
Mozilla re-enables TLS 1.0 and 1.1 because of Coronavirus (and Google) - superkuh
https://www.ghacks.net/2020/03/21/mozilla-re-enables-tls-1-0-and-1-1-because-of-coronavirus-and-google/
======
fcatalan
I was in charge of ensuring the TLS 1.2 compliance of hundreds of old sites in
my organization. 2 weeks ago I was well on track to have it finished in time.
Now I'm tasked to just keep up essential systems that are straining under the
work from home onslaught, with two suddenly homeschooled kids needing my
support.

I'm also so overstressed and worried that I can only sleep on Xanax and have an
asthma flare-up that looks like covid19 symptoms at times, adding to the
anxiety.

This will be a good and needed change, but it can wait.

~~~
kul_
Why do you have to do it alone? Can't you ask for another colleague to help you
out on this?

~~~
user5994461
If you were to ask a room full of developers what are TLS versions or TLS
ciphers and which ones should be disabled? You'd be lucky if any of them
raise their hands.

Consider an old organization with hundreds of old systems, that can be fairly
critical. Nobody understands or is willing to do the work. To their credit, TLS
and cryptography is really difficult.

So don't be surprised that things will be fixed... after they're noticeably
broken.

------
jefftk
_" We reverted the change for an undetermined amount of time to better enable
access to critical government sites sharing COVID19 information."_

This makes a lot of sense. Normally, browsers moving together to turn down an
old and insecure protocol would push the last few sites to update, but with
everything being a mess because of the coronavirus this isn't a good time.

(Disclosure: I work for Google)

------
JensRex
>"The preference change will be remotely applied to Firefox 74"

No thanks. How do they do this, and how do I stop people from being able to
remotely "manage" my Firefox install?

~~~
labawi
While I agree with the pragmatic choice of keeping older TLS enabled a while
longer, I am very much at unease of Firefox remote updates and management
(pushing code fixes as studies etc), disrespecting preferences in local
configs and proliferation of services and multitude of background service
connections.

Mozilla, please, I want a browser that _I_, as a "power user" can manage. Not
an idiot-proof remotely managed on-prem SaaS.

Note: I and I'm sure many others would donate a meaningful amount of money, if
it could be restricted to categories of use, such as Firefox development or
Rust development. You don't have to become a service vendor to wean off
Google.

~~~
UncleMeat
> Mozilla, please, I want a browser that I, as a "power user" can manage. Not
> an idiot-proof remotely managed on-prem SaaS.

Then you need to accept that Firefox will linger at a very low number of users
and many of those users will be left with insecure browsers because they fail
to update them properly. Maybe that's a fine thing, but that's the world you
need to accept if Firefox is explicitly targeting power users.

~~~
labawi
It's not either or. They could make it easy to disable all various background
activity, document user prefs and respect provided settings (perhaps with
different branding), accept targeted donations etc.

Firefox is already providing automatic updates. Would it be so bad to release
a point version (do they even do that anymore) instead of a remote preference
change?

Still, it's not exclusive - they could do both, while providing a clear power
user mode, where you may need to update, because they don't do such
shenanigans.

It's not an idle offer - I'm offering 1k€ to properly document user prefs and
not second guess their setting (could be a compile time switch, possibly with
altered branding, but on a supported/LTS versions). Anyone want to set up a
GoFundMe or something?

------
shock
I have Firefox 74.0 with studies disabled and yet TLS 1.0 and 1.1 are enabled.
I don't understand how Mozilla turned them on if I had studies disabled since
the Mr. Robot incident.

~~~
tmp12
I was also curious. It appears they used Normandy. From the Mozilla website:
"Normandy Pref Rollout is a feature that allows Mozilla to change the default
value of a preference for a targeted set of users, without deploying an update
to Firefox. This document focuses on the use of Pref Rollout as a mechanism to
enable feature flagging in Firefox."

And I see a new Firefox about:config preference:
app.normandy.startupRolloutPrefs.security.tls.version.min

~~~
shock
Thanks for the pointer. I've set 'app.normandy.enabled' to false, hopefully
that is the last way someone can change something on my computer without my
knowledge.

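A defender-side check for the Normandy mechanism tmp12 describes and the pref shock switched off, as an added example that is neither from the thread nor Mozilla's code: it parses a profile's prefs.js, reports any app.normandy.startupRolloutPrefs.* override together with the effective security.tls.version.min, and emits user.js lines that pin both settings. Assumed, not from the thread: the 1..4 encoding of TLS versions in that pref, that an explicit user pref outranks a rollout default, and the constructed sample prefs.

```python
import re

# Firefox stores security.tls.version.min/max as 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3.
TLS_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
TLS_MIN_PREF = "security.tls.version.min"
ROLLOUT_PREFIX = "app.normandy.startupRolloutPrefs."
_PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js content, not a dump of a real profile.
SAMPLE_PREFS = """\
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("app.normandy.startupRolloutPrefs.security.tls.version.min", 1);
user_pref("browser.startup.homepage", "about:blank");
"""


def parse_prefs(text):
    """Parse prefs.js/user.js lines of the form user_pref("name", value); into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything else are skipped
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def audit(prefs):
    """Report remote rollout overrides and the effective TLS floor; an empty list means clean."""
    findings = []
    if prefs.get("app.normandy.enabled", True):  # the pref defaults to true when absent
        findings.append("app.normandy.enabled is true: remote pref rollouts can still change defaults")
    rollouts = {k[len(ROLLOUT_PREFIX):]: v for k, v in prefs.items() if k.startswith(ROLLOUT_PREFIX)}
    for name, value in sorted(rollouts.items()):
        findings.append(f"remote rollout sets default {name} = {value!r}")
    # Assumption: an explicit user pref beats a rollout default, and the built-in default is 3.
    effective = prefs.get(TLS_MIN_PREF, rollouts.get(TLS_MIN_PREF, 3))
    if isinstance(effective, int) and effective < 3:
        findings.append(f"effective {TLS_MIN_PREF}={effective} still allows {TLS_NAMES.get(effective, '?')}")
    return findings


def hardened_user_js():
    """user.js lines Firefox re-applies on every start, pinning the two prefs the replies above name."""
    return 'user_pref("app.normandy.enabled", false);\nuser_pref("security.tls.version.min", 3);\n'
```

Run `audit(parse_prefs(open("prefs.js").read()))` against a profile directory to list what a rollout has changed; writing `hardened_user_js()` into that profile's user.js keeps the values fixed across restarts.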
------
Russtopia
And this highlights how Google and the Chrome ecosystem are strangling web
tech. The fact they were afraid of making a move that isn't in lockstep with
Chrome means Chrome has too damn much influence.

~~~
jrockway
Decade-old versions of TLS are flat-out bad for users. TLS 1.0 is from 1999!

The point of standards is to get the entire industry to adopt them. When the
browser vendors come together and agree to all do the same thing, that's not
one vendor flexing its muscles, that's standards working as intended.

~~~
cat199
> Decade-old versions of TLS are flat-out bad for users. TLS 1.0 is from 1999!

no, _bad standards_ are flat-out bad for users.

lots of text files being written in ascii, for example, and 'ASCII is from
1963!'

~~~
kevin_thibedeau
Time to get on the ball and upgrade to Latin-1.

~~~
user5994461
You mean latin-9 hopefully. The one with the euro sign.

~~~
kevin_thibedeau
That may be too difficult. These things take time.

------
jamsb
Alternative title ... Mozilla re-enables state-sponsored hacking groups

------
rkagerer
Seems to indicate it wasn't as urgent to disable these as professed. I think
browser vendors are sometimes a little too quick to break things, glad to see
this pragmatism.

~~~
user5994461
I assure you the browsers were not quick to disable TLS 1.0. They've dragged
their feet as long as they could and beyond.

TLS 1.0 and previous protocols have been prohibited from usage since around
2017 by PCI DSS and most regulations. Any company that gets a basic security
audit or self-submits their website to
[https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/) would
have been red-flagged for using TLS 1.0 for years.

I've worked on the TLS upgrade in some financial institutions that notoriously
always lag behind and even they have been ready for a while.

At this stage websites stuck on TLS 1.0 are either unmaintained for years or
purposefully trying to support a Windows XP and Java 7 audience.

~~~
psadauskas
> At this stage websites stuck on TLS 1.0 are either unmaintained for years or
> purposefully trying to support a Windows XP and Java 7 audience.

Or are using Heroku Automated Certificate Management
[https://help.heroku.com/G0YVUNPG/how-do-i-disable-support-fo...](https://help.heroku.com/G0YVUNPG/how-do-i-disable-support-for-tls-1-0-or-1-1-on-a-heroku-app)

~~~
43920
As long as you support 1.2 as well (which Heroku does), you're fine; this is
about sites that _only_ support 1.0 or 1.1.

