Bug 901393 (tls-everything)

[TRACKER] TLS/SSL support for all Mozilla properties, with proper protocol and cipher suite choices

ASSIGNED
Assigned to

Status

task
ASSIGNED
6 years ago
Last month

People

(Reporter: ulfr, Assigned: April)

Tracking

(Depends on 10 bugs, Blocks 2 bugs)

Details

()

Attachments

(5 attachments)

Reporter

Description

6 years ago
Tracking bug for the review of SSL enabled servers across the board.
Reporter

Comment 1

6 years ago
Some stats:
 - 1153 mozilla sites support SSL
preferred ciphersuites are:
 - 1073 RC4-SHA
 - 17 RC4-MD5
 - 54 DHE-RSA-AES256-SHA
 - 3 AES128-GCM-SHA256
 - 1 EDH-RSA-DES-CBC3-SHA
(and 5 lookup failures)

Note that some results, such as AES128-GCM-SHA256, come from CDNs we use and terminate the SSL.
Reporter

Comment 2

6 years ago
Posted file results.csv
Test of 2995 mozilla domains, 1153 of which have SSL enabled on port 443.
The 2nd column is the 1st preferred ciphersuite, the 3rd column is the 2nd preferred ciphersuite.
Reporter

Updated

6 years ago
Depends on: 904077
Reporter

Comment 3

6 years ago
Citrix's Netscaler has added TLS1.2, waiting on a stable v11 to deploy it. ECDHE is on their roadmap.

Need to add conf recommendation for Netscaler to the mana page.
Reporter

Updated

6 years ago
Depends on: 914065
Reporter

Updated

6 years ago
Group: infrasec
Brian Smith has been doing some work on which ciphersuites we _should_ prefer in Firefox, and I assume that also carries over to the server side. See the discussion in mozilla.dev.security.

Gerv
Reporter

Comment 5

6 years ago
Yep, I've been following the thread from the start, and found a good amount of useful information in there. But the AES landscape is changing, and it seems that BEAST might not be as big of an issue anymore.

That, and the security levels provided by AES-256 vs AES-128, will influence the next version of the recommended ciphersuite. I suspect it will be very close to the one proposed by Brian. The major difference being that we don't want to disable too many ciphers, we just want to put them further down the list.
Reporter

Comment 6

6 years ago
Added PFS keysize detection to cipherscan:

$ ./CiphersScan.sh www.mozilla.org:443
prio  ciphersuite           protocol  pfs_keysize
1     RC4-SHA               TLSv1.1
2     RC4-MD5               TLSv1.1
3     AES256-SHA            TLSv1.1
4     DHE-RSA-AES256-SHA    TLSv1.1   DH,1024bits
5     DES-CBC3-SHA          TLSv1.1
6     EDH-RSA-DES-CBC3-SHA  TLSv1.1   DH,1024bits
7     AES128-SHA            TLSv1.1
8     DHE-RSA-AES128-SHA    TLSv1.1   DH,1024bits
9     (NONE)



$ ./CiphersScan.sh login.persona.org:443
prio  ciphersuite         protocol  pfs_keysize
1     DHE-RSA-AES256-SHA  TLSv1     DH,1024bits
2     AES256-SHA          TLSv1
3     CAMELLIA256-SHA     TLSv1
4     DHE-RSA-AES128-SHA  TLSv1     DH,1024bits
5     AES128-SHA          TLSv1
6     CAMELLIA128-SHA     TLSv1
7     RC4-SHA             TLSv1
8     (NONE)



$ ./CiphersScan.sh minion-dev.mozillalabs.com:443
prio  ciphersuite                  protocol  pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2   ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2   ECDH,P-256,256bits
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2   DH,2048bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2   DH,2048bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2   ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1.2   ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2   ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1.2   ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2   DH,2048bits
10    DHE-RSA-AES128-SHA           TLSv1.2   DH,2048bits
11    DHE-RSA-AES256-SHA256        TLSv1.2   DH,2048bits
12    AES128-GCM-SHA256            TLSv1.2
13    AES256-GCM-SHA384            TLSv1.2
14    ECDHE-RSA-RC4-SHA            TLSv1.2   ECDH,P-256,256bits
15    RC4-SHA                      TLSv1.2
16    DHE-RSA-AES256-SHA           TLSv1.2   DH,2048bits
17    DHE-RSA-CAMELLIA256-SHA      TLSv1.2   DH,2048bits
18    AES256-SHA256                TLSv1.2
19    AES256-SHA                   TLSv1.2
20    CAMELLIA256-SHA              TLSv1.2
21    DHE-RSA-CAMELLIA128-SHA      TLSv1.2   DH,2048bits
22    AES128-SHA256                TLSv1.2
23    AES128-SHA                   TLSv1.2
24    CAMELLIA128-SHA              TLSv1.2
25    (NONE)
Reporter

Updated

6 years ago
Depends on: 922060
Reporter

Updated

6 years ago
Depends on: 922299
Reporter

Comment 8

6 years ago
Made public today at https://wiki.mozilla.org/Security/Server_Side_TLS
Hacker New discussion follows: https://news.ycombinator.com/item?id=6549962
Group: mozilla-corporation-confidential
Reporter

Updated

6 years ago
Depends on: 927336
Reporter

Comment 10

6 years ago
Some ciphers scanning results

* 'AllMozillaScan-20131120.txt' is a list of 911 Mozilla domains with their ciphers preferences.

* Based on the list above, and using the ciphers pref as a fingerprint, 'ZLB_websites.txt' is a list of 786 websites that are terminated on the ZLBs. Generated with:
    pcregrep -M "^===.+\n^prio.+\n1\s+DHE-RSA-AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n2\s+DHE-RSA-AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n3\s+AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\n4\s+AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\n5\s+RC4-SHA\s+SSLv3,TLSv1,TLSv1.1" AllMozillaScan-20131120.txt | grep -E "^===" | awk '{print $2}' > ZLB_websites.txt

* 'Non_ZLB_websites.txt' is the inverse of the list above, and contains 125 websites that are not hosted behind the ZLBs. Generated with:
    pcregrep -v -M "^===.+\n^prio.+\n1\s+DHE-RSA-AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n2\s+DHE-RSA-AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n3\s+AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\n4\s+AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\n5\s+RC4-SHA\s+SSLv3,TLSv1,TLSv1.1" AllMozillaScan-20131120.txt | grep -E "^===" | awk '{print $2}' > Non_ZLB_websites.txt

I'm particularly interested in the Non-ZLB websites. I'll dig through these in the future. It would be good to know exactly where they live and how they are maintained.
Reporter

Comment 12

6 years ago
Posted file ZLB_websites.txt
Reporter

Comment 13

6 years ago
Reporter

Updated

6 years ago
Depends on: 956714
Reporter

Updated

5 years ago
Duplicate of this bug: 998820
Reporter

Updated

5 years ago
Depends on: 999395
Reporter

Updated

5 years ago
Depends on: 910752
Reporter

Updated

5 years ago
Depends on: 882317
Reporter

Updated

5 years ago
Depends on: 1000952

Comment 15

5 years ago
I'm still wondering and scarred why it takes so much time to change the ciphersuites.
a) it's security and privacy related (passwords, emails, data reports...)!
b) Mozilla has in comparison to other big networks a quite bad configuration
c) I'm sure, it's a huge work to change it on every server, but one year is much time. I know that I can't compare this, but on smaller networks where I'm involved it takes us just a few hours.
d) On our network it was a big discussion about RC4, BEAST, fallbacks for older browsers, Forward Secrecy, but before you discuss the details, it would be good to activate secure ciphers and TLS 1.2. If there are still some issues than just on pages with sensitive informations. This would improve the security for modern browsers a lot. And you got still the fallbacks. And then a discussion about different security areas and the advantages and disadvantages between different ciphers.
Reporter

Comment 16

5 years ago
Yes, upgrading major infrastructures components is *that* hard. But we're making progress, and OCSP Stapling is now enabled on mozilla.org.
Status: NEW → ASSIGNED
Reporter

Comment 17

5 years ago
I updated the guidelines today to deprecate RC4 for good. We'll use 3DES for backward compatible sites.
I also added a non-backward compatible ciphersuite that enforces PFS.

Next step is to add certificates guidelines.
Reporter

Updated

5 years ago
Depends on: 1064387
Reporter

Updated

5 years ago
Depends on: 1077557
Reporter

Updated

5 years ago
Depends on: 1077566
Reporter

Updated

5 years ago
Depends on: 1077634
Reporter

Updated

5 years ago
Depends on: 1081953
Reporter

Updated

5 years ago
Depends on: 927045
Reporter

Updated

5 years ago
Depends on: 889749
Reporter

Updated

5 years ago
Depends on: 1117888
Group: mozilla-employee-confidential
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
Version: other → unspecified
Group: mozilla-employee-confidential

Comment 18

4 years ago
Do we already have a bug for HSTS and HPKP on (all) Mozilla sites?
If we would implement preloaded HSTS, we could remove the HTTP redirect on some relevant hosts. Modern browsers would still connect over https and older clients can still connect over http (the redirect is insecure anyway) and get redirected over JS/meta refresh (if necessary/possible), based on their UA.
This would solve the issue, that old clients can't connect to mozzilla.org to download Firefox, when they can't handle modern encryption/certificates. At the same time we can provide strong encryption, that is not vulnerable to any downgrade attack for modern browsers.
(This problematic was discussed in bug 1068949, in the context of (not) replacing weak SHA-1 certificates.)
Reporter

Comment 19

4 years ago
:sjw - the plan for supporting old clients must include HTTPS support. We're doing some work in that area that I'm hoping we can announce in the following weeks.
HSTS is gradually being deployed. HPKP will have to wait a bit since we may use letsencrypt on a few sites and we don't want to be tied to a pining just yet. I don't believe we have bugs to track those.
Reporter

Comment 20

4 years ago
I'm returning this tracker to the community pool. Feel free to pick it up if you're interested in tracking progress.
Assignee: jvehent → nobody
Status: ASSIGNED → NEW
Assignee: nobody → april
Status: NEW → ASSIGNED
Assignee

Updated

3 years ago
Depends on: 1246970
Assignee

Updated

3 years ago
Depends on: 1262243
Assignee

Updated

3 years ago
Depends on: 1249140
Assignee

Updated

3 years ago
Summary: [TRACKER] SSL/TLS ciphersuites recommendation & fix → [TRACKER] TLS/SSL support for all Mozilla properties, with proper protocol and cipher suite choices

Updated

3 years ago
See Also: → 1309993
Assignee

Updated

3 years ago
Depends on: 1302420
Assignee

Updated

3 years ago
Depends on: 1310340
Assignee

Updated

3 years ago
Depends on: 1282128
Assignee

Updated

3 years ago
Alias: https-everything
Assignee

Updated

3 years ago
Alias: https-everything → tls-everything
Assignee

Updated

3 years ago
Duplicate of this bug: 1068762
Assignee

Updated

3 years ago
Depends on: 1310301

Updated

2 years ago
Depends on: 1334539

Updated

2 years ago
Depends on: 1338581

Updated

2 years ago
Depends on: 1343272
Depends on: 1306368
Blocks: 1246672
No longer depends on: 1282128
Assignee

Updated

2 years ago
Depends on: 1365378
Assignee

Updated

2 years ago
Depends on: 1403643
Assignee

Updated

2 years ago
Depends on: 1407779
Assignee

Updated

2 years ago
Blocks: 1351516

Comment 22

Last year
click.e.mozilla.org is missing in the attached lists. This HTTP-host is still preferring RC4, 3DES and non-FS ciphers.

Updated

Last year
Depends on: 1466919
Assignee

Updated

Last year
Depends on: 1468393
Depends on: 1475430
Depends on: 1475432
How about download.cdn.mozilla.net? Still available (and accessed according to the provider) over plain HTTP.
Reporter

Comment 24

7 months ago
(In reply to Daniel Stenberg [:bagder] from comment #23)
> How about download.cdn.mozilla.net? Still available (and accessed according
> to the provider) over plain HTTP.

This is a special case being discussed at https://bugzilla.mozilla.org/show_bug.cgi?id=1444399.

Updated

2 months ago
Depends on: 1549125

Updated

2 months ago
Depends on: 1549127

Updated

Last month
Depends on: 1551949

Updated

Last month
Depends on: 1551955

Updated

Last month
Depends on: 1551958

Updated

Last month
Depends on: 1551960

Updated

Last month
Depends on: 1551967
You need to log in before you can comment on or make changes to this bug.