2

As of Firefox 39, Mozilla has dropped support for SSL3 and RC4... and whitelisted 519 (!) non-compliant sites: (https://mxr.mozilla.org/mozilla-release/source/security/manager/ssl/src/IntolerantFallbackList.inc), including such juicy ones as:

login.chicagopolice.org
partnerweb.vmware.com
www2.bancobrasil.com.br
www.publicjobs.ie
www.londonstockexchange.com
www.americanairlines.com
starbucks.com

(and a bunch of others - financial institutions, media companies, whatever rocks the boat).

How should the users be made aware of the remaining security holes?

Bugzilla discussion for ref: https://bugzilla.mozilla.org/show_bug.cgi?id=1128227

Deer Hunter
  • 1
    I'm voting to close this down: there is no answer to that question that isn't a direct consequence of your own activities. – Stephane Jul 06 '15 at 07:52
  • 3
    I'm afraid that it isn't solving the fundamental problem: this question cannot be answered without taking into account the environment. At best it could trigger a discussion but that isn't what this site is for. – Stephane Jul 06 '15 at 07:57
  • The fundamental problem is with Mozilla. Do they charge money for leaving the sites available through Firefox? – Deer Hunter Jul 06 '15 at 08:03
  • Related: https://security.stackexchange.com/questions/23646/should-we-force-user-to-https-on-website (same province/question modality) – Deer Hunter Jul 06 '15 at 09:07
  • 3
    Actually the release notes were wrong. RC4 is STILL GLOBALLY ENABLED. It's a bug. See [this tweet](https://twitter.com/selecadm/status/617100745909870592) (Archived [here](https://archive.is/hyK60).) – StackzOfZtuff Jul 06 '15 at 09:15

0 Answers