Closed Bug 901393 (tls-everything) Opened 11 years ago Closed 3 years ago

[TRACKER] TLS/SSL support for all Mozilla properties, with proper protocol and cipher suite choices

Categories

(Security Assurance :: General, task)

Product:
Security Assurance
Component:
General
Platform:
x86_64
Linux
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: jvehent, Assigned: April)

References

(Depends on 1 open bug,
URL
)

Details

Attachments

(5 files)

public SSL endpoint with bad preferred cipher
6.95 KB, text/plain
Details
results.csv
192.87 KB, text/csv
Details
AllMozillaScan-20131120.txt
346.83 KB, text/plain
Details
ZLB_websites.txt
18.44 KB, text/plain
Details
Non_ZLB_websites.txt
3.13 KB, text/plain
Details 
Tracking bug for the review of SSL enabled servers across the board.
Some stats:
 - 1153 mozilla sites support SSL
preferred ciphersuites are:
 - 1073 RC4-SHA
 - 17 RC4-MD5
 - 54 DHE-RSA-AES256-SHA
 - 3 AES128-GCM-SHA256
 - 1 EDH-RSA-DES-CBC3-SHA
(and 5 lookup failures)

Note that some results, such as AES128-GCM-SHA256, come from CDNs we use and terminate the SSL.
Attached file results.csv 
Test of 2995 mozilla domains, 1153 of which have SSL enabled on port 443.
The 2nd column is the 1st preferred ciphersuite, the 3rd column is the 2nd preferred ciphersuite.
Depends on: 904077
Citrix's Netscaler has added TLS1.2, waiting on a stable v11 to deploy it. ECDHE is on their roadmap.

Need to add conf recommendation for Netscaler to the mana page.
Depends on: 914065
Group: infrasec
Brian Smith has been doing some work on which ciphersuites we _should_ prefer in Firefox, and I assume that also carries over to the server side. See the discussion in mozilla.dev.security.

Gerv
Yep, I've been following the thread from the start, and found a good amount of useful information in there. But the AES landscape is changing, and it seems that BEAST might not be as big of an issue anymore.

That, and the security levels provided by AES-256 vs AES-128, will influence the next version of the recommended ciphersuite. I suspect it will be very close to the one proposed by Brian. The major difference being that we don't want to disable too many ciphers, we just want to put them further down the list.
Added PFS keysize detection to cipherscan:

$ ./CiphersScan.sh www.mozilla.org:443
prio  ciphersuite           protocol  pfs_keysize
1     RC4-SHA               TLSv1.1
2     RC4-MD5               TLSv1.1
3     AES256-SHA            TLSv1.1
4     DHE-RSA-AES256-SHA    TLSv1.1   DH,1024bits
5     DES-CBC3-SHA          TLSv1.1
6     EDH-RSA-DES-CBC3-SHA  TLSv1.1   DH,1024bits
7     AES128-SHA            TLSv1.1
8     DHE-RSA-AES128-SHA    TLSv1.1   DH,1024bits
9     (NONE)



$ ./CiphersScan.sh login.persona.org:443
prio  ciphersuite         protocol  pfs_keysize
1     DHE-RSA-AES256-SHA  TLSv1     DH,1024bits
2     AES256-SHA          TLSv1
3     CAMELLIA256-SHA     TLSv1
4     DHE-RSA-AES128-SHA  TLSv1     DH,1024bits
5     AES128-SHA          TLSv1
6     CAMELLIA128-SHA     TLSv1
7     RC4-SHA             TLSv1
8     (NONE)



$ ./CiphersScan.sh minion-dev.mozillalabs.com:443
prio  ciphersuite                  protocol  pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2   ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2   ECDH,P-256,256bits
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2   DH,2048bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2   DH,2048bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2   ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1.2   ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2   ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1.2   ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2   DH,2048bits
10    DHE-RSA-AES128-SHA           TLSv1.2   DH,2048bits
11    DHE-RSA-AES256-SHA256        TLSv1.2   DH,2048bits
12    AES128-GCM-SHA256            TLSv1.2
13    AES256-GCM-SHA384            TLSv1.2
14    ECDHE-RSA-RC4-SHA            TLSv1.2   ECDH,P-256,256bits
15    RC4-SHA                      TLSv1.2
16    DHE-RSA-AES256-SHA           TLSv1.2   DH,2048bits
17    DHE-RSA-CAMELLIA256-SHA      TLSv1.2   DH,2048bits
18    AES256-SHA256                TLSv1.2
19    AES256-SHA                   TLSv1.2
20    CAMELLIA256-SHA              TLSv1.2
21    DHE-RSA-CAMELLIA128-SHA      TLSv1.2   DH,2048bits
22    AES128-SHA256                TLSv1.2
23    AES128-SHA                   TLSv1.2
24    CAMELLIA128-SHA              TLSv1.2
25    (NONE)
Made public today at https://wiki.mozilla.org/Security/Server_Side_TLS
Hacker New discussion follows: https://news.ycombinator.com/item?id=6549962
Group: mozilla-corporation-confidential
Depends on: 927336
Some ciphers scanning results

* 'AllMozillaScan-20131120.txt' is a list of 911 Mozilla domains with their ciphers preferences.

* Based on the list above, and using the ciphers pref as a fingerprint, 'ZLB_websites.txt' is a list of 786 websites that are terminated on the ZLBs. Generated with:
    pcregrep -M "^===.+\n^prio.+\n1\s+DHE-RSA-AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n2\s+DHE-RSA-AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n3\s+AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\n4\s+AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\n5\s+RC4-SHA\s+SSLv3,TLSv1,TLSv1.1" AllMozillaScan-20131120.txt | grep -E "^===" | awk '{print $2}' > ZLB_websites.txt

* 'Non_ZLB_websites.txt' is the inverse of the list above, and contains 125 websites that are not hosted behind the ZLBs. Generated with:
    pcregrep -v -M "^===.+\n^prio.+\n1\s+DHE-RSA-AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n2\s+DHE-RSA-AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\s+DH,1024bits\n3\s+AES128-SHA\s+SSLv3,TLSv1,TLSv1.1\n4\s+AES256-SHA\s+SSLv3,TLSv1,TLSv1.1\n5\s+RC4-SHA\s+SSLv3,TLSv1,TLSv1.1" AllMozillaScan-20131120.txt | grep -E "^===" | awk '{print $2}' > Non_ZLB_websites.txt

I'm particularly interested in the Non-ZLB websites. I'll dig through these in the future. It would be good to know exactly where they live and how they are maintained.

    
    

    
  

      
      
      
      

        Attached file
          
        ZLB_websites.txt
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        Non_ZLB_websites.txt
      

    


  

    
  
Depends on: 956714

    
  
Depends on: 1000952

    
    

    
  
I'm still wondering and scarred why it takes so much time to change the ciphersuites.
a) it's security and privacy related (passwords, emails, data reports...)!
b) Mozilla has in comparison to other big networks a quite bad configuration
c) I'm sure, it's a huge work to change it on every server, but one year is much time. I know that I can't compare this, but on smaller networks where I'm involved it takes us just a few hours.
d) On our network it was a big discussion about RC4, BEAST, fallbacks for older browsers, Forward Secrecy, but before you discuss the details, it would be good to activate secure ciphers and TLS 1.2. If there are still some issues than just on pages with sensitive informations. This would improve the security for modern browsers a lot. And you got still the fallbacks. And then a discussion about different security areas and the advantages and disadvantages between different ciphers.

    
    

    
  
Yes, upgrading major infrastructures components is *that* hard. But we're making progress, and OCSP Stapling is now enabled on mozilla.org.

    
  
Status: NEW → ASSIGNED

    
    

    
  
I updated the guidelines today to deprecate RC4 for good. We'll use 3DES for backward compatible sites.
I also added a non-backward compatible ciphersuite that enforces PFS.

Next step is to add certificates guidelines.

    
  
Depends on: 1064387

    
  
Depends on: 1077557

    
  
Depends on: 1077634

    
  
Depends on: 927045

    
  
Depends on: 889749
Group: mozilla-employee-confidential
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
Version: other → unspecified
Group: mozilla-employee-confidential

    
    

    
  
Do we already have a bug for HSTS and HPKP on (all) Mozilla sites?
If we would implement preloaded HSTS, we could remove the HTTP redirect on some relevant hosts. Modern browsers would still connect over https and older clients can still connect over http (the redirect is insecure anyway) and get redirected over JS/meta refresh (if necessary/possible), based on their UA.
This would solve the issue, that old clients can't connect to mozzilla.org to download Firefox, when they can't handle modern encryption/certificates. At the same time we can provide strong encryption, that is not vulnerable to any downgrade attack for modern browsers.
(This problematic was discussed in bug 1068949, in the context of (not) replacing weak SHA-1 certificates.)

    
    

    
  
:sjw - the plan for supporting old clients must include HTTPS support. We're doing some work in that area that I'm hoping we can announce in the following weeks.
HSTS is gradually being deployed. HPKP will have to wait a bit since we may use letsencrypt on a few sites and we don't want to be tied to a pining just yet. I don't believe we have bugs to track those.

    
    

    
  
I'm returning this tracker to the community pool. Feel free to pick it up if you're interested in tracking progress.
Assignee: jvehent → nobody
Status: ASSIGNED → NEW
Assignee: nobody → april
Status: NEW → ASSIGNED

    
  
Summary: [TRACKER] SSL/TLS ciphersuites recommendation & fix → [TRACKER] TLS/SSL support for all Mozilla properties, with proper protocol and cipher suite choices

    
  
Depends on: 1302420

    
  
Depends on: 1282128

    
  
Alias: https-everything

    
  
Alias: https-everything → tls-everything

    
  
Depends on: 1338581

    
  
Depends on: 1343272
Depends on: 1306368
No longer depends on: 1282128

    
  
Depends on: 1365378

    
  
Depends on: 1407779

    
  
Blocks: 1351516

    
  
Depends on: 1440934, 1440935, 1442994

    
    

    
  
click.e.mozilla.org is missing in the attached lists. This HTTP-host is still preferring RC4, 3DES and non-FS ciphers.

    
  
Depends on: 1475430

    
  
Depends on: 1475432

    
    

    
  
How about download.cdn.mozilla.net? Still available (and accessed according to the provider) over plain HTTP.

    
    

    
  
(In reply to Daniel Stenberg [:bagder] from comment #23)
> How about download.cdn.mozilla.net? Still available (and accessed according
> to the provider) over plain HTTP.

This is a special case being discussed at https://bugzilla.mozilla.org/show_bug.cgi?id=1444399.

    
  
Depends on: 902602

    
    

    
  
Unfortunately we don't have the resources currently to continue driving this effort in Security Assurance (previously Enterprise Information Security). I'll close this out though the child tickets remain open with the teams seeking to get TLS enabled on their services and hopefully that will be completed through federated efforts across those various teams.


Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: