Tiles server supports weak 1024-bit Diffie-Hellman (DH)



4 years ago
3 years ago


(Reporter: shahmeerbond, Assigned: relud)


Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)




4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 OPR/27.0.1689.76

Steps to reproduce:

The webserver tiles.services.mozilla.com supports a highly outdated Diffie-Hellman key exchange service.
It is also known as the Logjam attack.

I did several tests and verified this.
Here is the POC

Actual results:

The webserver supports the key exchange

Expected results:

It should be upgraded


4 years ago
Component: General → Tiles: Ops
Product: Mozilla Services → Content Services


4 years ago
Assignee: nobody → dthornton
The server does support one ciphersuite that uses 1024-bit DH keys. That's where Firefox currently draws the line of "acceptable" -- it's weak if your adversary is the NSA but probably OK otherwise so we allow that connection. The "Logjam attack" proper is the downgrading of keys to 512 bits and that's not possible here. Weak keys are just weak keys.

Weak keys (especially super-weak keys due to a Logjam attack) allow for passive eavesdropping, not tampering. What is the traffic between Firefox and the Tiles server? I assume this is encrypted primarily for integrity reasons, not privacy. Or do we send user info on the pipe? From our privacy policy it doesn't sound terribly revealing:

   Tiles are a feature of Firefox displayed on new tab pages. In order to provide
   the tiles feature, Firefox sends to Mozilla data relating to the tiles such as
   number of clicks, impressions, your IP address, locale information and tile
   specific data (e.g., position and size of grid).

On top of that, the tiles service is Firefox specific, and Firefox will never choose the ciphersuite with the weak DH keys. In practice there's no privacy problem here at all.

If you want to increase your TLS grade on the Qualys scanner (and similar) just delete that suite from the list the server offers -- we're not using it.
Group: cloud-services-security
Ever confirmed: true
Summary: Weak Diffie-Hellman (DH) → Tiles server supports weak 1024-bit Diffie-Hellman (DH)


3 years ago
Last Resolved: 3 years ago
Resolution: --- → FIXED
Daniel, you resolved this fixed but with no further data. How was this fixed?
Flags: sec-bounty?
Flags: needinfo?(dthorn)

Comment 3

3 years ago
The security policy on the ELB has been changed to one that no longer includes the logjam vulnerable cipher.
Flags: needinfo?(dthorn)
Minusing for the bounty because 1024-bit ciphers are the low end of acceptability for ciphers but not inherently vulnerable. This isn't a dangerous security issue.
Flags: sec-bounty? → sec-bounty-