Closed
Bug 1499759
Opened 6 years ago
Closed 6 years ago
Prefer other ciphers over 3DES
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 1227524
People
(Reporter: mat.jonczyk, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

Steps to reproduce:

I visited the website ppuslugi.mf.gov

As can be seen on https://www.ssllabs.com/ssltest/analyze.html?d=ppuslugi.mf.gov.pl this website (as of the time of writing) prefers the 3DES cipher:

# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

Actual results:

Firefox connected to the website over 3DES, as can be seen in Page Info -> Security tab.

Expected results:

Firefox should have used the AES cipher, either AES128 or AES256 variant.

As can be read on https://sweet32.info/#impact

- Web servers and VPNs should be configured to prefer 128-bit ciphers. According to our scans, about 1.1% of the top 100k web server from Alexa, and 0.5% of the top 1 million, support AES but prefer to use 3DES.
- Web browsers should offer 3DES as a fallback-only cipher, to avoid using it with servers that support AES but prefer 3DES.
Updated • 6 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Comment 2 (Reporter) • 6 years ago
I propose that Firefox would use 3DES only as a last resort - i.e. that it would ignore the server-preferred cipher order and not use 3DES when the server supports other, better ciphers (like AES). But when the server supports only 3DES (or if 3DES is the best cipher that the server can offer), Firefox would use it. This way, website compatibility problems could be avoided. This was the intent of the bug from the beginning - please excuse me for not writing clearly before. So, please remove the DUPLICATE tag.
Whatever we do regarding deprecating 3DES we can do in the bug we already have.
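Added example (not Firefox or NSS code, and not part of any comment above): a small model of why one ClientHello that lists 3DES lets this server pick it, and how the "fallback-only" behaviour quoted from sweet32.info yields AES instead. The server order is the one quoted in the report; the client offer list and all function names are assumptions made for illustration.

```python
# Model of TLS cipher-suite selection. The server enforces its own order, so a
# client cannot "ignore" that order within one handshake: it can only leave the
# weak suite out of its first offer and add it back in a second attempt.

TRIPLE_DES = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

# Server-preferred order as listed in the report (SSL Labs output).
SERVER_PREF = [
    TRIPLE_DES,
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Hypothetical client offer (constructed for this example).
CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    TRIPLE_DES,
]


def server_select(client_offer, server_pref):
    """Return the first suite in the server's order that the client offered."""
    for suite in server_pref:
        if suite in client_offer:
            return suite
    return None  # no common suite: the handshake fails


def single_hello(client_offer, server_pref):
    """One handshake with every enabled suite offered; the server decides."""
    return server_select(client_offer, server_pref)


def fallback_only(client_offer, server_pref, weak=frozenset({TRIPLE_DES})):
    """Offer weak suites only after an attempt without them has failed.

    Returns (negotiated_suite, attempts_made).
    """
    strong = [s for s in client_offer if s not in weak]
    chosen = server_select(strong, server_pref)
    if chosen is not None:
        return chosen, 1
    # Second attempt: the full list, so 3DES-only servers still work.
    return server_select(client_offer, server_pref), 2
```

The second attempt is also reachable by anyone on the network path who can make the first handshake fail, so a retry of this kind needs the same downgrade scrutiny as any other fallback.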