
Bug 1130693 – bookstore.*.edu – “Secure connection failed” - yuhong
https://bugzilla.mozilla.org/show_bug.cgi?id=1130693
======
Create
Guarding patrons' library activities is considered a core value of the
profession, written into the ALA's code of ethics: "We protect each library
user's right to privacy and confidentiality with respect to information sought
or received and resources consulted, borrowed, acquired or transmitted."

Over the years, the U.S. government has tested the limits of how far
librarians will go to defend that code. Near the end of the Cold War, FBI
agents asked New York City librarians to watch for patrons who might be
diplomats from foreign hostile powers trying to recruit intelligence agents or
gathering intelligence.

[http://boingboing.net/2014/10/12/librarians-on-the-vanguard-...](http://boingboing.net/2014/10/12/librarians-on-the-vanguard-of.html)

[http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/03...](http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/03/librarians-wont-stay-quiet-about-government-surveillance/?Post+generic=%3Ftid%3Dsm_twitter_washingtonpost)

------
yuhong
Also look for "bookstore" in:
[https://bug1128227.bugzilla.mozilla.org/attachment.cgi?id=85...](https://bug1128227.bugzilla.mozilla.org/attachment.cgi?id=8560816)

------
yzzxy
I'm not sure what's notable about this bug - I think most of these sites are
run by the same company but that's the only point of interest I can find.

~~~
yuhong
I am looking for contact information.

------
aftbit
What's going on here?

~~~
ytch
Following the bug comment[1][2],

In Firefox 36, they will disable TLS downgrade with
"security.tls.version.fallback-limit", but those websites (bookstore.*.edu) use
the same server and can only use TLS 1.0 [3]. So Firefox 37 will whitelist
them to use old protocols/ciphers (TLS 1.0, RC4 and so on).

[1] [https://bugzilla.mozilla.org/show_bug.cgi?id=1128227#c17](https://bugzilla.mozilla.org/show_bug.cgi?id=1128227#c17)

[2] [https://bugzilla.mozilla.org/show_bug.cgi?id=1084025](https://bugzilla.mozilla.org/show_bug.cgi?id=1084025)

[3] [https://www.ssllabs.com/ssltest/analyze.html?d=bookstore.hac...](https://www.ssllabs.com/ssltest/analyze.html?d=bookstore.hacc.edu)
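
A simplified model of the fallback behaviour discussed in the comment above, as an added example that is not part of the original thread and not Firefox code. It assumes the affected server is version-intolerant (it aborts on any offer above TLS 1.0 rather than negotiating down), which the thread does not state; the host name, class names and the `whitelist` parameter are constructed for illustration.

```python
# Added example: simplified model of client-side TLS version fallback.
# Versions are (major, minor) as sent on the wire.
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

class IntolerantServer:
    """Constructed server: speaks only TLS 1.0 and aborts on any higher
    offer instead of negotiating down (assumed behaviour)."""
    def hello(self, offered):
        return TLS10 if offered == TLS10 else None  # None = handshake aborted

class CompliantServer:
    """Constructed server: answers with min(offer, its own maximum)."""
    def __init__(self, max_version):
        self.max_version = max_version
    def hello(self, offered):
        return min(offered, self.max_version)

def connect(host, server, fallback_limit, whitelist=frozenset(), client_max=TLS12):
    """Return (negotiated version or None, list of versions offered).

    fallback_limit is the lowest version the client will retry with after a
    failed handshake; hosts in `whitelist` (hypothetical parameter) may fall
    back all the way to TLS 1.0.
    """
    floor = TLS10 if host in whitelist else fallback_limit
    offer, attempts = client_max, []
    while True:
        attempts.append(offer)
        negotiated = server.hello(offer)
        if negotiated is not None:
            return negotiated, attempts
        lower = (offer[0], offer[1] - 1)
        if lower < floor:          # retrying lower would be a forbidden downgrade
            return None, attempts  # surfaces as "Secure connection failed"
        offer = lower

if __name__ == "__main__":
    host = "bookstore.example.edu"  # constructed host name
    for label, srv, wl in [("intolerant, no whitelist", IntolerantServer(), set()),
                           ("intolerant, whitelisted", IntolerantServer(), {host}),
                           ("compliant TLS 1.0 only", CompliantServer(TLS10), set())]:
        print(label, connect(host, srv, TLS12, wl))
```

In this model a compliant TLS 1.0-only server still connects on the first offer, so only servers that depend on the retry-at-a-lower-version path are affected by raising the fallback limit.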

~~~
nailer
Why whitelist them, rather than showing a warning about the insecure cyphers?

