Disabling SHA1 and RSA ciphers will give false sense of upgrade for the browser and add-ons
Categories: Firefox :: Security, defect
People: Reporter: bo0od, Unassigned
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
Go to about:config in Firefox 91.8.0esr and disable/turn off the following (same result when tested in normal FF and in Nightly FF):
SHA1:
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.rsa_aes_128_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.rsa_des_ede3_sha
RSA:
security.ssl3.rsa_aes_128_gcm_sha256
security.ssl3.rsa_aes_256_gcm_sha384
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
security.ssl3.ecdhe_rsa_aes_256_gcm_sha384
security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256
Related Issues:
#1725787
Actual results:
After that, if you have any outdated add-on or an outdated FF version, they won't be upgraded to the latest version, because it says there is no new version and I'm running the latest version.
Two main issues:
- FF/Mozilla servers don't use more/all secure ciphers in TLS 1.3/1.2.
- The FF/add-on internal auto-upgrade gives a false sense of safety when it can't connect to Mozilla servers due to a cipher compatibility issue.
Expected results:
- Upgrade FF/Mozilla servers to use more/all secure ciphers in TLS 1.3/1.2.
- Don't give a false-sense message if FF/add-ons can't connect to Mozilla servers.
I don't expect SHA1 and RSA to be kept in the near future, but why is a different topic.
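The failure mode described in this report (the update check cannot negotiate a cipher suite, yet Firefox reports "latest version") can be modelled offline. The following is an added example, not code from the bug or from Firefox: it maps the security.ssl3.* prefs to their IANA cipher suite names (a standard mapping assumed here, TLS 1.2 suites only, since TLS 1.3 suites are not pref-controlled), applies a user.js fragment built from the exact prefs the reporter disabled, and intersects the remaining suites with a constructed server suite list to decide whether the update server is reachable at all.

```python
import re

# Firefox pref name -> IANA cipher suite. Standard mapping assumed here (not from
# the bug); these are TLS 1.2 suites only, TLS 1.3 suites have no such prefs.
PREF_TO_SUITE = {
    "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "security.ssl3.ecdhe_ecdsa_aes_128_sha": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.ecdhe_ecdsa_aes_256_sha": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.ecdhe_rsa_aes_256_gcm_sha384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "security.ssl3.ecdhe_rsa_aes_128_sha": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.ecdhe_rsa_aes_256_sha": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.rsa_aes_128_gcm_sha256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "security.ssl3.rsa_aes_256_gcm_sha384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "security.ssl3.rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "security.ssl3.rsa_aes_256_sha": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "security.ssl3.rsa_des_ede3_sha": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
PREF_RE = re.compile(r'user_pref\("(security\.ssl3\.[a-z0-9_]+)",\s*(true|false)\);')

def enabled_suites(user_js):
    """TLS 1.2 suites still enabled after applying user.js overrides (default: all on)."""
    enabled = set(PREF_TO_SUITE.values())
    for pref, value in PREF_RE.findall(user_js):
        if value == "false":
            enabled.discard(PREF_TO_SUITE.get(pref))
    return enabled

def update_check_verdict(user_js, server_suites):
    """'reachable' if a TLS 1.2 handshake can still succeed, else an explicit error.
    The point of the bug: an empty intersection must surface as a connection
    failure, never as 'you are running the latest version'."""
    common = enabled_suites(user_js) & set(server_suites)
    if common:
        return "reachable"
    return "unreachable: no cipher suite in common with the update server"

# Constructed sample: the twelve prefs the reporter disabled, as a user.js fragment
# (everything except the three ECDHE_ECDSA AEAD suites).
SAMPLE_USER_JS = "\n".join(
    f'user_pref("{p}", false);' for p in PREF_TO_SUITE
    if "ecdsa" not in p or p.endswith("_sha"))
# Constructed sample: an RSA-certificate server offering only ECDHE_RSA GCM suites.
SAMPLE_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    print(sorted(enabled_suites(SAMPLE_USER_JS)))  # only the ECDHE_ECDSA AEAD suites remain
    print(update_check_verdict(SAMPLE_USER_JS, SAMPLE_SERVER))
```

With the reporter's settings only ECDHE_ECDSA suites remain, so any TLS 1.2 server with an RSA certificate (the common case) cannot be reached; the comment in Updated below notes the addons server also offers TLS 1.3, so this model does not by itself explain every observation in the bug.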
Comment 1 • 3 years ago
The severity field is not set for this bug.
:sgalich, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2 • 3 years ago
I've managed to reproduce this issue on Firefox 99 and Firefox ESR 91.8 on Windows 10 x64 by turning off the SHA1 and RSA prefs mentioned in Comment 0. Once the prefs are turned back on, the issue is not reproducible anymore.
It's worth mentioning that this is not reproducible on Nightly 101.0a1 or other earlier versions.
Setting this as NEW to have the developer's opinion about it.
Updated • 3 years ago
Although it appears that the addons server supports TLS 1.3, the observed behavior (Two main issues) remains consistent as described above.