Inacceptable changes in latest version 39
Dear Sirs,
by disabling SSLv3 you make it impossible to do my work.
I try to log in to our routers via https, and I receive the error: ssl_error_unsupported_version
Until now I always had the possibility of changing the settings. I learned that this is not possible anymore.
All security discussions are well-known and accepted as our own risk.
Instead of serving my customer I have to deal with this unnecessary problems, (downgrade to the the previous version, writing angry emails), which costs me my time and nervs.
Background: there is equipment we are administering remotely, management is done via https. with out of date SSL implementation. This equipment cannot be changed or updated.
It is a bad, bad idea to simply remove functionality without offering a workaround.
UL
Modified by ul66115
All Replies (6)
I suspect you are seeing the ramifications of a serious security flaw that was fixed in Firefox 39. http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/
https://www.reddit.com/r/firefox/comments/3coba7/firefox_39_completely_breaks_older_sslv3_pages/
The "simple" SSLv3 flaw discovery revelation is going on a year old and the subsequent fix was in Firefox 34. https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
See if this posting helps you. https://support.mozilla.org/en-US/questions/1070117#answer-748673
"Instead of serving my customer I have to deal with this unnecessary problems, ..." I wouldn't worry about that, if their server gets "hit" and is exploited - they'll blame you for not advising them better about their lax security, and these "unnecessary problems" will be the least of your worries when you're looking for a new job. Proactive vs reactive ....
There are routers out there managed over http and https.
You think that you can increase security by crippling Firefox? I expect that I can use a new version of Firefox (with appropriate settings) the same way I did i previous versions, otherwise I can't use it, sorry!
Who pays for exchanging ~2000 routers, just because Mozilla decided to disable sslv3? It should be exactlxy as safe or unsafe as using html, but it should work!
UL66115
Modified by ul66115
hello, not mozilla alone but the IETF decided that SSLv3 is to be deprecated: https://tools.ietf.org/html/rfc7568
if you have a special usecase to manage routers through the unsecure protocol then it's best to set-up a portable version of firefox 38 esr just for that purpose... http://portableapps.com/apps/internet/firefox-portable-esr
Hello,
thank you for your reply.
Why this paternalism? "Deprecated" does not mean unsupported.
The only acceptable way is to explicitely allow sslv3 via about:config.
I will not install different versions of Firefox, when I can use different profiles with different settings, as I do now.
I know there are many users who agree with me.
Please listen to us, we're just poor little administrators trying to do our job ;-)
UL66115
While this is an unfortunate side effect, SSLv3 is a protocol that was released in 1996 (nearly 20 years ago) and has had multiple updates since then (TLS 1, 1.1, 1.2 and soon 1.3). When you own technology that does not support modern security standards, you need to accept that fact that the rest of the world is not standing still. If there really are no firmware updates for your routers, and you can't convince the customer to update them (if they only support SSLv3 than I can't imagine what other security holes this network has) then I'd suggest you download a portable Apps version of Firefox 38 and use it to only access the router, and use modern browsers for everything else.
to cite from the document (which is setting standards for browser vendors): "SSLv3 MUST NOT be used. Negotiation of SSLv3 from any version of TLS MUST NOT be permitted." - meaning that SSLv3 will become unsupported in all modern browsers...