[tor-bugs] #21431 [Applications/Tor Browser]: Clean-up system extensions shipped in Firefox 52
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Feb 25 09:52:28 UTC 2017
#21431: Clean-up system extensions shipped in Firefox 52
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, TorBrowserTeam201702 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------------+--------------------------
Comment (by cypherpunks):
disableSHA1rollout add-on removed from the tree
https://bugzilla.mozilla.org/show_bug.cgi?id=1341734
Off-topic (the reason of removal):
> In reaction to Google’s announcement of the first practical SHA-1
collision, Mozilla has remotely disabled the SHA-1 support for all Firefox
users on February 24, 2017
https://www.fxsitecompat.com/en-CA/docs/2016/sha-1-certificates-issued-by-
public-ca-will-no-longer-be-accepted/
So, Mozilla doesn't treat Firefox ESR owners as Firefox users! And they
stay unpatched.
Your fix for #18042 has
{{{
// 2 = allow SHA-1 only before 2016-01-01
pref("security.pki.sha1_enforcement_level", 2);
}}}
({{{ OnlyBefore2016 = 2}}} in CertVerifier.h) which has been
transformed for esr52 into
{{{
// There used to be a policy that only allowed SHA1 for certificates
issued
// before 2016. This is no longer available. If a user has selected
this
// policy in about:config, it now maps to Forbidden.
UsedToBeBefore2016ButNowIsForbidden = 2,
}}}
so it is the proper fix for esr52, but not for esr45.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21431#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list