Update SSL ciphers on accounts.firefox.com and *.accounts.firefox.com
Categories: Cloud Services :: Server: Firefox Accounts, enhancement
Tracking: Not tracked
People: Reporter: jbuck, Unassigned
This is a bug to track the progress of removing weak ciphers from TLS negotiation on accounts.firefox.com and *.accounts.firefox.com. Our primary blocker was a requirement to keep weak ciphers available for older versions of Samsung SBrowser until 2018-11-01. This date has now passed, so we can get this done!
Comment 1•6 years ago
You can set TLS 1.2 as minimum TLS version.
Firefox supports TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 since 2014 (Firefox 27, bug 861266 + bug 937789).
Only TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 are needed as supported ciphersuites. No plain RSA please. TLS 1.3 would be nice to have. Thank you :)
https://www.hardenize.com/report/accounts.firefox.com/1547142095#www_tls
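An added example, not part of the bug thread or of any Mozilla tooling: a name-based audit of a TLS policy against the recommendation in Comment 1. It generalizes the two suites named there to "ephemeral key exchange plus AEAD"; that reading, the OpenSSL-style cipher names, and the sample policy are assumptions constructed for illustration.

```python
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}   # Comment 1: TLS 1.2 as minimum
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")    # AEAD modes in OpenSSL cipher names
FS_PREFIX = re.compile(r"^(ECDHE|DHE)-")     # ephemeral (forward-secret) key exchange

def classify(name):
    """Classify an OpenSSL-style cipher name for an RSA-certificate server."""
    if name.startswith("TLS_"):              # TLS 1.3 suites: always ephemeral + AEAD
        return {"forward_secret": True, "aead": True}
    return {
        "forward_secret": bool(FS_PREFIX.match(name)),
        "aead": any(marker in name for marker in AEAD_MARKERS),
    }

def audit(policy):
    """Return (item, reason) findings for everything weaker than the recommendation."""
    findings = [(p, "protocol below TLS 1.2")
                for p in policy["protocols"] if p not in ALLOWED_PROTOCOLS]
    for name in policy["ciphers"]:
        props = classify(name)
        if not props["forward_secret"]:
            findings.append((name, "plain RSA key exchange (no forward secrecy)"))
        if not props["aead"]:
            findings.append((name, "non-AEAD cipher (CBC or stream mode)"))
    return findings

def compliant_ciphers(policy):
    """Ciphers that already satisfy both criteria and can stay enabled."""
    return [c for c in policy["ciphers"] if all(classify(c).values())]

# Constructed sample policy (not an exact copy of any vendor's predefined policy).
SAMPLE_POLICY = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA",
        "AES128-GCM-SHA256", "AES128-SHA",
    ],
}

if __name__ == "__main__":
    for item, reason in audit(SAMPLE_POLICY):
        print(f"{item:32} {reason}")
    print("keep:", compliant_ciphers(SAMPLE_POLICY))
```

Names with other key-exchange prefixes (PSK, SRP, anonymous DH) are outside what this classifier handles and would be reported as plain RSA.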
Comment 2•6 years ago (Reporter)
This change has been deployed. We are using the 2016-08 ciphers from https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html . We'll evaluate how our clients perform before making changes like TLSv1.2 minimum version.
Comment 3•6 years ago (Reporter)
We haven't received any bug reports or complaints in a week, so I think we're in the clear.
Comment 4•6 years ago
YAY!