Closed
Bug 1140867
Opened 10 years ago
Closed 6 years ago
SSL on aus2-community.mozilla.org is horribly outdated (Seamonkey update server)
Categories
(SeaMonkey :: Release Engineering, defect)
SeaMonkey
Release Engineering
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mozilla, Unassigned)
References
Details
(Keywords: sec-other)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 SeaMonkey/2.32.1
Build ID: 20150208103530
Steps to reproduce:
Due to POODLE and the related incidents I am rather pleased that SeaMonkey still offers a GUI for enabling / disabling the different TLS versions.
But: After restricting SeaMonkey to only use TLS 1.2, its integrated updater broke.
Pointing https://www.ssllabs.com/ssltest/ at aus2-community.mozilla.org revealed the cause: The SSL configuration of that server is horribly outdated and does not support TLS 1.2. And much worse: It still supports SSLv2! (And SSLv3...)
Because I don't know if there are additional checks after the download of a new SeaMonkey version, I'm marking this as a security bug, because an attacker can use the FREAK attack to impersonate the update server and supply a manipulated update.
Actual results:
Qualys report on aus2-community.mozilla.org:
Overall Rating: F
This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server supports insecure Diffie-Hellman (DH) key exchange parameters. Grade set to F.
This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
https://www.ssllabs.com/ssltest/analyze.html?d=aus2-community.mozilla.org&hideResults=on
Expected results:
SSL support similar to the Firefox server's.
Qualys report on aus4.mozilla.org:
Overall Rating: A-
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.
... the only thing Qualys complains about is that IE will not get Forward Secrecy, which seems to be acceptable for a server that probably only ever sees Mozilla products. ;-)
https://www.ssllabs.com/ssltest/analyze.html?d=aus4.mozilla.org&hideResults=on
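As an added illustration (not part of the bug, and not the real aus2-community configuration, whose server software the bug does not name), here is how each SSL Labs finding above maps onto Apache httpd mod_ssl directives: a weak configuration that would produce those findings, beside a corrected one. The weak block uses httpd 2.2 syntax; the corrected block assumes httpd 2.4.7+ built against OpenSSL 1.0.1+, and the certificate paths are placeholders.

```apache
# Weak configuration, constructed to reproduce each finding in the report above.

# "supports SSL 2" / "vulnerable to POODLE": SSLv2 and SSLv3 still enabled,
# and no TLS 1.1/1.2 token, so "not the current best TLS 1.2".
SSLProtocol SSLv2 SSLv3 TLSv1
# "512-bit export suites" (FREAK) and "accepts the RC4 cipher": every suite
# OpenSSL knows is offered, and the client's preference order is honoured,
# so forward-secret suites are rarely chosen.
SSLCipherSuite ALL
SSLHonorCipherOrder off
# "insecure DH parameters": no custom group, so the short built-in one is used.
# "weak signature": certificate issued with a SHA-1 signature (placeholder path).
SSLCertificateFile /etc/ssl/certs/aus2-sha1.pem

# Corrected configuration (httpd 2.4.7+ with OpenSSL 1.0.1+).

# httpd 2.4 has no SSLv2 at all; dropping SSLv3 leaves TLS 1.0 to 1.2,
# so a client restricted to TLS 1.2 (the reporter's SeaMonkey) can connect.
SSLProtocol all -SSLv3
# The server chooses the suite, so the ECDHE/DHE suites listed first win and
# forward secrecy is negotiated with modern clients; export, RC4, DES/3DES,
# MD5 and anonymous suites are excluded outright. The plain RSA suites at the
# end keep older clients (the report's IE case) working without forward secrecy.
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5:!PSK
# Certificate re-issued with a SHA-256 signature. Since 2.4.7 mod_ssl already
# defaults to 2048-bit+ DH groups; a custom group ("openssl dhparam 2048")
# can be appended to this same file if a specific one is wanted (placeholder path).
SSLCertificateFile /etc/ssl/certs/aus2-sha256.pem
```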
Comment 1•10 years ago
Bug 960665 is unrelated...
Bug 1119950 should solve this, but since we have cert pinning in SeaMonkey, it is not an instant deploy.
We'll need to also verify against this issue at time of preparing to deploy (shouldn't be hard, but is certainly warranted).
Flags: sec-review?
Comment 2•10 years ago
p.s. for drive-bys: only SeaMonkey uses aus2-community, and it is a community-run server; MoCo just helps us with the cert stuff relating to it.
Assignee: server-ops-webops → nobody
Group: mozilla-employee-confidential → core-security
Component: WebOps: Product Delivery → Release Engineering
Product: Infrastructure & Operations → SeaMonkey
QA Contact: smani
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/700]
Version: other → unspecified
Comment 3•10 years ago
fwiw this got marked core-sec, but looks like it was because it was the only remaining restriction group for this component. It needs a restriction but is *not* a "product sec" that needs any sort of tracking
Updated•7 years ago
Group: core-security-release
Comment 5•7 years ago
Kinda surprised this was de-classified.. while I understand it isn't a priority server, it's still a server within the community LAN, and while I am trying to migrate off this server, it's taking some time.
Can this be moved to a different security flag aside from core?
thanks
Updated•7 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 6•7 years ago
(In reply to Edmund Wong (:ewong) from comment #5)
> Kinda surprised this was de-classified..
I mean, the server info is trivially publicly available, so in that sense hiding the bug has limited value.
> Can this be moved to a different security flag aside from core?
Core release track is the only one I can see on bugs in the SeaMonkey product.
Comment 7•6 years ago
well.. this is fixed.. though, ftr, aus2 no longer points to a Moco system.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
Group: core-security-release