Disable TLS 1.0 and 1.1 by default in Firefox 78
Categories
(Core :: Security: PSM, task)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox77 | --- | unaffected |
firefox78 | --- | verified |
firefox79 | --- | verified |
People
(Reporter: mt, Assigned: mt)
Details
(Keywords: site-compat)
Attachments
(1 file)
47 bytes, text/x-phabricator-request | jcristau: approval-mozilla-release+
The code currently keeps TLS 1.0 enabled in release versions. That's not good, because we planned to not have that in 78.
Comment 1•4 years ago (Assignee)
Pushed by mthomson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a53f3bd24c2c Disable TLS 1.0 in release channels, r=keeler
Comment 3•4 years ago (Assignee)
Comment on attachment 9154073 [details]
Bug 1643229 - Disable TLS 1.0 in release channels, r?keeler
Beta/Release Uplift Approval Request
- User impact if declined: Users get TLS 1.0 a little longer, which is likely better for compatibility, but not that great for their security. As we have agreed with other browsers to deprecate this protocol, and told them that it was happening in Firefox 78, it would not be good if this were declined.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce: https://tls-v1-0.badssl.com:1010/
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The web compatibility risk is fairly significant here. We have a mechanism to re-enable the protocol with one click. That mechanism is good but not perfect. It fails to capture the case where a subresource is blocked due to the change, but we have only seen one case where this was a problem and that has since been fixed on the server end.
- String changes made/needed: None
Comment 4•4 years ago
Being first movers on this seems like a risky thing to do. What's the reason for doing this in 78 rather than 79?
Comment 5•4 years ago
bugherder
Comment 6•4 years ago
[Tracking Requested - why for this release]: The Firefox 78 uplift request is requested but not merged yet.
Comment 7•4 years ago
Comment on attachment 9154073 [details]
Bug 1643229 - Disable TLS 1.0 in release channels, r?keeler
Per Wennie, approved for 78 rc1.
Comment 8•4 years ago
bugherder uplift
Comment 9•4 years ago
The issue is verified fixed using Fx78.0RC and Fx79.0a1 on Windows 10, Ubuntu 18.04 and macOS 10.14. TLS 1.0 and 1.1 are disabled by default. Please note that no issues regarding the TLS disable have come up during our web-compat testing for the RC validation.