Closed Bug 1316300 Opened 8 years ago Closed 7 years ago

Deprecate and remove: TLS CBC-mode ECDSA cipher suites

Categories

(Core :: Security: PSM, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox53 --- fixed

People

(Reporter: u570621, Assigned: emk)

References

Details

(Keywords: dev-doc-needed, site-compat, Whiteboard: [psm-backlog])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20100101

Steps to reproduce:

Catch up to chrome deprecating old/unused features related to security

https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/EE8XpDJytBs

https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/A-LcSmj5TBE
Assignee: nobody → nobody
Severity: normal → major
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: Trunk → trunk
Summary: Catch up to Chrome security → Deprecate and remove: TLS CBC-mode ECDSA cipher suites & TLS 1.2 ECDSA with SHA-1 and SHA-512 signature algorithms
The corresponding Chromium issue is not against BoringSSL, so Core/Security:PSM would be more appropriate our component.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: trunk → Trunk
Priority: -- → P3
Whiteboard: [psm-backlog]
Google finished the work on removing these. What is the progress on Mozilla's side?
Comment on attachment 8819518 [details]
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello.

https://reviewboard.mozilla.org/r/99254/#review100430

I'm a little unclear on how we would measure the compatibility impact of this. Just by monitoring changes in the SSL_TLS13_INTOLERANCE_REASON_* telemetry histograms?
Attachment #8819518 - Flags: review?(dkeeler)
Also, :mt - thoughts on this?
Flags: needinfo?(martin.thomson)
The only real benefit to removing these is space savings in the ClientHello - the exposure we had to export grade ciphers isn't made worse by supporting these cipher suites.  Key exchange and authentication with ECDHE and ECDSA is arguably stronger than RSA in all our supported cipher suites.  

There is a compatibility risk, though it's probably tiny for the reasons that David points out.

I don't think that we need to rush into fixing these.  That said, I'm OK with landing this in Firefox 53 as long as it rides the trains in the normal fashion.  That gives us a few extra weeks to shake out the problems.

FWIW, we're seeing very little of the CBC suites: https://mzl.la/2hFp7IL  The 128-bit variant is 1M out of 216B samples, 256-bit is even less.  We have no telemetry on signature algorithms.
Flags: needinfo?(martin.thomson)
Comment on attachment 8819518 [details]
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello.

(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> I'm a little unclear on how we would measure the compatibility impact of
> this. Just by monitoring changes in the SSL_TLS13_INTOLERANCE_REASON_*
> telemetry histograms?

By monitoring changes in SSL_CIPHER_SUITE_FULL. Currently, we will negotiate ECDSA_CBC cipher suites when the servers prefer them, even if the servers support other cipher suites. By hiding ECDSA_CBC cipher suites behind the fallback, we will negotiate them only when the servers exclusively supports them. Only those servers will break when we remove ECDSA_CBC cipher suites.

Re-requesting review because :mt said it's OK to ride this on the train.
Attachment #8819518 - Flags: review?(dkeeler)
Comment on attachment 8819518 [details]
Bug 1316300 - Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello.

https://reviewboard.mozilla.org/r/99254/#review100820

Ok, I see how this will work. Hopefully TLS1.3 intolerance won't confuse the situation. r=me, but yeah, let's not uplift this or anything.
Attachment #8819518 - Flags: review?(dkeeler) → review+
Pushed by VYV03354@nifty.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/0c0edf04c56f
Remove ECDSA_CBC cipher suites from TLS 1.3 ClientHello. r=keeler
Assignee: nobody → VYV03354
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Blocks: 1325257
I didn't touch the signature algorithm issue. Due to MozReview's poor support for partial landing, it would be better to file a new bug for the remaining issue. Hence I filed it (bug 1325257).
Summary: Deprecate and remove: TLS CBC-mode ECDSA cipher suites & TLS 1.2 ECDSA with SHA-1 and SHA-512 signature algorithms → Deprecate and remove: TLS CBC-mode ECDSA cipher suites
https://hg.mozilla.org/mozilla-central/rev/0c0edf04c56f
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: