Huge props to the Chromium team for doing this; it's an excellent precedent.<p>SSLv3 is broken, and the only reason it's been so well-supported is that the browsers were unwilling to break web servers; the operators of those servers can't be counted on to fix them, and users direct their ire at the browser vendors. But apparently there's a red line across which the browsers won't make up for broken server configurations, and POODLE crossed it.
Why not go further?<p>I'd be all for very disturbing warnings for any version of TLS before 1.2, and somewhat scary warnings for low-security or non-PFS operational modes.<p>Basically, enough so that in a big company corporate would ring up the IT department to "fix the ssl site for giving an error", but not enough so that everyone clicks through the "ignorable warning".
The last update to Iceweasel in Debian stable disabled SSLv3 over a week ago. So far I've only encountered one website I frequent that will need intervention, but otherwise it was hardly noticeable.
Microsoft is planning the same: http://azure.microsoft.com/blog/2014/10/29/protecting-against-the-ssl-3-0-vulnerability/
I have an old RAID controller from 3ware. The management software runs on localhost, but for ill-advised security reasons forces HTTPS. One day I was not able to connect anymore (with a browser running on that machine!). I had to hunt down an old version of Firefox to still be able to connect.<p>Therefore it is a bad idea to not provide a fallback. It's good if every login over the internet is protected by HTTPS and weak fallbacks are not used. But there are places where security is just irrelevant (like my localhost scenario, or legacy hardware in a trusted local network), where I'd rather have a way of making a connection in any way possible, no matter how insecure. Old ciphers, old SSL, compatibility hacks etc.<p>I wish they would keep that code around and make it possible to connect anyway.
The only time Chrome's over-zealous security has even shown up for me is when it doesn't let me log in to WiFi that requires a login page. Which happens a lot. Oh, and maybe once the site in question had an expired certificate and I had to use another browser to access it. Wonderful.
From the thread:<p>"While we're at it, can we add one of those glorious SSL failure screens to any sites that don't use HTTPS in a future version of Chrome?"<p>"We are working on something like that, but gentler."<p>YMMV, but: ugh.