Mozilla Security Blog
Categories: Security

Navigating the TLS landscape

Julien Vehent

1 response

A few weeks ago, we enabled Perfect Forward Secrecy on https://www.mozilla.org [1]. Simultaneously, we published our guidelines for configuring TLS on the server side. In this blog post, we want to discuss some of the SSL/TLS work that the Operations Security (OpSec) team has been busy with.

For operational teams, configuring SSL/TLS on servers is becoming increasingly complex. BEAST, LUCKY13, CRIME, BREACH and RC4 are examples of a fast moving security landscape, that made recommendations from a only few months ago already obsolete.

Mozilla’s infrastructure is growing fast. We are adding new services for Firefox and Firefox OS, in addition to an ever increasing number of smaller projects and experiments. The teams tasked with deploying and maintaining these services need help sorting through known TLS issues and academic research. So, for the past few months, OpSec has been doing a review of the state-of-the-art of TLS. This is in parallel and complementary to work by the Security Engineering team on cipher preferences in Firefox. The end goal being to support, at the infrastructure level, the security features championed by Firefox.

We published our guidelines at https://wiki.mozilla.org/Security/Server_Side_TLS. The document is a quick reference and a training guide for engineers. There is a strong demand for a standard ciphersuite that can be copied directly into configuration files. But we also wanted to publish the building blocks of this ciphersuite, and explain why a given cipher is prefered to another. These building blocks are the core of the ciphersuite discussion, and will be used as references when new attacks are discovered.

Another important aspect of the guideline is the need to be broad, we want people to be able to reach https://mozilla.org and access Mozilla’s services from anywhere. For this reason, SSLv3 is still part of the recommended configuration. However, ciphers that are deprecated, and no longer needed for backward compatibility are disabled. DSA ciphers are included in the list as well, even though almost no-one uses DSA certificates right now, but might in the future.

At the core of our effort is a strong push toward Perfect Forward Secrecy (PFS) and OCSP stapling.

PFS improves secrecy in the long run, and will become the de-facto cipher in all browsers. But it comes with new challenges: the handshake takes longer, due to the key exchange, and a new parameter (dhparam/ecparam) is needed. Ideally, the extra-parameter should provide the same level of security as the RSA key does. But we found that old client libraries, such as Java 6, are not compatible with larger parameter sizes. This is a problem we cannot solve server-side, because the client has no way to tell the server which parameter sizes it supports. As a result, the server will start the PFS handshake, and the client will fail in the middle of the handshake. Without a way for the handshake to fall back and continue, we have to use smaller parameter sizes until old libraries can be deprecated.

OCSP stapling is a big performance improvement. OCSP requests to third party resolvers block the TLS Handshake, directly impacting the user’s perception of page opening time. Recent web servers can now cache the OCSP response and serve it directly, saving the round trip to the client. OCSP stapling is likely to become an important feature of Browsers in the near future, because it improves performances, and reduces the cost of running worldwide OCSP responders for Certificate Authorities.

OpSec will maintain this document by keeping it up to date with changes in the TLS landscape. We are using it to drive changes in Mozilla’s infrastructure. This is not a trivial task, as TLS is only one piece of the complex puzzle of providing web connectivity to large websites. We found that very few products provide the full set of features we need, and most operating systems don’t provide the latest TLS versions and ciphers. This is a step forward, but it will take some time until we provide first class TLS across the board.

Feel free to use, share and discuss these guidelines. We welcome feedback from the security and cryptography communities. Comments can be posted on the discussion section of the wiki page, submitted to the dev-tech-crypto mailing list, posted on Bugzilla, or in #security on IRC. This a public resource, meant to improve the usage of HTTPS on the Internet.

[1] bug 914065

One comment on “Navigating the TLS landscape”

  1. Browser_Privacy wrote on

    These changes are a important step in the right direction, but failing to enable server-side TLS 1.2 for Firefox/Thunderbird update and add-on update checking for clients who have changed their settings to require TLS 1.2 remain important oversights in my view. I understand the compatibility concerns associated with old, bad configurations, but fail to see the downside of enabling TLS 1.2 by default in Thunderbird and Firefox by setting security.tls.version.max to 3. This is despite https://bugzilla.mozilla.org/show_bug.cgi?id=480514

    Some more details on server-side issues that deserve to be addressed…
    If users set security.tls.version.max and security.tls.version.min to 3 in about:config on both Firefox and Thunderbird to require TLS 1.2, users will not be notified of any updates to Firefox or Thunderbird. Below, I’ve flagged a few issues with specific Mozilla servers:
    addons.cdn.mozilla.net, which according to the Qualys SSL handshake simulation test is *not* forward secret and does *not* mitigate BEAST: https://www.ssllabs.com/ssltest/analyze.html?d=addons.cdn.mozilla.net
    versioncheck.addons.mozilla.org, which according to the Qualys SSL handshake simulation test is *not* forward secret, does *not* support TLS 1.2, allows client-initiated renegotiation, and leaves RC4 enabled!
    services.addons.mozilla.org weirdly fails the Qualys SSL test https://www.ssllabs.com/ssltest/analyze.html?d=services.addons.mozilla.org