Opened 5 years ago

Closed 5 years ago

#6740 closed enhancement (fixed)

provide opt-out from security.ssl.require_safe_negotiation=true ?

Reported by: tagnaq
Owned by: ioerror
Priority: Medium
Milestone:
Component: Applications/TorBirdy
Version:
Severity:
Keywords:
Cc: sukhbir
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Should we provide an opt-out option for poor Yahoo [1] (and potentially others) users?
(This might be a requirement for a successful AMO review anyway...)

Also: Is Yahoo the only one (throughout the big freemailers) that doesn't support secure reneg.?
What is currently the overall situation? How many freemailers/users are we excluding with this setting [2]?

[1] https://lists.torproject.org/pipermail/tor-talk/2012-August/025411.html
[2] https://github.com/ioerror/torbirdy/blob/master/components/torbirdy.js#L127
https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation

Change History (3)

comment:1 Changed 5 years ago by sukhbir

We couldn't test Yahoo with TorBirdy because their free service doesn't allow POP/IMAP access. I am guessing, had this been an issue with other free mailers, we would have probably heard from someone else by now.

As far as the AMO review is concerned, even if we allow the user to toggle this single preference, this would just be one of the many security and network related preferences the AMO wants us to have an opt-out for, so let's not worry about that yet ;)

So the question is, given that this is an important security setting, should we have a special case for free mailer services such as Yahoo or should we force the user to upgrade to a more secure service?

comment:2 Changed 5 years ago by tagnaq

Hi Jake,

thanks for CC'ing security@… [1], did you get any answer?

[1] https://lists.torproject.org/pipermail/tor-talk/2012-September/025426.html

comment:3 Changed 5 years ago by sukhbir

Resolution: fixed
Status: new → closed

$ openssl s_client -connect smtp.mail.yahoo.com:465
Secure Renegotiation IS supported

Looks like Yahoo fixed this :)

We didn't have this issue with any of the other freemailers (no other reports), so calling this ticket fixed.
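
The manual `openssl s_client` check from comment:3 can be repeated across several mail servers to see which ones the setting would exclude. The script below is an added example, not part of the ticket or of TorBirdy; the function names and the trimmed sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify `openssl s_client` output by secure renegotiation (RFC 5746) support.

# Reads s_client output on stdin and prints one of:
#   safe | unsafe | tls13 | unknown
classify_reneg() {
    local out
    out=$(cat)
    # TLS 1.3 has no renegotiation, so the s_client line does not apply there.
    if printf '%s\n' "$out" | grep -Eq '^(New, TLSv1\.3,|[[:space:]]*Protocol[[:space:]]*: TLSv1\.3)'; then
        echo tls13
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo unsafe
    elif printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS supported'; then
        echo safe
    else
        # Connection failure or output without the renegotiation line.
        echo unknown
    fi
}

# Live check of one host:port (needs network access and the openssl CLI).
check_host() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | classify_reneg
}

# Constructed sample outputs, trimmed to the lines the classifier reads.
SAMPLE_SAFE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported'
SAMPLE_UNSAFE='New, TLSv1/SSLv3, Cipher is RC4-MD5
Secure Renegotiation IS NOT supported'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported'

# Usage: ./check_reneg.sh host:port [host:port ...]
for target in "$@"; do
    printf '%s\t%s\n' "$target" "$(check_host "$target")"
done
```

A result of `unsafe` marks a server that a client with `security.ssl.require_safe_negotiation=true` would be unable to use; `unknown` means the check itself did not complete and should be retried.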