Mozilla re-enables TLS 1.0 and 1.1 because of Coronavirus (and Google) (ghacks.net)
54 points by superkuh on March 22, 2020 | 33 comments

I was in charge of ensuring the TLS 1.2 compliance of hundreds of old sites in my organization. 2 weeks ago I was well on track to have it finished in time. Now I'm tasked to just keep up essential systems that are straining under the work from home onslaught, with two suddenly homeschooled kids needing my support

I'm also so overstressed and worried that can only sleep on Xanax and have an asthma flare-up that looks like covid19 symptoms at times, adding to the anxiety.

This will be a good and needed change, but it can wait.

Why do you have to do it alone? Can't you ask another colleague to help you out on this?

If you were to ask a room full of developers what TLS versions or TLS ciphers are and which ones should be disabled, you'd be lucky if any of them raised their hands.

Consider an old organization with hundreds of old systems that can be fairly critical. Nobody understands or is willing to do the work. To their credit, TLS and cryptography are really difficult.

So don't be surprised that things will be fixed... after they're noticeably broken.

I'm on a three-person team that completed a similar effort at a smaller company (~30-ish sites, 400 heads) and it was just short of a nightmare to even get buy-in from devs and maintainers. And even after flipping the switch we found issues, soft-killed site-wide connectivity a couple of times; it was not a pleasant experience. However, I don't recall a time in ~11 years in which I'd learned more quite as fast as I did.

"We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information."

This makes a lot of sense. Normally, browsers moving together to turn down an old and insecure protocol would push the last few sites to update, but with everything being a mess because of the coronavirus this isn't a good time.

(Disclosure: I work for Google)

>"The preference change will be remotely applied to Firefox 74"

No thanks. How do they do this, and how do I stop people from being able to remotely "manage" my Firefox install?

While I agree with the pragmatic choice of keeping older TLS enabled a while longer, I am very much at unease of Firefox remote updates and management (pushing code fixes as studies etc), disrespecting preferences in local configs and proliferation of services and multitude of background service connections.

Mozilla, please, I want a browser that I, as a "power user" can manage. Not an idiot-proof remotely managed on-prem SaaS.

Note: I and I'm sure many others would donate meaningful amount of money, if it could be restricted to categories of use, such as Firefox development or Rust development. You don't have to become a service vendor to wean off Google.

> Mozilla, please, I want a browser that I, as a "power user" can manage. Not an idiot-proof remotely managed on-prem SaaS.

Then you need to accept that Firefox will linger at a very low number of users and many of those users will be left with insecure browsers because they fail to update them properly. Maybe that's a fine thing, but that's the world you need to accept if Firefox is explicitly targeting power users.

It's not either/or. They could make it easy to disable all the various background activity, document user prefs and respect provided settings (perhaps with different branding), accept targeted donations, etc.

Firefox is already providing automatic updates. Would it be so bad to release a point version (do they even do that anymore) instead of a remote preference change?

Still, it's not exclusive - they could do both, while providing a clear power user mode, where you may need to update, because they don't do such shenanigans.

It's not an idle offer - I'm offering 1k€ to properly document user prefs and not second-guess their settings (could be a compile-time switch, possibly with altered branding, but on supported/LTS versions). Anyone want to set up a GoFundMe or something?

Always disable studies. It will also prevent the next Mr. Robot ad extension (or anything like that) from being automatically installed.

Is it just being pushed as an update? I don’t understand the semantic difference between an update and a study.

If you opt out of them enabling legacy protocols how would you let them disable legacy protocols?

By issuing a new release with updated defaults via the standard distribution channels. Remotely applied preference change implies a more direct intervention - it means you can't vet firefox to have certain behavior, as they may whimsically change your preferences.

Good for most consumers. Not necessarily so, if you are managing it.

I think they just push it as a "study"; try turning those off.

I have Firefox 74.0 with studies disabled and yet TLS 1.0 and 1.1 are enabled. I don't understand how Mozilla turned them on if I have had studies disabled since the Mr. Robot incident.

I was also curious. It appears they used Normandy. From the Mozilla website: "Normandy Pref Rollout is a feature that allows Mozilla to change the default value of a preference for a targeted set of users, without deploying an update to Firefox. This document focuses on the use of Pref Rollout as a mechanism to enable feature flagging in Firefox."

And I see a new Firefox about:config preference: app.normandy.startupRolloutPrefs.security.tls.version.min

Thanks for the pointer. I've set 'app.normandy.enabled' to false, hopefully that is the last way someone can change something on my computer without my knowledge.
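The two comments above name the relevant profile settings: `app.normandy.enabled`, which gates remote pref rollouts, and `security.tls.version.min`, which Normandy rolled back via an `app.normandy.startupRolloutPrefs.` key. The following added example (not code from the thread or from Mozilla) audits a Firefox `prefs.js`/`user.js` file for exactly these settings. It assumes the standard `user_pref("name", value);` line format and the Firefox value mapping for `security.tls.version.min` (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3); the sample prefs file embedded below is constructed, not taken from a real profile.

```python
import re
import sys

# Lines in a Firefox profile's prefs.js / user.js look like:
#   user_pref("name", value);
# where value is a JS literal: true/false, an integer, or a double-quoted string.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Firefox's encoding of security.tls.version.min / .max.
TLS_VERSION_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Hardened targets: no remote pref rollouts, and refuse TLS 1.0/1.1 entirely.
EXPECTED = {
    "app.normandy.enabled": False,
    "security.tls.version.min": 3,
}

# Keys under this prefix are written by the Normandy pref-rollout mechanism.
# Their presence means a remote override was applied to the named pref.
ROLLOUT_PREFIX = "app.normandy.startupRolloutPrefs."

# Constructed sample profile (hypothetical values, not a real prefs.js).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.normandy.enabled", true);
user_pref("app.normandy.startupRolloutPrefs.security.tls.version.min", 1);
user_pref("browser.startup.homepage", "about:blank");
"""


def parse_value(raw):
    """Turn the JS literal on the right-hand side into a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as the raw text


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in the file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def tls_min_name(prefs):
    """Human-readable minimum TLS version pinned in the profile, if any."""
    return TLS_VERSION_NAMES.get(prefs.get("security.tls.version.min"), "browser default")


def audit(prefs):
    """List deviations from EXPECTED plus any Normandy rollout overrides."""
    findings = []
    for name, want in EXPECTED.items():
        have = prefs.get(name)
        if have is None:
            findings.append(f"{name}: not set (browser default applies)")
        elif have != want:
            findings.append(f"{name}: is {have!r}, expected {want!r}")
    for name, value in prefs.items():
        if name.startswith(ROLLOUT_PREFIX):
            target = name[len(ROLLOUT_PREFIX):]
            findings.append(f"Normandy rollout override present: {target} -> {value!r}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_prefs.py [path/to/prefs.js]; without a path, the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    prefs = parse_prefs(text)
    print("minimum TLS version:", tls_min_name(prefs))
    for f in audit(prefs) or ["no findings"]:
        print(" -", f)
```

Run against a real profile, the script reports whether the pinned minimum is TLS 1.2 and whether any `startupRolloutPrefs` entry indicates a remotely applied change. Putting the two `EXPECTED` values into `user.js` (rather than `prefs.js`, which Firefox rewrites) keeps them in force across restarts.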

And this highlights how Google and the Chrome ecosystem is strangling web tech. The fact they were afraid of making a move that isn't in lockstep with Chrome means Chrome has too damn much influence.

Decade-old versions of TLS are flat-out bad for users. TLS 1.0 is from 1999!

The points of standards are to get the entire industry to adopt them. When the browser vendors come together and agree to all do the same thing, that's not one vendor flexing its muscles, that's standards working as intended.

> Decade-old versions of TLS are flat-out bad for users. TLS 1.0 is from 1999!

no, bad standards are flat-out bad for users.

lots of text files being written in ascii, for example, and 'ASCII is from 1963!'

Time to get on the ball and upgrade to Latin-1.

You mean latin-9 hopefully. The one with the euro sign.

That may be too difficult. These things take time.

Why? Is Let's Encrypt hospitalized with Coronavirus?

The people implementing it for their sites may well be off work for various reasons at the moment.

Alternative title ... Mozilla re-enables state-sponsored hacking groups

Seems to indicate it wasn't as urgent to disable these as professed. I think browser vendors are sometimes a little too quick to break things, glad to see this pragmatism.

I’m not sure anyone ever indicated that it was urgent... it’s taken a long time for them to take this step!

There’s an element of carrot and stick here, the browser vendors sometimes have to push people in the right direction. I think they’ve made the right call both in pushing for deprecation and altering their plans when circumstances have changed.

I assure you the browsers were not quick to disable TLS 1.0. They've dragged their feet as long as they could and beyond.

TLS 1.0 and previous protocols have been prohibited from use since around 2017 by PCI DSS and most regulations. Any company that gets a basic security audit or self-submits its website to https://www.ssllabs.com/ssltest/ would have been red-flagged for using TLS 1.0 for years.

I've worked on the TLS upgrade in some financial institutions that notoriously always lag behind, and even they have been ready for a while.

At this stage websites stuck on TLS 1.0 are either unmaintained for years or purposefully trying to support a Windows XP and Java 7 audience.

> At this stage websites stuck on TLS 1.0 are either unmaintained for years or purposefully trying to support a Windows XP and Java 7 audience.

Or are using Heroku Automated Certificate Management https://help.heroku.com/G0YVUNPG/how-do-i-disable-support-fo...

As long as you support 1.2 as well (which Heroku does), you're fine; this is about sites that _only_ support 1.0 or 1.1.

In the interest of security you can't wait for every last site to upgrade. But yes, reverting this is the right priority for the moment.

Years after fatal flaws are known is "urgent"?

