Establish deprecation date for DHE cipher suites in Firefox
Categories
(Core :: Security: PSM, task, P1)
Tracking
()
People
(Reporter: ht16cq+b33nskirkppis, Assigned: jan)
References
(Blocks 1 open bug)
Details
(Keywords: site-compat, Whiteboard: [psm-deprecation][psm-assigned])
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Steps to reproduce: This is similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1227519 but for Firefox as a whole, not just WebRTC. Firefox is the last browser vulnerable to DHE problems. It's time to change that. Additionally, this also fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1367617 Easy test site is https://dh1024.badssl.com/ This site still gives a fully green secure lock in Firefox 63 beta.
|
||
Comment 1•6 years ago
|
||
This issue will definitely be treated as an enhancement. I will set its component as (Core) Security: PSM and hope it's correct. Note1:I have to mention that the page (https://dh1024.badssl.com/) has a secured connection, has a yellow background on all browser versions and has the text: " dh-1024.badssl.com This site uses an ephemeral Diffie-Hellman key exchange over a 1024-bit group. " Note2: Also, the page can not be opened on Chrome or EDGE browsers.
|
Reporter | |
Comment 2•6 years ago
|
||
Has this bug been forgotten about? It is a very serious security issue that all other browsers have fixed many years ago.
I think "very serious" is overstating it slightly, and pasting the same comment multiple times in multiple bugs is not really useful. The WeakDH paper (https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf) estimates the computational effort required to pre-compute a 1024-bit Diffie Hellman group at 45 million CPU core-years and a cost of hundreds of millions of dollars. I'm sure that in time the support will be removed, but I don't think it necessarily overrides other priorities. Perhaps support for the DHE key exchange in general could be dropped at the same time as TLS 1.0 is dropped (March 2020: https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/).
|
|
Reporter | |
Comment 5•5 years ago
|
||
Any thoughts on fixing this?
|
|
Reporter | |
Comment 6•4 years ago
|
||
Firefox has now removed support for TLSv1.0 and TLSv1.1. How about fixing this as well? It remains one of the biggest and oldest (5 years) vulnerabilities in Firefox.
|
Assignee | |
Comment 8•4 years ago
•
|
||
Firefox does not support AEAD DHE by reason. Requiring 2048 bit DHE could prevent connections to ancient devices. It's "better" to use 2048 bit plain RSA instead of using 1024 bit DHE or being unable to connect. Chrome, Android, Googlebot, Edge, Safari and Servo do not support DHE anymore.
Telemetry: Ciphersuites 21 and 23 on SSL_CIPHER_SUITE_FULL.
|
|
Assignee | |
Comment 9•4 years ago
|
||
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Turns out we're moving forward with this, so since this patch still applies cleanly, I'm going to check it in.
|
||
Comment 11•4 years ago
|
||
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ca83702c2741 Disable DHE ciphers by default. r=keeler
|
||
Comment 12•4 years ago
|
||
| bugherder | ||
|
|
||
Comment 13•4 years ago
|
||
Posted a site compatibility note for the change.
Comment on attachment 9132327 [details]
Bug 1496639 - Disable DHE ciphers by default. r?keeler
Beta/Release Uplift Approval Request
- User impact if declined: DHE-based ciphersuites are deprecated and don't sufficiently protect our users. We want this to get into the next ESR, hence the uplift request.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): A canary run in bug 1643286 showed no regressions, and Chrome has already disabled these ciphersuites, so this should be safe.
- String changes made/needed:
|
|
Assignee | |
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Comment 16•4 years ago
|
||
[Tracking Requested - why for this release]:
|
||
Comment 17•4 years ago
|
||
firefox-esr68 --- unaffected
ESR 68 does have DHE suites enabled by default, so shouldn't that be "wontfix" or "affected" rather than "unaffected"?
|
|
||
Comment 18•4 years ago
|
||
(In reply to hotaru from comment #17)
firefox-esr68 --- unaffected
ESR 68 does have DHE suites enabled by default, so shouldn't that be "wontfix" or "affected" rather than "unaffected"?
It should indeed be wontfix, as I don't think anyone would take kindly to pulling ciphersuites out in point releases of ESR 68u nless they were completely broken. But we do intend to make this change for ESR 78.
|
||
Updated•4 years ago
|
|
|
||
Comment 19•4 years ago
|
||
Comment on attachment 9132327 [details]
Bug 1496639 - Disable DHE ciphers by default. r?keeler
approved for 78.0b9
|
|
||
Comment 20•4 years ago
|
||
Is this worth a mention in release notes for fx78? Please set the relnote-firefox flag to "?" in that case.
Release Note Request (optional, but appreciated)
[Why is this notable]: Disabling DHE ciphersuites could have a compatibility impact
[Affects Firefox for Android]: yes
[Suggested wording]: As part of our ongoing effort to deprecate obsolete cryptography, we have disabled all remaining DHE-based TLS ciphersuites by default.
[Links (documentation, blog post, etc)]:
|
|
||
Comment 22•4 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 23•4 years ago
•
|
||
Updated the site compatibility note.
Description
•