Closed Bug 1576790 Opened 5 years ago Closed 5 years ago

Enable TLS downgrade sentinel detection

Categories

(Core :: Security: PSM, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- fixed

People

(Reporter: mt, Assigned: mt)

Details

(Whiteboard: [psm-backlog] [sci-exclude])

Attachments

(1 file)

The downgrade check in TLS 1.3 is an important part of the protocol, providing a safeguard against attacks that exploit our willingness to negotiate older versions of the protocol.

We disabled this feature out of caution in the initial TLS 1.3 deployment. We knew that some middleboxes were forwarding TLS ServerHello messages, but then negotiating TLS 1.2. Enabling the check would have broken in those cases where the certificate used by the middlebox was in the trust store.

We've been running this in Nightly for a while and have seen no problems. Our telemetry doesn't record a good value for this, but I'm seeing absolutely no reports of the error that we would expect to receive (bucket 3 on SSL_TLS1[23]_INTOLERANCE_REASON_P{OST|RE} or SSL_VERSION_FALLBACK_INAPPROPRIATE).

Chrome are in the process of re-enabling the check, and report 0.02% breakage as a result. Apple also report no issues from the Catalina beta.

Therefore, I'm going to propose that for Firefox 71 we turn the feature on for everyone. security.tls.hello_downgrade_check can be set to true by default.

Priority: -- → P2
Whiteboard: [psm-backlog]
Whiteboard: [psm-backlog] → [psm-backlog] [sci-exclude]

This change enables the version downgrade sentinel across all channels. We
don't have good telemetry on this, but Chrome reports 0.02%, which is low enough
to just make the change without additional validation on our end.

This only really affects intercepting middleboxes that forward the real server's
ServerHello.random. That's a terrible idea, and, as above, the evidence
suggests that this is now rare enough to have those boxes break connections.
The pref will remain for those cases where problems persist.
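
The check discussed in this bug, as an added example that is not Firefox or NSS code and not part of the thread: a model of the RFC 8446 section 4.1.3 sentinel rule, showing why a client offering TLS 1.3 aborts when a TLS 1.2 ServerHello carries the real server's `ServerHello.random`. The function names are hypothetical, the middlebox scenario is a constructed model, and `check_enabled` stands in for the `security.tls.hello_downgrade_check` pref.

```python
import os

# Sentinels from RFC 8446 section 4.1.3: the last 8 bytes of ServerHello.random.
DOWNGRADE_TO_TLS12 = b"DOWNGRD\x01"  # TLS 1.3 server that negotiated TLS 1.2
DOWNGRADE_TO_TLS11 = b"DOWNGRD\x00"  # server that negotiated TLS 1.1 or below
TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304  # wire version numbers


def server_random(server_max: int, negotiated: int) -> bytes:
    """ServerHello.random as a compliant server with this maximum version builds it."""
    rnd = bytearray(os.urandom(32))
    if server_max >= TLS13 and negotiated == TLS12:
        rnd[24:] = DOWNGRADE_TO_TLS12
    elif server_max >= TLS12 and negotiated <= TLS11:
        rnd[24:] = DOWNGRADE_TO_TLS11
    return bytes(rnd)


def downgrade_detected(client_max, negotiated, random, check_enabled=True):
    """True when the client must abort the handshake with illegal_parameter."""
    if len(random) != 32:
        raise ValueError("ServerHello.random is always 32 bytes")
    if not check_enabled:  # models security.tls.hello_downgrade_check = false
        return False
    tail = random[24:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (DOWNGRADE_TO_TLS12, DOWNGRADE_TO_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == DOWNGRADE_TO_TLS11
    return False


def scenarios():
    """Constructed cases; the client always offers TLS 1.3."""
    # Middlebox case (assumed model): the box offers at most TLS 1.2 upstream, so
    # the TLS 1.3-capable origin marks its random, and the box copies that random
    # into its own TLS 1.2 ServerHello towards the client.
    forwarded = server_random(TLS13, TLS12)
    return {
        "direct_tls13": downgrade_detected(TLS13, TLS13, server_random(TLS13, TLS13)),
        "tls12_only_server": downgrade_detected(TLS13, TLS12, server_random(TLS12, TLS12)),
        "middlebox_forwards_random": downgrade_detected(TLS13, TLS12, forwarded),
        "same_with_pref_false": downgrade_detected(TLS13, TLS12, forwarded, check_enabled=False),
    }


if __name__ == "__main__":
    for name, aborted in scenarios().items():
        print(f"{name}: {'abort' if aborted else 'continue'}")
```

A genuine TLS 1.2-only server never sets the sentinel, so only the forwarding middlebox and a real downgrade trip the check.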

Pushed by mthomson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/df10f6e28030 Enable version downgrade sentinel in TLS, r=keeler
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Assignee: nobody → mt

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Sounds like this needs a Beta uplift request per #c0.

I think that we are OK with waiting for another release on this. We've just had reports of problems in bug 1590870, so accelerating this through to Beta and Release probably isn't the best choice. We haven't made any commitments, so we can afford to be "flexible" (i.e., allow those on-path attackers their freedom to make bad decisions) a little longer.

Flags: needinfo?(mt)
Regressions: 1590870