Mozilla security engineers have a history of making excuses of the "let's continue doing this incredibly unsafe thing in Firefox in the name of legacy compatibility" variety. I'm thinking of folks like Julien Vehent & Brian Smith here, but kudos to the rest of the Mozilla security team for finally starting to move beyond the tortured logic of defaults that leave all FF users vulnerable.