Open Bug 665859 Opened 10 years ago Updated 5 months ago

Change default of security.ssl.treat_unsafe_negotiation_as_broken to true

Categories

(Core :: Security: PSM, defect, P5)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

People

(Reporter: KaiE, Unassigned)

References

(Depends on 2 open bugs, Blocks 2 open bugs)

Details

(Whiteboard: [psm-backlog]) 

Regarding CVE-2009-3555, I think the time has come to go one step further.
Let's drop security indicators (identity button) if a site is unpatched.

This is already implemented. This behaviour can be changed by flipping a preference. The identity button will indicate a plain page, and page info will indicate a page with mixed content.

security.ssl.treat_unsafe_negotiation_as_broken currently defaults to false.

I propose to change the default to true.
Blocks: 535649
What percentage (roughly) of SSL sites will this break the security indicators for?

Gerv
(In reply to comment #1)
> What percentage (roughly) of SSL sites will this break the security
> indicators for?

According to http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-and-vulnerable-sites the overall percentage of unpatched servers is:

45 %
I think it is highly unlikely that we would make a change which removes the SSL indicators from Facebook, Amazon and Yahoo.

I'm not sure how we can apply more pressure to get people to fix this, but breaking half the SSL web in our browser isn't it IMO.

Gerv
Duplicate of this bug: 903397
(In reply to Kai Engert (:kaie) from comment #2)
> According to
> http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-
> and-vulnerable-sites the overall percentage of unpatched servers is:
> 
> 45 %

Is there any new/more recent Data avaiable as of now?
(In reply to XtC4UaLL [:xtc4uall] from comment #5)
> Is there any new/more recent Data avaiable as of now?

https://www.trustworthyinternet.org/ssl-pulse/
Renegotiation Support:
Secure renegotiation 133,476 87.1%
Insecure renegotiation 7,340 4.8%
Both 2,059 1.3%
No support 10,382 6.8%

Survey is of top 200k SSL supporting sites.
(In reply to Dave Garrett from comment #6)
> Survey is of top 200k SSL supporting sites.

Well, that's what it says on the page anyway. It appears that survey is of a bit over 150k, based on those numbers.
I would like to continue here:

Secure renegotiation 136,161 92.8%
Insecure renegotiation 3,944 2.7%
Both 1,454 1%
No support 5,149 3.5%

I'm using security.ssl.require_safe_negotiation now for a while and I don't have that much problems.
I think it's a good time to change, since we also land other warnings for SHA-1, RC4, SSL3, DHE < 1024 etc.
Depends on: 1122695
Blocks: 1029832
Depends on: 883674
Component: Security: UI → Security: PSM
Whiteboard: [psm-backlog]
Depends on: 1305561
6 years now. It is time to stop pretending websites are secure by showing non-degraded security indicator. Flip security.ssl.treat_unsafe_negotiation_as_broken to true.
Depends on: 1353705
Blocks: 1353705
No longer depends on: 1353705
https://www.ssllabs.com/ssl-pulse/ indicates that this is still an issue of significant magnitude, at least in their survey.  I think that we'd need a shield study for this.

https://www.ssllabs.com/ssl-pulse/ now says 0.3% (463 sites) have insecure negotiation and 0.1% (163 sites) have "both".
Is that significant, or is it similar to https://bugzilla.mozilla.org/show_bug.cgi?id=665859#c10 ?

Rather than a shield study (or perhaps as well), would it make sense for security.ssl.require_safe_negotiation==FALSE to show some sort of warning of problem sites ? At present there is little to alert site admins to this issue, unless someone happens to set this flag.

https://www.ssllabs.com/ssltest/analyze.html?d=un.org&s=157.150.185.49

https://www.ssllabs.com/ssl-pulse/

Monthly Scan: June 03, 2020
Total sites surveyed: 139,071
Secure renegotiation: 137,396 98.8%
Insecure renegotiation: 288 0.2%
Both: 110 0.1%
No support: 1,277 0.9%

You need to log in before you can comment on or make changes to this bug.