Remove TLS 1.3 support.
Categories: Core :: Security: PSM, defect
People: Reporter: u677327, Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Checked the supported protocols.
Actual results:
I found that TLS 1.3 is supported.
Expected results:
TLS 1.3 support should be removed because it’s less secure than TLS 1.2.
- It has an insecure handshake called 0-RTT that allows replay attacks and will likely lead to vulnerabilities in the confidentiality of data.
- It includes a 64-bit security strength cipher of TLS_AES_128_GCM_SHA256 which is insecure and it’s difficult for most users to disable.
- Persistent session identifiers are not supported, which are the strongest method for preventing session hijacking. The state media conspiracy theory against them is that they're used for tracking, but the solution is to stop visiting websites that track you, not disable important security features. The motivation behind the lack of support is likely to benefit the NSA’s QUANTUM-INSERT hacking program.
- DHE key exchange is not supported, which is more secure than ECDHE and more trusted than the backdoor’d NIST curves used for ECDHE. The state media conspiracy theory against it is that improper implementation is insecure, but that applies to all cryptography. The motivation behind the lack of support is likely to benefit the NSA’s BULLRUN decryption program.
These issues show that the 9-figure influence operations of the NSA to weaken security standards are having more success than in previous years and that standards organizations can’t be trusted.
This bug will likely be prematurely closed due to the powerful media efforts against secure encryption but I’m sure it will be reopened in the future.
Comment 1•5 years ago
A web browser like Firefox doesn't work in isolation -- it's useless if there are no servers to visit. Browsers and servers have to agree on the protocols, and thus standards. Firefox has little choice but to implement the standards that are agreed to and others implement, and though we can argue for specific changes while they are in the process of being standardized we don't always get our way. We were only able to unilaterally remove support for SSLv3 years too late because a serious practical attack was demonstrated, and there were enough servers supporting newer versions of TLS that this was a practical choice -- though it did break our users' ability to get to many websites for a while. Similarly, even though similar shortcomings were known in TLS 1.0 it was only possible to deprecate support for that through a years-long industry coordination effort this past summer.
If changes are needed in TLS 1.3 the best forum for that is the IETF standards body (https://ietf.org/blog/tls13/). Members of that forum come from around the world and respond quickly when shortcomings are demonstrated. Or alternatively, a good public demonstration gets wide press and action, as demonstrated through the POODLE, BEAST, and similar.
You can disable TLS 1.3 by opening about:config and setting the preference security.tls.version.max to 3. This can also be set via Group Policy in an enterprise installation. Unfortunately as long as that is the standard and actively used by websites our users want to visit we will need to support it by default, unless the standard changes or practical attacks are demonstrated that encourage web servers to migrate to a different protocol.
Sorry to fulfill your last-sentence prophecy, but this is a practical choice for interoperability and not because of "powerful media efforts".
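As an added example (not code from the thread or from Mozilla), a small Python audit that reads the security.tls.version.min/max preferences out of a Firefox prefs.js or user.js and flags a profile where the workaround described in the comment above has disabled TLS 1.3. The integer codes are Firefox's own (1 = TLS 1.0 through 4 = TLS 1.3); the defaults assumed when a pref is absent and the sample prefs.js content are constructed assumptions.

```python
import re

# Firefox encodes TLS versions as small integers in security.tls.version.{min,max}.
TLS_VERSION_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Assumed defaults when a pref is absent from the profile: TLS 1.3 is enabled
# by default (as the thread states), and the minimum is assumed to be TLS 1.2.
DEFAULT_MIN = 3
DEFAULT_MAX = 4

# Matches lines such as: user_pref("security.tls.version.max", 3);
PREF_RE = re.compile(
    r'^\s*user_pref\("(security\.tls\.version\.(?:min|max))",\s*(\d+)\);'
)


def parse_tls_prefs(prefs_text):
    """Return {pref_name: int} for the TLS version prefs found in prefs.js/user.js text."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))  # a later line overrides an earlier one
    return found


def tls_version_range(prefs_text):
    """Return (lowest, highest) TLS version names the profile will negotiate."""
    prefs = parse_tls_prefs(prefs_text)
    lo = prefs.get("security.tls.version.min", DEFAULT_MIN)
    hi = prefs.get("security.tls.version.max", DEFAULT_MAX)
    return (TLS_VERSION_NAMES.get(lo, f"unknown({lo})"),
            TLS_VERSION_NAMES.get(hi, f"unknown({hi})"))


def audit_tls_prefs(prefs_text):
    """List findings a reviewer would want to see: TLS 1.3 disabled, legacy versions allowed."""
    prefs = parse_tls_prefs(prefs_text)
    lo = prefs.get("security.tls.version.min", DEFAULT_MIN)
    hi = prefs.get("security.tls.version.max", DEFAULT_MAX)
    findings = []
    if hi < 4:
        findings.append(f"TLS 1.3 disabled: security.tls.version.max={hi}")
    if lo < 3:
        findings.append(f"legacy protocol allowed: security.tls.version.min={lo}")
    if lo > hi:
        findings.append("min > max: no TLS version can be negotiated")
    return findings


# Constructed sample: a profile where the about:config workaround from the thread was applied.
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.max", 3);
'''
```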