Closed Bug 1140867 Opened 10 years ago Closed 6 years ago

SSL on aus2-community.mozilla.org is horribly outdated (SeaMonkey update server)

Categories

(SeaMonkey :: Release Engineering, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mozilla, Unassigned)

References

Details

(Keywords: sec-other)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0 SeaMonkey/2.32.1
Build ID: 20150208103530

Steps to reproduce:

Due to POODLE and the related incidents I am rather pleased that SeaMonkey still offers a GUI for enabling / disabling the different TLS versions. But: After restricting SeaMonkey to only use TLS1.2, its integrated updater broke. Pointing https://www.ssllabs.com/ssltest/ at aus2-community.mozilla.org revealed the cause: The SSL configuration of that server is horribly outdated and does not support TLS1.2. And much worse: It still supports SSLv2! (And SSLv3...)

Because I don't know if there are additional checks after the download of a new SeaMonkey version, I'm marking this as a security bug, because an attacker can use the FREAK attack to impersonate the update server and supply a manipulated update.

Actual results:

Qualys report on aus2-community.mozilla.org:
Overall Rating: F
This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server supports insecure Diffie-Hellman (DH) key exchange parameters. Grade set to F.
This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.

https://www.ssllabs.com/ssltest/analyze.html?d=aus2-community.mozilla.org&hideResults=on

Expected results:

Similar SSL support to the Firefox server.

Qualys report on aus4.mozilla.org:
Overall Rating: A-
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-.

... the only thing Qualys complains about is that IE will not get Forward Secrecy, which seems to be acceptable for a server that probably only ever sees Mozilla products. ;-)

https://www.ssllabs.com/ssltest/analyze.html?d=aus4.mozilla.org&hideResults=on
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/700]
Depends on: 1119950
Flags: sec-review?
See Also: → 1119950
Bug 960665 is unrelated.... Bug 1119950 should solve this, but since we have cert pinning in SeaMonkey, it is not an instant deploy. We'll need to also verify against this issue at time of preparing to deploy (shouldn't be hard, but is certainly warranted).
Flags: sec-review?
p.s. for drive-by's, only SeaMonkey uses aus2-community, and it is a community run server, MoCo just helps us with the cert stuff relating to it.
Assignee: server-ops-webops → nobody
Group: mozilla-employee-confidential → core-security
Component: WebOps: Product Delivery → Release Engineering
Product: Infrastructure & Operations → SeaMonkey
QA Contact: smani
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/700]
Version: other → unspecified
fwiw this got marked core-sec, but looks like it was because it was the only remaining restriction group for this component. It needs a restriction but is *not* a "product sec" that needs any sort of tracking
Not an issue that's useful to hide.
Group: core-security
Group: core-security-release
Kinda surprised this was de-classified.. while I understand it isn't a priority server, it's still a server within the community lan and while I am trying to migrate off this server, it's taking some time. Can this be moved to a different security flag aside for core? thanks
Status: UNCONFIRMED → NEW
Ever confirmed: true
Depends on: 1338960
(In reply to Edmund Wong (:ewong) from comment #5)
> Kinda surprised this was de-classified..

I mean, the server info is trivially publicly available, so in that sense hiding the bug has limited value.

> Can this be moved to a different security flag aside for core?

Core release track is the only one I can see on bugs in the SeaMonkey product.
Keywords: sec-other
well.. this is fixed.. though, ftr, aus2 no longer points to a Moco system.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: core-security-release