Open Bug 1367617 Opened 3 years ago Updated 2 months ago

Increase minimum DH key size in TLS handshakes to 2048 bits

Categories

(Core :: Security: PSM, defect, P2)

55 Branch
defect

People

(Reporter: WdFCRTsSDyWZ, Unassigned)

Details

(Keywords: parity-chrome, parity-edge, parity-safari, Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170523030206

Steps to reproduce:

Point Firefox to: https://dh1024.badssl.com/


Actual results:

It connected as a secure connection, even though the connection may not be private, because the site is incorrectly configured using an ephemeral Diffie-Hellman key exchange over a 1024-bit group.


Expected results:

It should have refused the connection and displayed something like:

"This site can’t provide a secure connection
dh1024.badssl.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Component: Untriaged → Security: PSM
Product: Firefox → Core
Looks like Chrome bumped the minimum DH key size, so we probably can too.
Priority: -- → P2
Summary: Firefox incorrectly connects to site with DH-1024. → increase minimum DH key size in TLS handshakes
Whiteboard: [psm-backlog]
Highly related tests (that Chrome also passes by rejecting connection):
https://dh-small-subgroup.badssl.com/
https://dh-composite.badssl.com/
Any progress on this issue? https://dh1024.badssl.com/ still shows a perfectly green extra secure lock on it despite using very vulnerable cryptography in latest Firefox beta.
I can reproduce this issue with Nightly 63, while Chrome Dev 69 protects me.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: parity-chrome
Edge 18 and Safari 11.1 also block dh1024. The 2015 Logjam paper [1] recommends:

"If you have a web or mail server, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group."

"If you’re a sysadmin or developer make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit."

Firefox's minimum DH key size (SSL_DH_MIN_P_BITS) is 1023 bits [2], so we are (nearly) following the authors' (2015) advice for clients to reject keys smaller than 1024 bits.

[1] https://weakdh.org/
[2] https://searchfox.org/mozilla-central/rev/e52cd92858800a69b74cb97d26d9bdb960d611ca/security/nss/lib/nss/nssoptions.h#19
Keywords: parity-safari
Summary: increase minimum DH key size in TLS handshakes → Increase minimum DH key size in TLS handshakes to 2048 bits
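The client-side size check discussed above, as an added example that is not part of the bug thread and is not NSS or Firefox code: it parses a TLS ServerDHParams structure and compares the bit length of dh_p against a minimum, showing that a 1023-bit value passes the 1023-bit floor quoted for SSL_DH_MIN_P_BITS but fails a 2048-bit floor. The function names and the sample parameters are assumptions constructed for illustration; only size is checked, not primality or subgroup structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bit length of a big-endian integer, ignoring leading zero bytes. */
static int bit_length(const uint8_t *p, size_t len) {
    while (len > 0 && *p == 0) { p++; len--; }
    if (len == 0) return 0;
    int bits = (int)(len * 8);
    for (uint8_t top = *p; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* ServerDHParams (RFC 5246, 7.4.3): length-prefixed dh_p, dh_g, dh_Ys.
 * Returns the bit length of dh_p, or -1 if the structure is malformed. */
int dh_prime_bits(const uint8_t *msg, size_t len) {
    size_t off = 0;
    int p_bits = -1;
    for (int field = 0; field < 3; field++) {
        if (len - off < 2) return -1;
        size_t n = ((size_t)msg[off] << 8) | msg[off + 1];
        off += 2;
        if (n == 0 || n > len - off) return -1;
        if (field == 0) p_bits = bit_length(msg + off, n);
        off += n;
    }
    return p_bits;
}

/* Size policy only: 1 = accept, 0 = reject (too small or malformed). */
int dh_size_ok(const uint8_t *msg, size_t len, int min_bits) {
    return dh_prime_bits(msg, len) >= min_bits;
}

/* Constructed sample, not a real prime: dh_p = `top` byte + 0xFF filler. */
size_t build_sample(uint8_t *out, size_t p_bytes, uint8_t top) {
    out[0] = (uint8_t)(p_bytes >> 8);
    out[1] = (uint8_t)p_bytes;
    memset(out + 2, 0xFF, p_bytes);
    out[2] = top;
    memcpy(out + 2 + p_bytes, "\x00\x01\x02\x00\x01\x05", 6); /* dh_g=2, dh_Ys=5 */
    return 2 + p_bytes + 6;
}

int main(void) {
    uint8_t buf[600];
    size_t n = build_sample(buf, 128, 0x7F);  /* 128 bytes, 1023 bits */
    printf("min 1023: %d, min 2048: %d\n", dh_size_ok(buf, n, 1023), dh_size_ok(buf, n, 2048));
    return 0;
}
```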
This is probably basically just a dupe of bug 1227519. Other browsers completely disable DH. We haven't had an update in the other bug for a while, so maybe this is now possible.
If you would increase SSL_DH_MIN_P_BITS to 2048 bits, a few people might need to manually disable DHE cipher suites to be able to connect to their crap devices. It's easy to disable a cipher suite in Firefox. Other browsers are already protecting against small DH keys. It should be done rather soon and before bug 1227519.
If you would disable DHE cipher suites by default, some people might fall back to plain RSA without reason. Plain RSA should be disabled first.

https://searchfox.org/mozilla-central/rev/e52cd92858800a69b74cb97d26d9bdb960d611ca/security/manager/ssl/nsNSSCallbacks.cpp#866

https://mzl.la/2O906TA
Windows (Ping count: 8.89k - in comparison: that's 0.018% of Windows ECC ping count)
- 1024 bits: 42.35k samples (66.74%)
- 2048 bits: 18.8k samples (29.62%)
- 4096 bits: 2.3k samples (3.63%)

https://mzl.la/2O8IM0H
MacOS (Ping count: 1.43k)
- 1024 bits: 2.69k samples (52.88%)
- 2048 bits: 2.4k samples (47.06%)
- 4096 bits: 1 sample (0.02%)

https://mzl.la/2KmwvUo
Linux (Ping count: 525)
- 1024 bits: 873 samples (37.12%)
- 2048 bits: 1.47k samples (62.41%)
- 4096 bits: 8 samples (0.34%)

https://mzl.la/2O743bi
ECC in contrast:
Windows (Ping count: 4.74M)
- unknown: 362.69M samples (34%) - X25519?
- P-256:   695.23M samples (65.17%)
- P-384:     5.88M samples (0.55%)
- P-512:     2.95M samples (0.28%)
See Also: → 1496639
Has this bug been forgotten about? It is a very serious security issue that all other browsers fixed many years ago.