Page MenuHomePhabricator
Create Task
Maniphest T258405

Deprecate TLSv1.2 weak ciphersuites
Closed, ResolvedPublic
Actions

Description

Currently we still support three different ciphersuites that are considered weak:

  • ECDHE-ECDSA-AES128-SHA (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
  • ECDHE-RSA-AES128-SHA (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
  • DHE-RSA-AES128-SHA (TLS_DHE_RSA_WITH_AES_128_CBC_SHA)

ciphersuites using CBC block mode instead of GCM are considered weak since the disclosure of several attacks against CBC during 2019, specifically Zombie POODLE and GoldenPOODLE, a nice introduction to those attacks can be found here: https://www.tripwire.com/state-of-security/vulnerability-management/zombie-poodle-goldendoodle/

Details

Show related patches Customize query in gerrit

Related Objects

Event Timeline

Vgutierrez created this task.Jul 20 2020, 2:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 20 2020, 2:05 PM
Vgutierrez moved this task from Backlog to TLS on the Traffic board.Jul 20 2020, 2:05 PM
Vgutierrez triaged this task as Medium priority.Jul 20 2020, 2:13 PM
MoritzMuehlenhoff subscribed.Jul 20 2020, 2:14 PM
gerritbot added a comment.Jul 20 2020, 2:58 PM

Change 614763 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for ECDHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/614763

gerritbot added a project: Patch-For-Review.Jul 20 2020, 2:58 PM
gerritbot added a comment.Jul 21 2020, 2:59 PM

Change 614763 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for ECDHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/614763

Stashbot added a comment.Jul 21 2020, 3:01 PM

Mentioned in SAL (#wikimedia-operations) [2020-07-21T15:01:12Z] <vgutierrez> show a synthetic warning for traffic using ECDHE-RSA-AES128-SHA - T258405

Maintenance_bot removed a project: Patch-For-Review.Jul 21 2020, 3:10 PM
gerritbot added a comment.Aug 24 2020, 12:44 PM

Change 622138 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable ECDHE-ECDSA-AES128-SHA support

https://gerrit.wikimedia.org/r/622138

gerritbot added a project: Patch-For-Review.Aug 24 2020, 12:44 PM
gerritbot added a comment.Aug 24 2020, 3:02 PM

Change 622138 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable ECDHE-RSA-AES128-SHA support

https://gerrit.wikimedia.org/r/622138

Stashbot added a comment.Aug 24 2020, 3:04 PM

Mentioned in SAL (#wikimedia-operations) [2020-08-24T15:04:03Z] <vgutierrez> rolling restart of ats-tls to disable ECDHE-RSA-AES128-SHA - T258405

Maintenance_bot removed a project: Patch-For-Review.Aug 24 2020, 3:10 PM
Vgutierrez updated the task description. (Show Details)Aug 24 2020, 3:39 PM
gerritbot added a comment.Aug 25 2020, 10:01 AM

Change 622321 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for DHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/622321

gerritbot added a project: Patch-For-Review.Aug 25 2020, 10:01 AM
gerritbot added a comment.Aug 26 2020, 1:02 PM

Change 622321 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for DHE-RSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/622321

Stashbot added a comment.Aug 26 2020, 1:06 PM

Mentioned in SAL (#wikimedia-operations) [2020-08-26T13:06:01Z] <vgutierrez> serve a synthetic warn page to DHE-RSA-AES128-SHA users - T258405

Maintenance_bot removed a project: Patch-For-Review.Aug 26 2020, 1:10 PM
BBlack mentioned this in T192559: Establish timeline and methodology for upcoming deprecation of non-forward-secret ciphers and TLSv1.0.Sep 23 2020, 4:52 PM
gerritbot added a comment.Sep 29 2020, 8:45 AM

Change 630768 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Turn DHE-RSA-AES128-SHA support off

https://gerrit.wikimedia.org/r/630768

gerritbot added a project: Patch-For-Review.Sep 29 2020, 8:45 AM
gerritbot added a comment.Sep 29 2020, 11:21 AM

Change 630768 merged by Vgutierrez:
[operations/puppet@production] ATS: Turn DHE-RSA-AES128-SHA support off

https://gerrit.wikimedia.org/r/630768

Stashbot added a comment.Sep 29 2020, 11:28 AM

Mentioned in SAL (#wikimedia-operations) [2020-09-29T11:28:38Z] <vgutierrez> disabling DHE-RSA-AES128-SHA support - T258405

Vgutierrez updated the task description. (Show Details)Sep 29 2020, 1:32 PM
gerritbot added a comment.Oct 1 2020, 8:37 AM

Change 631399 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for 2% of ECDHE-ECDSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/631399

gerritbot added a comment.Oct 1 2020, 1:43 PM

Change 631399 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for 2% of ECDHE-ECDSA-AES128-SHA pageviews

https://gerrit.wikimedia.org/r/631399

Stashbot added a comment.Oct 1 2020, 1:43 PM

Mentioned in SAL (#wikimedia-operations) [2020-10-01T13:43:54Z] <vgutierrez> use synthetic warning for 2% of ECDHE-ECDSA-AES128-SHA pageviews - T258405

Vgutierrez mentioned this in T262946: Bump Firefox version in basic support to 3.6 or newer.Oct 6 2020, 1:44 PM
gerritbot added a comment.Oct 6 2020, 2:00 PM

Change 632490 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 5%

https://gerrit.wikimedia.org/r/632490

gerritbot added a comment.Oct 6 2020, 2:44 PM

Change 632490 merged by Vgutierrez:
[operations/puppet@production] vcl: Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 5%

https://gerrit.wikimedia.org/r/632490

gerritbot added a comment.Oct 13 2020, 1:55 PM

Change 633739 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 10%

https://gerrit.wikimedia.org/r/633739

gerritbot added a comment.Oct 14 2020, 12:45 PM

Change 633739 merged by Vgutierrez:
[operations/puppet@production] vcl: Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 10%

https://gerrit.wikimedia.org/r/633739

Stashbot added a comment.Oct 14 2020, 12:46 PM

Mentioned in SAL (#wikimedia-operations) [2020-10-14T12:46:41Z] <vgutierrez> Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 10% - T258405

gerritbot added a comment.Oct 20 2020, 2:00 PM

Change 635302 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 100%

https://gerrit.wikimedia.org/r/635302

gerritbot added a comment.Oct 21 2020, 9:58 AM

Change 635302 merged by Vgutierrez:
[operations/puppet@production] vcl: Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 100%

https://gerrit.wikimedia.org/r/635302

Stashbot added a comment.Oct 21 2020, 9:59 AM

Mentioned in SAL (#wikimedia-operations) [2020-10-21T09:59:17Z] <vgutierrez> Bump ECDHE-ECDSA-AES128-SHA pageview replacement to 100% - T258405

AntiCompositeNumber subscribed.Oct 26 2020, 6:17 PM

We're getting a few OTRS tickets about this, a note in Tech News or on wikitech-l would have been appreciated.

Urbanecm added a project: User-notice.Oct 26 2020, 6:20 PM
Urbanecm subscribed.

User-notice is definitely warranted

RhinosF1 subscribed.Oct 26 2020, 7:49 PM
gerritbot added a comment.Oct 28 2020, 10:48 AM

Change 636901 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Turn ECDHE-ECDSA-AES128-SHA support off

https://gerrit.wikimedia.org/r/636901

gerritbot added a comment.Oct 28 2020, 10:53 AM

Change 636902 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ssl_ciphersuite: Remove CBC based cipher suites

https://gerrit.wikimedia.org/r/636902

gerritbot added a comment.Oct 29 2020, 8:38 AM

Change 636901 merged by Vgutierrez:
[operations/puppet@production] ATS: Turn ECDHE-ECDSA-AES128-SHA support off

https://gerrit.wikimedia.org/r/636901

Stashbot added a comment.Oct 29 2020, 8:54 AM

Mentioned in SAL (#wikimedia-operations) [2020-10-29T08:54:39Z] <vgutierrez> turn off ECDHE-ECDSA-AES128-SHA support on the main caching cluster - T258405

Quiddity subscribed.Oct 29 2020, 6:54 PM

@Urbanecm /anyone: do you have a suggestion on how to phrase this in Tech News? I'm not sure how to summarize it, based on what is above.
I searched Tech News archives, and it seems the last times we mentioned TLS or old browsers were in 2020-01 and in 2018-06.
You can also add it directly (this week's issue) yourself! :)

Quiddity moved this task from To Triage to Announce in next Tech/News on the User-notice board.Oct 29 2020, 6:55 PM
Urbanecm added a comment.Oct 29 2020, 7:11 PM

@Quiddity What about this: "You can no longer read Wikimedia wikis if your browser use old TLS versions. This is because it is a security problem for everyone. It can lead to downgrade attacks. Since October 29, 2020, users who use old TLS versions will not be able to connect to Wikimedia projects. A list of recommended browsers is available. All modern operating systems and browsers are always able to reach Wikimedia projects."?

Tried to base on https://meta.wikimedia.org/wiki/Tech/News/2020/03's entry.

Quiddity added a comment.Oct 29 2020, 7:21 PM

Perfect, thank you!

Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Oct 29 2020, 7:25 PM
TheDJ subscribed.EditedOct 29 2020, 7:42 PM

We should probably also update https://wikitech.wikimedia.org/wiki/HTTPS with the new status quo

Jdforrester-WMF mentioned this in T266866: Remove "Basic" support (Grade C) for browsers without TLS 1.2+ (MediaWiki core and WMF infra).Oct 30 2020, 4:40 PM
Johan moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Nov 4 2020, 2:47 PM
BBlack subscribed.Nov 5 2020, 2:43 PM
In T258405#6589763, @TheDJ wrote:

We should probably also update https://wikitech.wikimedia.org/wiki/HTTPS with the new status quo

Technically, an increase of the standards employed at our edge (what we're doing in this ticket) doesn't necessarily imply an increase in the standards on that page (which also apply to the third parties we delegate some hostnames to). Usually our requirements of third parties lag our standards for ourselves a bit, in the name of being reasonably-achievable (not that we've ever had full compliance anyways). I think the current edits can stand and we'll see how compliance goes over time, but just keep in mind that technically, updating that page to higher standards is a separate matter with different considerations.

AntiCompositeNumber added a comment.Nov 5 2020, 7:05 PM

I think it would be useful to have a page or section outlining the de facto requirements for connecting to the flagship Wikimedia sites. https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations is part of that, but since it's user-facing it doesn't really tell the whole story. That sort of technical documentation would be useful for developers and tech ambassadors to know what our current configuration is/should be without having to trawl rOPUP.
We're also in the unique position of being a heavily-trafficked website that also cares deeply about user privacy, so I think being clear and transparent about what we think is adequate security at the moment is important.

Vgutierrez closed this task as Resolved.Nov 16 2020, 3:48 PM
Vgutierrez claimed this task.
Vgutierrez updated the task description. (Show Details)
Ladsgroup edited projects, added User-notice-archive; removed User-notice.Aug 13 2022, 1:54 PM
gerritbot added a comment.Sep 27 2022, 10:18 AM

Change 835571 had a related patch set uploaded (by Vgutierrez; author: Vgutierrez):

[operations/puppet@production] varnish: Remove ECDHE-ECDSA-AES128-SHA sinkhole

https://gerrit.wikimedia.org/r/835571

gerritbot added a comment.Oct 3 2022, 9:45 AM

Change 835571 merged by Vgutierrez:

[operations/puppet@production] varnish: Remove ECDHE-ECDSA-AES128-SHA sinkhole

https://gerrit.wikimedia.org/r/835571

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits