Closed Bug 1487842 Opened 6 years ago Closed 3 years ago

Remove weak TLS_DHE_RSA_* ciphers from Firefox for Android

Categories

(Firefox for Android Graveyard :: Android Sync, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: nalexander, Unassigned)

Details

Per https://groups.google.com/d/msg/mozilla.dev.platform/XyQo24IO0oA/h5bfCqShAwAJ, Firefox (Gecko) will drop the ciphers
    - TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_DHE_RSA_WITH_AES_256_CBC_SHA
because they are considered too weak.

For historical reasons Firefox for Android will handshake to Firefox Sync servers using these suites:

https://searchfox.org/mozilla-central/rev/05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java#73

After discussion off-list, I confirmed that we should drop those suites from Firefox for Android.
bobm:

a) can you confirm these cipher suites aren't required for Sync 1.5?  (I'd be shocked if they're in our current AWS configuration, but I've been shocked before.)

b) can you confirm that we can also drop some old versions of TLS/SSLv3 from 

https://searchfox.org/mozilla-central/rev/05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/java/org/mozilla/gecko/background/common/GlobalConstants.java#94

c) are you aware of cipher suites requirements coming from SBrowser's use of Firefox Sync?  (I'm not sure this is relevant any more.)
Flags: needinfo?(bobm)
(In reply to Nick Alexander :nalexander [he/him] from comment #1)

> a) can you confirm these cipher suites aren't required for Sync 1.5?  (I'd
> be shocked if they're in our current AWS configuration, but I've been
> shocked before.)

In a large sample (2/3 of Sync traffic for a month) there are no CBC ciphers present, which isn't surprising since they aren't in the allowed-ciphers list configuration.

> b) can you confirm that we can also drop some old versions of TLS/SSLv3 from 
> 
> https://searchfox.org/mozilla-central/rev/
> 05d91d3e02a0780f44599371005591d7988e2809/mobile/android/services/src/main/
> java/org/mozilla/gecko/background/common/GlobalConstants.java#94

0.05 percent of Sync traffic uses TLSv1.  Most of that is from SBrowser:
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1 DHE-RSA-AES256-SHA

SSLv3 traffic accounts for .00002% of Sync traffic.

> c) are you aware of cipher suites requirements coming from SBrowser's use of
> Firefox Sync?  (I'm not sure this is relevant any more.)

0.03%     Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1 DHE-RSA-AES256-SHA
0.000015% Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
0.26%     Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

I'll share a copy of the collated information I used to answer these questions with you, in case you'd like to do further investigation.
Flags: needinfo?(bobm)
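An added example, not code from this bug or from Mozilla's Sync infrastructure, of the kind of tally bobm describes above: it reads handshake records in the `<user agent> <protocol> <OpenSSL cipher name>` shape quoted in the comment and reports how much traffic still negotiated one of the two DHE-RSA CBC suites or a pre-TLS 1.2 protocol, broken down by client, so the impact of dropping them can be judged before the change ships. The log lines are constructed; the IANA-to-OpenSSL suite names are the standard mapping.

```python
import re
from collections import Counter

# The two suites this bug removes, keyed by IANA name, valued by the
# OpenSSL name that appears in server-side handshake logs.
REMOVED_SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
}
REMOVED_OPENSSL_NAMES = set(REMOVED_SUITES.values())
# Protocol versions the client should also stop offering.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample records (one connection each) in the format quoted above.
SAMPLE_LOG = """\
Firefox AndroidSync 1.@MOZ_APP_VERSION@.0 (Firefox) TLSv1 DHE-RSA-AES256-SHA
Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Firefox AndroidSync 1.40.0 (Firefox) SSLv3 DHE-RSA-AES128-SHA
Firefox AndroidSync 1.40.0 (Firefox) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
Firefox AndroidSync 1.40.0 (SBrowser) TLSv1.2 DHE-RSA-AES128-SHA
"""


def parse_record(line):
    """Split '<user agent> <protocol> <cipher>'; the UA may contain spaces,
    so take the last two whitespace-separated fields from the right."""
    user_agent, proto, cipher = line.rsplit(None, 2)
    client = re.search(r"\(([^)]+)\)", user_agent)
    return {"client": client.group(1) if client else "unknown",
            "proto": proto, "cipher": cipher}


def uses_removed_config(rec):
    """True if the connection negotiated a suite or protocol version that
    the client will no longer offer after this change."""
    return rec["proto"] in DEPRECATED_PROTOCOLS or rec["cipher"] in REMOVED_OPENSSL_NAMES


def summarize(log_text):
    """Return totals, share of legacy connections, and a per-client breakdown."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    legacy = [r for r in records if uses_removed_config(r)]
    total = len(records)
    return {
        "total": total,
        "legacy": len(legacy),
        "legacy_pct": round(100.0 * len(legacy) / total, 2) if total else 0.0,
        "legacy_by_client": dict(Counter(r["client"] for r in legacy)),
        "suites_seen": dict(Counter((r["proto"], r["cipher"]) for r in records)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```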
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard