Open Bug 1367617 Opened 3 years ago Updated 2 months ago
Increase minimum DH key size in TLS handshakes to 2048 bits
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170523030206

Steps to reproduce:
Point Firefox to: https://dh1024.badssl.com/

Actual results:
It connected as a secure connection, even though the connection may not be private, because the site is incorrectly configured using an ephemeral Diffie-Hellman key exchange over a 1024-bit group.

Expected results:
It should have refused the connection and displayed something like:
"This site can’t provide a secure connection
dh1024.badssl.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Looks like Chrome bumped the minimum DH key size, so we probably can too.
Priority: -- → P2
Summary: Firefox incorrectly connects to site with DH-1024. → increase minimum DH key size in TLS handshakes
Highly related tests (that Chrome also passes by rejecting connection): https://dh-small-subgroup.badssl.com/ https://dh-composite.badssl.com/
Any progress on this issue? https://dh1024.badssl.com/ still shows a perfectly green extra secure lock on it despite using very vulnerable cryptography in the latest Firefox beta.
I can reproduce this issue with Nightly 63, while Chrome Dev 69 protects me.
Edge 18 and Safari 11.1 also block dh1024.

The 2015 Logjam paper [1] recommends:
"If you have a web or mail server, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group."
"If you’re a sysadmin or developer make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit."

Firefox's minimum DH key size (SSL_DH_MIN_P_BITS) is 1023 bits [2], so we are (nearly) following the authors' (2015) advice for clients to reject keys smaller than 1024 bits.

[1] https://weakdh.org/
[2] https://searchfox.org/mozilla-central/rev/e52cd92858800a69b74cb97d26d9bdb960d611ca/security/nss/lib/nss/nssoptions.h#19
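Added example, not part of the bug thread and not NSS code: the client-side minimum-size check discussed above, written in Python against the ServerDHParams structure (dh_p, dh_g, dh_Ys) that a TLS 1.2 DHE ServerKeyExchange carries. The function names and the sample moduli are constructed for illustration; the 1023-bit and 2048-bit thresholds are the values quoted in this thread.

```python
import struct

FIREFOX_MIN_P_BITS = 1023   # SSL_DH_MIN_P_BITS value quoted in this thread
PROPOSED_MIN_P_BITS = 2048  # minimum proposed in the bug title


def read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body."""
    p, off = read_opaque16(body, 0)
    g, off = read_opaque16(body, off)
    ys, off = read_opaque16(body, off)
    return tuple(int.from_bytes(v, "big") for v in (p, g, ys))


def dh_group_accepted(body, min_p_bits):
    """True if the prime's real bit length meets the minimum.

    The integer's bit length is used, not 8 * encoded length, so a modulus
    padded with leading zero bytes cannot pass as a larger group.
    """
    p, _g, _ys = parse_server_dh_params(body)
    return p.bit_length() >= min_p_bits


def build_params(p, p_len=None, g=2, ys=4):
    """Constructed input: encode integers as ServerDHParams (not real primes)."""
    p_len = p_len or (p.bit_length() + 7) // 8
    out = b""
    for value, size in ((p, p_len), (g, 1), (ys, 1)):
        out += struct.pack("!H", size) + value.to_bytes(size, "big")
    return out


SAMPLE_1024 = build_params((1 << 1023) | 1)  # constructed 1024-bit modulus
SAMPLE_2048 = build_params((1 << 2047) | 1)  # constructed 2048-bit modulus

if __name__ == "__main__":
    for name, body in (("1024-bit", SAMPLE_1024), ("2048-bit", SAMPLE_2048)):
        print(name, "min 1023:", dh_group_accepted(body, FIREFOX_MIN_P_BITS),
              "min 2048:", dh_group_accepted(body, PROPOSED_MIN_P_BITS))
```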
This is probably basically just a dupe of bug 1227519. Other browsers completely disable DH. We haven't had an update in the other bug for a while, so maybe this is now possible.
If you would increase SSL_DH_MIN_P_BITS to 2048 bits, a few people might need to manually disable DHE cipher suites to be able to connect to their crap devices. It's easy to disable a cipher suite in Firefox. Other browsers are already protecting against small DH keys. It should be done rather soon and before bug 1227519.

If you would disable DHE cipher suites by default, some people might fall back to plain RSA without reason. Plain RSA should be disabled first.
https://searchfox.org/mozilla-central/rev/e52cd92858800a69b74cb97d26d9bdb960d611ca/security/manager/ssl/nsNSSCallbacks.cpp#866

https://mzl.la/2O906TA
Windows (Ping count: 8.89k - in comparison: that's 0.018% of Windows ECC ping count)
- 1024 bits: 42.35k samples (66.74%)
- 2048 bits: 18.8k samples (29.62%)
- 4096 bits: 2.3k samples (3.63%)

https://mzl.la/2O8IM0H
MacOS (Ping count: 1.43k)
- 1024 bits: 2.69k samples (52.88%)
- 2048 bits: 2.4k samples (47.06%)
- 4096 bits: 1 sample (0.02%)

https://mzl.la/2KmwvUo
Linux (Ping count: 525)
- 1024 bits: 873 samples (37.12%)
- 2048 bits: 1.47k samples (62.41%)
- 4096 bits: 8 samples (0.34%)

https://mzl.la/2O743bi
ECC in contrast:
Windows (Ping count: 4.74M)
- unknown: 362.69M samples (34%) - X25519?
- P-256: 695.23M samples (65.17%)
- P-384: 5.88M samples (0.55%)
- P-512: 2.95M samples (0.28%)
Has this bug been forgotten about? It is a very serious security issue that all other browsers have fixed many years ago.