[HTTPS-Everywhere] Fwd: URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere --- RE: HTTPS Everywhere doesn't cover all Facebook sub domains

Chris Palmer chris at eff.org
Fri May 6 12:47:03 PDT 2011


On May 6, 2011, at 12:04 PM, Peter Eckersley wrote:

> It turns out there are a lot of people out there who have accidentally
> misconfigured their Firefoxes to not support TLS/SSLv3.  Removing SSLv2
> support altogether makes https://www.eff.org completely inaccessible to these
> people, but I guess that's a problem we're going to have to live with.

Well, last time we turned off SSL v2, we got about 7 or 8 tech support complaints in two weeks. I handled them, but I won't do it again because it's not a good use of my time. We could ignore them, or we could set up an error page saying, "Hey there, you're using SSL v2 somehow, even though your browser disables it by default. Stop that; here's how to fix it."

Does anyone know the Apache configuration file magic required to make Apache send an error page when people connect with SSL v2, and to send that error page only on SSL errors and not other pages?


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code
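
An added example, not part of the original message: a Python sketch that classifies the first bytes a client sends to an HTTPS port, separating the SSL v2-only clients discussed above from clients that only wrap an SSLv3/TLS offer in a v2-format hello. The function names and sample bytes are constructed for illustration.

```python
import struct

def build_v2_hello(version, cipher_specs, challenge):
    """Build an SSLv2-format CLIENT-HELLO (constructed test input)."""
    body = bytes([0x01, *version])                       # msg type 1, version
    body += struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge                     # no session id
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header

def classify_first_bytes(data):
    """Label the opening bytes of a connection to an HTTPS port."""
    # SSLv3/TLS record layer: content type 0x16 (handshake), major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "ssl3-tls"
    # A v2-format hello uses the 2-byte record header (high bit set),
    # followed by 9 fixed bytes: type, version, three length fields.
    if len(data) < 11 or not data[0] & 0x80:
        return "unknown"
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg_type, major, minor, n_spec, n_sid, n_chal = struct.unpack(
        ">BBBHHH", data[2:11])
    if msg_type != 1 or length != 9 + n_spec + n_sid + n_chal:
        return "unknown"
    if (major, minor) == (0, 2):
        return "sslv2-only"        # client offers nothing newer than SSL v2
    if major == 3:
        return "sslv2-compat"      # v2 framing, but SSLv3/TLS is on offer
    return "unknown"

# Constructed samples (not captured traffic).
CHALLENGE = bytes(range(16))
V2_ONLY = build_v2_hello((0, 2), bytes.fromhex("0100800700c0"), CHALLENGE)
V2_COMPAT = build_v2_hello((3, 1), bytes.fromhex("00000400000a"), CHALLENGE)
TLS_PREFIX = bytes.fromhex("16030100310100002d0301")

if __name__ == "__main__":
    for name, sample in [("v2-only", V2_ONLY), ("v2-compat", V2_COMPAT),
                         ("tls", TLS_PREFIX), ("http", b"GET / HTTP/1.0\r\n")]:
        print(name, "->", classify_first_bytes(sample))
```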



