This makes me anxious, but I'm not sure if my anxiety is valid. I didn't know it was okay to disable TLS 1.0/1.1 this early. Correct me if I'm wrong, but this will affect all HTTPS web requests and web serving, as well as mail delivery and receipt from Debian sid. I'm not sure I want to only be able to surf ~90% of the encrypted web[1] and I'm not sure I'm ready to drop support for Android 4.3[2] or stock Windows 7/IE (which has TLS 1.2 switched off in Internet Options.) Not to mention all the mail servers out there running outdated crypto. I have mail in my inbox (from eg. Amazon Pay) received over TLS 1.0. As far as I understand, supporting outdated protocols like TLS 1.0 is only a problem if there is a downgrade attack that can force a server and client that speak TLS 1.2 to communicate over TLS 1.0. Otherwise, it should be fine to support TLS 1.0 to speak to older clients, while giving newer clients the option to speak over TLS 1.2.
Hopefully this announcement is correct in the assumption that support for TLS 1.2 will be high enough when Buster is released.
I'm pretty certain you're being sarcastic, but on Debian, most of the users stick to the "stock", packaged ones, instead of building their own. Indeed you can build nginx with custom ssl, but most of the Debian users won't fiddle with this.
Browsing shouldn't be affected as it doesn't use OpenSSL. However, I share your concerns. The target is the next stable (two years), but many of us are running unstable or testing.
Browsers use TLS, but I don't think many of them use OpenSSL's implementation. Firefox uses NSS, and Chrome uses BoringSSL (which is related but not affected by this change).
Last year I disabled TLS 1.0/1.1 on my personal server and encountered problems. Turns out Mono (Keepass2Android) and Qt (QBittorrent) libraries on Android for some reason had not enabled higher-than-TLS-1.0 support, although AFAIK they supported it at the time.
So yeah, I ended up reenabling TLS 1.0/1.1 on a system on which I had full control over the clients connecting to it. Given the difficulty and nature of current attacks, I figured the low risks to me personally weren't worth the inconvenience.
I commend the Debian project for making the push for this, but I wonder if the world is ready to be TLS 1.2+ only.
I predict hereby that this change won't last long.
While cryptographically it's the right move (everything below TLS 1.2 with an AEAD is cryptographically broken), this disables connectivity with half of the Internet. There is a huge number of hosts out there running on legacy hardware that won't do anything beyond TLS 1.0.
We're talking Debian Unstable. That change is at least 2 years out if you're running Testing on your servers or 4 years with Stable. I think that's a reasonable goal.
> That change is at least 2 years out if you're running Testing on your servers or 4 years with Stable. I think that's a reasonable goal.
That's not how the Debian release process works. If everything goes well, that package may hit testing next week[0]; and it may very well be that the next stable release will be in two years.
If everything goes well, then this change will not have been particularly noteworthy... it is going into Unstable now, and if it causes problems then that is exactly how it works.
Packages are not promoted into (out of?) testing unless they don't have open issues reported against them. If this concerns you, then the right thing to do is to file an issue. Keep it open long enough and this won't make it into the next stable release.
Speaking of, disabling TLS 1.0 is a great way to reduce traffic from unwanted bots. (although I still run TLS 1.1)
If necessary, someone will create a dotdeb-equivalent for an openssl version with TLS 1.0. This is a "dammed if you do, dammed if you don't" type of thing. If they don't disable it, at the next big security issue, everyone will blame openssl/distributions for being negligent.
It's not just about hosts. In developing countries, old generation mobile phones running Android 4.x are extremely common. Google's own metrics show 26% of Android phones are pre-5.0, and that's without the unknown number that don't have Google Services installed.
EDIT: Seems the last version of Android 4 does support TLS 1.2, but there's still a non-zero amount of users on older versions.
Looks like this breaks fetching OpenGraph assets for some popular services, does anyone know which are not compatible? I went TLS 1.2 only a while ago for a personal site, but only tested with Twitter (which does work).
I don’t know. We have customers connect to us with their internal systems they haven’t touched in ages. I can’t possibly tell them that they need to update their infrastructure two years (Debian has a two year release cycle and has released this year) from now.
And then there are some end-users behind enterprise middle-boxes which don’t support anything beyond TLS 1.1 and I have a feeling it’s going to be difficult to communicate to them that they need to change the configuration.
This means that we'll have to package our own FTP and HTTP servers in the future. Not a big deal, but certainly not something I'm looking forward to.
Oh and our mail relay I probably have to build myself too or just disable TLS. You have no idea what shitty SSL configurations are used out there by the various systems trying to send us email.
Grumble. At this point, I might as well run Linux from scratch when most of the daemons we run won't be able to talk to a seizable chunk of the clients connecting to us any more.
In other words: if you set up Debian out of the box today, its default packages will talk to 99% of clients out there on the internet. If you set up Debian in 2019, about 30% of the clients out there won’t be able to talk to you.
And the fix won’t just be a configuration change; it will require you to manually build every single daemon you make use of.
I think introducing some friction here is a good idea, pre 1.2 tls/ssl are objectively broken, insecure protocols.
Unless some of these people experience some pain and fix their shit, they will never upgrade, and by extension keeping everyone that wishes to communicate with them vulnerable as well (due to BAD_GUY being able to force protocol downgrades)
Is it the right solution to accommodate them (not to mention by default out of the box which means it hurts your users without them being aware of it or able to make an informed choice) and pretend it isn't a problem, and thus putting yourself at risk too?
For the same reasons i think its highly irresponsible people like FreeBSD patch in garbage like null cipher support into ssh. It is broken let the people who have to use it for whatever weird reason deal with the burden of their broken shit, don't force it on everyone else and weaken their security.
sure. Disable it by default, but leave it compiled in, so an admin can re-enable it by changing a config setting instead of recompiling half a distro.
> and thus putting yourself at risk too
I'm not at risk if some big restaurant chain orders their supplies over TLS 1.1 instead of TLS 1.2. I'm not at risk if their email server sends us support tickets over TLS 1.1 instead of 1.2.
However, my business is at risk if they can't order their supplies and if I then can't receive the support email telling me so.
> patch in garbage like null cipher support into ssh
there's a huge difference there: null-ciphers are completely pointless and no known client out there only supports null-ciphers.
But about 30% of the internet doesn't support TLS 1.2.
Its unfortunate that this situation causes you problems, but there is literally no other way that some people will ever upgrade their shit, you could wait 10 years and they will still be using tls1.1.
Its important to at least make it harder than flip some switch and forget about it forever, or nothing is going to change.
I agree that there is the absolute need for advocacy. I agree that we need to get rid of old TLS. But I disagree that it’s up to the OSes to make this a compile time issue.
If Debian comes out in 2019 in a state where 30% of the internet can’t talk to it without recompiling the daemon packages, then people will switch to „more compatible“ distros.
I have the infrastructure to quickly deploy patched packages, so for me this is just an annoyance (also because these self-built packages I have to security-patch myself, which is actually putting me at risk), but others don’t. For them this will be a reason to switch distros
thing is chrome and firefox are almost certainly going to disable it well before then, and thats gonna make a shitload of people enable it, not everyone granted, but its going to be a lot lower than 30%
(Edit: this reply is a reply to a your comment before your edit that stated I was at risk because of non-mitigatable issues in 1.1)
My 1.1 supporting customers are at risk. I'm not at risk.
If they take the (unwise) decision that the risk of their connections being eavesdropped is less significant that the amount of work it takes to update their internal network, than its their decision. I am absolutely not in the position to do advocacy there.
And neither are other companies who have to serve enterprise customers.
„But allowing 1.1 will allow attackers to force secure 1.2 supporting clients to downgrade“ you might say. To which I reply: why are they still supporting 1.1? If they are security conscious enough to update their infrastructure to support 1.2, they can disable anything else when talking to me.
Then the regulations need to have a mechanism to be updated in the case of new knowledge. If the regulations have no process to be updated then that is a more fundamental problem to solve.
After all, Debian is set to give the process of change 2 years. That is plenty of time for updating the regulation and processes.
Any joker can start a company and declare any regulation they like. I could require that all software be written in COBOL by moustachioed developers standing on one foot.
If I did that, I think Debian would not change their software to meet my bizarre "company regulations"
When I talk to my virtual machines over the loopback device, I have to encrypt and then decrypt the traffic. That is pointless. I wish my SSH supported the null cipher.
If it supported the null cipher by default, users would be a single misconfiguration away from losing all security. By forcing the few who have a legitimate need for a null cipher to patch and recompile, this risk is reduced.
It's the same reason reputable crypto libraries avoid implementing things like the TLS null cipher suites (they exist), and also why the new TLS 1.3 protocol has only PFS suites and AEAD.
Would it really be necessary to rebuild all daemons? It seems to me that it would be sufficient to drop in a custom libssl that doesn't disable the old protocols.
At a previous job they finally deprecated RC4-MD5, long after almost everyone had stopped using it.
About a week later they had to re-enable it, because it turned out a few major customers had some old SPARC (IIRC?) boxes that used the service. The extra overhead of non RC4-MD5 ciphers was crippling them. There was some seriously frantic back and forth with the customer to get the situation resolved and figure out a timeline to finally, finally, finally deprecate RC4-MD5.
> At this point, I might as well run Linux from scratch...
You might as well learn the Debian tooling and run a system with the OpenSSL package patched with a build-time change.
On Ubuntu, that'd be the same as maintaining a PPA with one source package in it. On Debian, it's effectively the same except that you'll need reprepro or a script around apt-ftparchive instead.
This is far easier than your hyperbole of running Linux from scratch.
I am confused with your two years figure. With a two year release cycle in two years testing will become stable, but this change is in unstable which will become testing in two years.
I also have disabled all versions before TLS 1.2, any key exchange other than x25519 (I wanted to avoid the NSA curves) and all encryption/mac algorithms other than Chacha20-poly1305. It works just fine with the last Firefox ESR and Chromium that way.
The main issue is lack of authenticated encryption and in consequence padding oracles.
It turned out that fixing them thoroughly is extremely difficult. Again and again new variants of these attacks have been found and existing countermeasures have turned out to be insufficient. While these attacks are of low impact (involves timing and that's hard to pull off remotely), it's certainly not something you want in the most important crypto protocol.
TLS 1.0 has additional issues, notably the BEAST attack.
All of that can be mitigated, but it's ugly and complicated and you really just want authenticated encryption (AES-GCM or Chacha20-Poly1305), which is only available in TLS 1.2.
A good TLS 1.1 server implementation implementing all the fixes should be "fine". While a good TLS 1.0 client implementation should prevent the BEAST from working.
Note that all of these could run without problems if both side support the encrypt-then-MAC extension (https://tools.ietf.org/html/rfc7366).
It's a lot of "if" though, hence why we prefer TLS 1.2 which has no problems (so far). But usually when nothing do, it is still better to have something than nothing.
Is there a plugin or setting for Firefox or Chrome that would give me stats on server protocol support for my own interactions?
I'm pretty sure the preference is newer versions of TLS where available. So would be interesting to see if this would have any impact on ones own browsing habits (ignoring the fact that FF has its own TLS lib so wouldn't be using OpenSSL anyway).
On mobile since I can't edit. It doesn't show it directly by default but it's configurable. You can add $PROTOCOL to the cipher display in it's preferences for this.
Chromes decision to hide data about secure connections from users is ridiculous. 4 clicks to view a certificate - and that's if you know the magic combination on how to get there.
I mentioned in another comment but may as well put it here too. chrome://flags/#show-cert-link has a workaround that puts it back in a more easily accessible location in the dropdown from top left (where the site permissions currently are)
Hopefully this announcement is correct in the assumption that support for TLS 1.2 will be high enough when Buster is released.
[1]: https://www.ssllabs.com/ssl-pulse/ [2]: https://www.ssllabs.com/ssltest/clients.html