Closed Bug 1508390 Opened 6 years ago Closed 6 years ago

Update SSL ciphers on accounts.firefox.com and *.accounts.firefox.com

Categories: Cloud Services :: Server: Firefox Accounts, enhancement
Type: enhancement; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: jbuck, Unassigned

Details

This is a bug to track the progress of removing weak ciphers from TLS negotiation on accounts.firefox.com and *.accounts.firefox.com. Our primary blocker was a requirement to keep weak ciphers available for older versions of Samsung SBrowser until 2018-11-01. This date has now passed, so we can get this done!

You can set TLS 1.2 as the minimum TLS version.
Firefox supports TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 since 2014 (Firefox 27, bug 861266 + bug 937789).
Only TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 are needed as supported ciphersuites. No plain RSA please. TLS 1.3 would be nice to have. Thank you :)
https://www.hardenize.com/report/accounts.firefox.com/1547142095#www_tls
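The policy the comment above asks for (TLS 1.2 minimum, only the two ECDHE-RSA AEAD suites, no plain RSA key exchange), written out as a Python `ssl` server context, together with a small audit that flags IANA suite names violating the same rules. This is an added example, not code from Mozilla or the Firefox Accounts project; the `SCAN_SAMPLE` list is constructed to look like a scanner's cipher inventory and is not taken from the Hardenize report.

```python
"""Hardened TLS 1.2 policy from the bug, as an ssl.SSLContext, plus an audit of
IANA cipher suite names against the same rules. Added example, not project code."""
import ssl

# The two suites requested, in IANA spelling and in the OpenSSL cipher-string
# spelling that SSLContext.set_ciphers() expects.
WANTED_IANA = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
OPENSSL_CIPHER_STRING = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"

# Algorithm tokens that should never appear in an offered suite name.
LEGACY_TOKENS = ("NULL", "EXPORT", "RC4", "3DES", "MD5", "ANON")

# Constructed sample of what a scanner might list for a server before hardening.
SCAN_SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2 minimum, only the two ECDHE-RSA GCM suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(OPENSSL_CIPHER_STRING)
    return ctx


def tls12_suites(ctx: ssl.SSLContext) -> list:
    """OpenSSL names of the TLS 1.2 suites the context will accept.
    TLS 1.3 suites are fixed by the library and reported under 'TLSv1.3'."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def parse_iana(name: str) -> tuple:
    """Split TLS_<kex>[_<auth>]_WITH_<bulk cipher>_<mac> into (kex_auth, bulk)."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kex_auth, bulk = name[4:].split("_WITH_", 1)
    return kex_auth, bulk


def weaknesses(name: str) -> list:
    """Reasons a suite fails the policy; an empty list means it is acceptable."""
    kex_auth, bulk = parse_iana(name)
    problems = []
    # Ephemeral (EC)DH gives forward secrecy; RSA or static (EC)DH does not.
    if not kex_auth.startswith(("ECDHE_", "DHE_")):
        problems.append("no forward secrecy (static key exchange)")
    # Only AEAD bulk modes; CBC-with-HMAC suites are the ones being retired.
    if not any(tok in bulk for tok in ("GCM", "CHACHA20_POLY1305", "CCM")):
        problems.append("not AEAD (separate MAC)")
    for tok in LEGACY_TOKENS:
        if tok in name.upper():
            problems.append(f"legacy algorithm {tok}")
    return problems


def audit(offered: list) -> dict:
    """Map each offered suite that violates the policy to its list of reasons."""
    return {name: weaknesses(name) for name in offered if weaknesses(name)}


if __name__ == "__main__":
    print("server accepts:", tls12_suites(hardened_server_context()))
    for suite, why in audit(SCAN_SAMPLE).items():
        print(f"{suite}: {'; '.join(why)}")
```

`SSLContext.get_ciphers()` reports what the linked OpenSSL will actually negotiate for that context, so checking it is a cheap pre-deployment test that the cipher string did not silently pull in extra suites; the `audit` function applies the same rules to names seen in an external scan.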

This change has been deployed. We are using the 2016-08 ciphers from https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html. We'll evaluate how our clients perform before making changes like TLSv1.2 minimum version.

We haven't received any bug reports or complaints in a week, so I think we're in the clear.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED