Closed Bug 1496639 Opened 6 years ago Closed 4 years ago

Establish deprecation date for DHE cipher suites in Firefox

Categories

(Core :: Security: PSM, task, P1)

Product:
Core
Component:
Security: PSM
Version:
62 Branch
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
relnote-firefox --- 78+
firefox-esr68 --- wontfix
firefox77 --- wontfix
firefox78 --- fixed
firefox79 --- fixed

People

(Reporter: ht16cq+b33nskirkppis, Assigned: jan)

References

(Blocks 1 open bug)

Details

(Keywords: site-compat, Whiteboard: [psm-deprecation][psm-assigned])

Attachments

(1 file)

Bug 1496639 - Disable DHE ciphers by default. r?keeler
47 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Steps to reproduce: This is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1227519 but for Firefox as a whole, not just WebRTC. Firefox is the last browser vulnerable to DHE problems. It's time to change that. Additionally, this also fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1367617 Easy test site is https://dh1024.badssl.com/ This site still gives a fully green secure lock in Firefox 63 beta.
This issue will definitely be treated as an enhancement. I will set its component as (Core) Security: PSM and hope it's correct. Note1:I have to mention that the page (https://dh1024.badssl.com/) has a secured connection, has a yellow background on all browser versions and has the text: " dh-1024.badssl.com This site uses an ephemeral Diffie-Hellman key exchange over a 1024-bit group. " Note2: Also, the page can not be opened on Chrome or EDGE browsers.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
status-firefox62: --- → affected
status-firefox63: --- → affected
status-firefox64: --- → affected
status-firefox-esr60: --- → affected
Component: Untriaged → Security: PSM
Ever confirmed: true
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
See Also: → 1367617, 1227519
Version: 60 Branch → 62 Branch
Priority: -- → P3
Whiteboard: [psm-deprecation]
Has this bug been forgotten about? It is a very serious security issue that all other browsers have fixed many years ago.
I think "very serious" is overstating it slightly, and pasting the same comment multiple times in multiple bugs is not really useful. The WeakDH paper (https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf) estimates the computational effort required to pre-compute a 1024-bit Diffie Hellman group at 45 million CPU core-years and a cost of hundreds of millions of dollars. I'm sure that in time the support will be removed, but I don't think it necessarily overrides other priorities. Perhaps support for the DHE key exchange in general could be dropped at the same time as TLS 1.0 is dropped (March 2020: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/).

Any thoughts on fixing this?

Firefox has now removed support for TLSv1.0 and TLSv1.1. How about fixing this as well? It remains one of the biggest and oldest (5 years) vulnerabilities in Firefox.

See Also: 1367617

Firefox does not support AEAD DHE by reason. Requiring 2048 bit DHE could prevent connections to ancient devices. It's "better" to use 2048 bit plain RSA instead of using 1024 bit DHE or being unable to connect. Chrome, Android, Googlebot, Edge, Safari and Servo do not support DHE anymore.

Telemetry: Ciphersuites 21 and 23 on SSL_CIPHER_SUITE_FULL.

Type: enhancement → task
status-firefox62: affected → ---
status-firefox63: affected → ---
status-firefox64: affected → ---
status-firefox-esr60: affected → ---
Assignee: nobody → jan
Status: NEW → ASSIGNED
Assignee: jan → nobody
Status: ASSIGNED → NEW
See Also: → 1227521
Keywords: site-compat

Turns out we're moving forward with this, so since this patch still applies cleanly, I'm going to check it in.

Assignee: nobody → jan
Priority: P3 → P1
Whiteboard: [psm-deprecation] → [psm-deprecation][psm-assigned]
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ca83702c2741 Disable DHE ciphers by default. r=keeler

https://hg.mozilla.org/mozilla-central/rev/ca83702c2741

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox79: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

Posted a site compatibility note for the change.

Comment on attachment 9132327 [details]
Bug 1496639 - Disable DHE ciphers by default. r?keeler

Beta/Release Uplift Approval Request

  • User impact if declined: DHE-based ciphersuites are deprecated and don't sufficiently protect our users. We want this to get into the next ESR, hence the uplift request.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): A canary run in bug 1643286 showed no regressions, and Chrome has already disabled these ciphersuites, so this should be safe.
  • String changes made/needed:
Attachment #9132327 - Flags: approval-mozilla-beta?
status-firefox78: --- → affected

[Tracking Requested - why for this release]:

status-firefox77: --- → wontfix
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → affected
tracking-firefox78: --- → ?
tracking-firefox-esr78: --- → ?

firefox-esr68 --- unaffected

ESR 68 does have DHE suites enabled by default, so shouldn't that be "wontfix" or "affected" rather than "unaffected"?

(In reply to hotaru from comment #17)

firefox-esr68 --- unaffected

ESR 68 does have DHE suites enabled by default, so shouldn't that be "wontfix" or "affected" rather than "unaffected"?

It should indeed be wontfix, as I don't think anyone would take kindly to pulling ciphersuites out in point releases of ESR 68u nless they were completely broken. But we do intend to make this change for ESR 78.

status-firefox-esr68: unaffectedwontfix

Comment on attachment 9132327 [details]
Bug 1496639 - Disable DHE ciphers by default. r?keeler

approved for 78.0b9

Attachment #9132327 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Is this worth a mention in release notes for fx78? Please set the relnote-firefox flag to "?" in that case.

Flags: needinfo?(jjones)
Flags: needinfo?(dkeeler)

Release Note Request (optional, but appreciated)
[Why is this notable]: Disabling DHE ciphersuites could have a compatibility impact
[Affects Firefox for Android]: yes
[Suggested wording]: As part of our ongoing effort to deprecate obsolete cryptography, we have disabled all remaining DHE-based TLS ciphersuites by default.
[Links (documentation, blog post, etc)]:

relnote-firefox: --- → ?
Flags: needinfo?(jjones)
Flags: needinfo?(dkeeler)
See Also: → 1644528

Updated the site compatibility note.

added to the 78 release notes draft

relnote-firefox: ?78+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: