percentage of the web has been upgraded to the new protocol version, before we start to show a warning warnings for those servers that still haven't upgraded. (few) <strong>Update</strong>: Unfortunately, as of December 2010, we feel this milestone has still not been reached. Too many servers that still haven't upgraded.)
However, while we wait for most of the web to upgrade, software testers need to know whether a site is vulnerable or not, and evangelists want to push server operators to upgrade their systems.
Therefore Firefox (and other Mozilla products) log information about “potentially vulnerable” servers to the Error console using the message "<site> : server does not support RFC 5746, see CVE-2009-3555".
A test server that supports the new protocol version can be accessed at https://ssltls.de/
