[tptacek]

Huge props to the Chromium team for doing this; it's an excellent precedent.

SSLv3 is broken, and the only reason it's been so well-supported is that the browsers were unwilling to break web servers; the operators of those servers can't be counted on to fix them, and users direct their ire at the browser vendors. But apparently there's a red line across which the browsers won't make up for broken server configurations, and POODLE crossed it.

[aroch]

Just to add, Firefox announced two weeks ago that SSLv3 would be disabled by default in Firefox v34[1], around late November.

[1] https://blog.mozilla.org/security/2014/10/14/the-poodle-atta...

[TD-Linux]

It's been turned off in Nightly for a while, and I've noticed several sites broken because of it - most notably, the T-Mobile payment website.

[cpeterso]

For interested T-Mobile users, here's the Mozilla tech evangelism bug trying to reach T-Mobile about their broken site:

https://bugzilla.mozilla.org/show_bug.cgi?id=1042380

[justcommenting]

this is good news--Firefox leaving users vulnerable to well-known attacks by default for just a few months is actually a major improvement (not being sarcastic).

mozilla security engineers have a history of making excuses of the "let's continue doing this incredibly unsafe thing in Firefox in the name of legacy compatibility" variety. i'm thinking of folks like julien vehent & brian smith here, but kudos to the rest of the mozilla security team for finally starting to move beyond the tortured logic of defaults that leave all ff users vulnerable.

[pix64]

You do realize Chrome 40 is also coming out in November, yes?

http://www.chromium.org/developers/calendar

[justcommenting]

i do - my comment was about security team attitudes

[yuhong]

It also helps that POODLE is in the news too.

[ohyesyodo]

I will say huge props when they actually remove it. Not when they just remove the fallback.