Closed Bug 901393 (tls-everything) Opened 11 years ago Closed 4 years ago

[TRACKER] TLS/SSL support for all Mozilla properties, with proper protocol and cipher suite choices

Categories

(Security Assurance :: General, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: jvehent, Assigned: April)

References

(Depends on 1 open bug, )

Details

Attachments

(5 files)

Tracking bug for the review of SSL enabled servers across the board.
Some stats: - 1153 mozilla sites support SSL preferred ciphersuites are: - 1073 RC4-SHA - 17 RC4-MD5 - 54 DHE-RSA-AES256-SHA - 3 AES128-GCM-SHA256 - 1 EDH-RSA-DES-CBC3-SHA (and 5 lookup failures) Note that some results, such as AES128-GCM-SHA256, come from CDNs we use and terminate the SSL.
Attached file results.csv —
Test of 2995 mozilla domains, 1153 of which have SSL enabled on port 443. The 2nd column is the 1st preferred ciphersuite, the 3rd column is the 2nd preferred ciphersuite.
Depends on: 904077
Citrix's Netscaler has added TLS1.2, waiting on a stable v11 to deploy it. ECDHE is on their roadmap. Need to add conf recommendation for Netscaler to the mana page.
Depends on: 914065
Group: infrasec
Brian Smith has been doing some work on which ciphersuites we _should_ prefer in Firefox, and I assume that also carries over to the server side. See the discussion in mozilla.dev.security. Gerv
Yep, I've been following the thread from the start, and found a good amount of useful information in there. But the AES landscape is changing, and it seems that BEAST might not be as big of an issue anymore. That, and the security levels provided by AES-256 vs AES-128, will influence the next version of the recommended ciphersuite. I suspect it will be very close to the one proposed by Brian. The major difference being that we don't want to disable too many ciphers, we just want to put them further down the list.
Added PFS keysize detection to cipherscan: $ ./CiphersScan.sh www.mozilla.org:443 prio ciphersuite protocol pfs_keysize 1 RC4-SHA TLSv1.1 2 RC4-MD5 TLSv1.1 3 AES256-SHA TLSv1.1 4 DHE-RSA-AES256-SHA TLSv1.1 DH,1024bits 5 DES-CBC3-SHA TLSv1.1 6 EDH-RSA-DES-CBC3-SHA TLSv1.1 DH,1024bits 7 AES128-SHA TLSv1.1 8 DHE-RSA-AES128-SHA TLSv1.1 DH,1024bits 9 (NONE) $ ./CiphersScan.sh login.persona.org:443 prio ciphersuite protocol pfs_keysize 1 DHE-RSA-AES256-SHA TLSv1 DH,1024bits 2 AES256-SHA TLSv1 3 CAMELLIA256-SHA TLSv1 4 DHE-RSA-AES128-SHA TLSv1 DH,1024bits 5 AES128-SHA TLSv1 6 CAMELLIA128-SHA TLSv1 7 RC4-SHA TLSv1 8 (NONE) $ ./CiphersScan.sh minion-dev.mozillalabs.com:443 prio ciphersuite protocol pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits 2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits 3 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,2048bits 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,2048bits 5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits 6 ECDHE-RSA-AES128-SHA TLSv1.2 ECDH,P-256,256bits 7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits 8 ECDHE-RSA-AES256-SHA TLSv1.2 ECDH,P-256,256bits 9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,2048bits 10 DHE-RSA-AES128-SHA TLSv1.2 DH,2048bits 11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,2048bits 12 AES128-GCM-SHA256 TLSv1.2 13 AES256-GCM-SHA384 TLSv1.2 14 ECDHE-RSA-RC4-SHA TLSv1.2 ECDH,P-256,256bits 15 RC4-SHA TLSv1.2 16 DHE-RSA-AES256-SHA TLSv1.2 DH,2048bits 17 DHE-RSA-CAMELLIA256-SHA TLSv1.2 DH,2048bits 18 AES256-SHA256 TLSv1.2 19 AES256-SHA TLSv1.2 20 CAMELLIA256-SHA TLSv1.2 21 DHE-RSA-CAMELLIA128-SHA TLSv1.2 DH,2048bits 22 AES128-SHA256 TLSv1.2 23 AES128-SHA TLSv1.2 24 CAMELLIA128-SHA TLSv1.2 25 (NONE)
Group: mozilla-corporation-confidential
Depends on: 927336
Some ciphers scanning results * 'AllMozillaScan-20131120.txt' is a list of 911 Mozilla domains with their ciphers preferences. * Based on the list above, and using the ciphers pref as a fingerprint, 'ZLB_websites.txt' is a list of 786 websites that are terminated on the ZLBs. Generated with: pcregrep -M "^===.+\n^prio.+\n1\s+DHE-RSA-AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n2\s+DHE-RSA-AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n3\s+AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\n4\s+AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\n5\s+RC4-SHA\s+SSLv3,TLSv1,TLSv1.1" AllMozillaScan-20131120.txt | grep -E "^===" | awk '{print $2}' > ZLB_websites.txt * 'Non_ZLB_websites.txt' is the inverse of the list above, and contains 125 websites that are not hosted behind the ZLBs. Generated with: pcregrep -v -M "^===.+\n^prio.+\n1\s+DHE-RSA-AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n2\s+DHE-RSA-AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n3\s+AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\n4\s+AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\n5\s+RC4-SHA\s+SSLv3,TLSv1,TLSv1.1" AllMozillaScan-20131120.txt | grep -E "^===" | awk '{print $2}' > Non_ZLB_websites.txt I'm particularly interested in the Non-ZLB websites. I'll dig through these in the future. It would be good to know exactly where they live and how they are maintained.
Attached file AllMozillaScan-20131120.txt —
Attached file ZLB_websites.txt —
Attached file Non_ZLB_websites.txt —
Depends on: 956714
Depends on: 1000952
I'm still wondering and scarred why it takes so much time to change the ciphersuites. a) it's security and privacy related (passwords, emails, data reports...)! b) Mozilla has in comparison to other big networks a quite bad configuration c) I'm sure, it's a huge work to change it on every server, but one year is much time. I know that I can't compare this, but on smaller networks where I'm involved it takes us just a few hours. d) On our network it was a big discussion about RC4, BEAST, fallbacks for older browsers, Forward Secrecy, but before you discuss the details, it would be good to activate secure ciphers and TLS 1.2. If there are still some issues than just on pages with sensitive informations. This would improve the security for modern browsers a lot. And you got still the fallbacks. And then a discussion about different security areas and the advantages and disadvantages between different ciphers.
Yes, upgrading major infrastructures components is *that* hard. But we're making progress, and OCSP Stapling is now enabled on mozilla.org.
Status: NEW → ASSIGNED
I updated the guidelines today to deprecate RC4 for good. We'll use 3DES for backward compatible sites. I also added a non-backward compatible ciphersuite that enforces PFS. Next step is to add certificates guidelines.
Depends on: 1064387
Depends on: 1077557
Depends on: 1077634
Depends on: 927045
Depends on: 889749
Group: mozilla-employee-confidential
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
Version: other → unspecified
Group: mozilla-employee-confidential
Do we already have a bug for HSTS and HPKP on (all) Mozilla sites? If we would implement preloaded HSTS, we could remove the HTTP redirect on some relevant hosts. Modern browsers would still connect over https and older clients can still connect over http (the redirect is insecure anyway) and get redirected over JS/meta refresh (if necessary/possible), based on their UA. This would solve the issue, that old clients can't connect to mozzilla.org to download Firefox, when they can't handle modern encryption/certificates. At the same time we can provide strong encryption, that is not vulnerable to any downgrade attack for modern browsers. (This problematic was discussed in bug 1068949, in the context of (not) replacing weak SHA-1 certificates.)
:sjw - the plan for supporting old clients must include HTTPS support. We're doing some work in that area that I'm hoping we can announce in the following weeks. HSTS is gradually being deployed. HPKP will have to wait a bit since we may use letsencrypt on a few sites and we don't want to be tied to a pining just yet. I don't believe we have bugs to track those.
I'm returning this tracker to the community pool. Feel free to pick it up if you're interested in tracking progress.
Assignee: jvehent → nobody
Status: ASSIGNED → NEW
Assignee: nobody → april
Status: NEW → ASSIGNED
Summary: [TRACKER] SSL/TLS ciphersuites recommendation & fix → [TRACKER] TLS/SSL support for all Mozilla properties, with proper protocol and cipher suite choices
Depends on: 1302420
Depends on: 1282128
Alias: https-everything
Alias: https-everything → tls-everything
Depends on: 1338581
Depends on: 1343272
Depends on: 1306368
No longer depends on: 1282128
Depends on: 1365378
Depends on: 1407779
Blocks: 1351516
Depends on: 1440934, 1440935, 1442994
click.e.mozilla.org is missing in the attached lists. This HTTP-host is still preferring RC4, 3DES and non-FS ciphers.
Depends on: 1475430
Depends on: 1475432
How about download.cdn.mozilla.net? Still available (and accessed according to the provider) over plain HTTP.
(In reply to Daniel Stenberg [:bagder] from comment #23) > How about download.cdn.mozilla.net? Still available (and accessed according > to the provider) over plain HTTP. This is a special case being discussed at https://bugzilla.mozilla.org/show_bug.cgi?id=1444399.
Depends on: 902602

Unfortunately we don't have the resources currently to continue driving this effort in Security Assurance (previously Enterprise Information Security). I'll close this out though the child tickets remain open with the teams seeking to get TLS enabled on their services and hopefully that will be completed through federated efforts across those various teams.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: