Podcast Mar 30, 2020

Root Causes 79: Firefox Reinstates Support for Deprecated TLS Versions

To enable broadest possible access to valuable information about the COVID-19 epidemic, Firefox has chosen to reinstate support for web sites using TLS 1.0 and 1.1. Join us to learn about this move, why Firefox has made it, and what that says about the state of web site security today.

  • Original Broadcast Date: March 30, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, we're going to discuss a recent news item. You know, sometimes there are breaking events in the world of PKI and we want to get them while they're going on, just report what they are and offer a little color. The news item today, the original article that I spotted, was from March 20, in Bleeping Computer, and the gist of it is that Firefox, which had deprecated its support for old versions of TLS, TLS 1.0 and 1.1, has decided to re-enable that support, to re-allow those versions to work in Firefox. And the reason for that is it turns out that apparently, and I didn't know this, a large number of important and valid COVID-19 information resources, especially from government, are still using those old versions of TLS, and the Firefox team has decided that it's more important to give people access to that information than it is to deny the security flaws that exist with those old versions of TLS. So, interesting development, not something I would have anticipated, and what do you think of that, Jay?

  • Jason Soroko

    Wow, that's - - I can definitely see the logic behind it but it certainly comes at a bad time because of the events that we're going through right now, because of the phishing attacks, because of the fear of man in the middle, because of the fact that a lot of bad guys are going to do a lot of bad things at a bad time, this kind of compounds it in a way. Because there are an awful lot of security vulnerabilities in those older protocols.

  • Tim Callan

    There are for sure. You know and it was - - I don't think either of us disagrees, that it was the right thing to do for Firefox to get rid of those, like in a normal world.

  • Jason Soroko

    Oh, yeah.

  • Tim Callan

    And part of what the browsers recognize is, to some degree, things like old security protocols won't ever go away until they force them to. Right? That stuff will always exist out there in the wild until the browsers say, you know what, I'm just going to make your website stop resolving. And so, they recognize that that's one of the things that they do, it's one of the roles they play in the ecosystem. And so, they were moving on, you know, what everyone thought was a very reasonable path to do that. And I, you know, and I get your point, which is, on the one hand, yes, we do want to give people information, you know, access to information. But on the other hand, the security vulnerabilities didn't suddenly go away, and knowledge of those security vulnerabilities among the people who would exploit them for bad ends didn't suddenly go away, either.

  • Jason Soroko

    As I browse the web, I browse government websites and university websites as well, and I do find, never mind just obsolete TLS protocols, but I also find there's a lot of sites, a lot of important web pages that are being served without SSL at all. And of course, in most of the browsers now you'll get some sort of an indicator, not secure or whatever the browser is choosing to show, when you're going over, you know, port 80, no SSL connection. And it's just, it's unusual to me, because I don't see it all that often anymore, but I do see it often in government. I do see it often in universities. I don't know if it's because they're working on a shoestring budget. I know for a fact they've got people internally that are often way more than smart enough to understand the consequences. You know, the fact that that was the reason for the impetus, Tim, there's got to be something done about this.

  • Tim Callan

    Yeah, it's disappointing and alarming, right? I mean, government sites do lots of critical things. And, you know, government has a lot of information, right? Like, they're the people who have everybody's tax records. Um, it's not a good group to turn out to be, you know, in the back of the class in terms of IT security.

  • Jason Soroko

    Yeah, that's exactly right. Although that's what we see. I mean, you would expect that from, you know, small businesses who are hosting a website on their own, not quite sure how to do it, but governments and universities? Come on, guys. Maybe one of the arguments, if we had somebody on, you know, I'll play their role for a moment, is, look, you know, there's a whole lot of pages that we serve that are just informational. You know. They don't do tax records. They don't do the things that are critical. They don't have PII on them. They just serve, you know, information, and therefore, whether there's a cert there or not, big deal. And if the browsers want to put not secure, that's their business? Well, I don't know. I think, to have a heterogeneous environment where, you know, some of your systems operate with TLS, with SSL, and some don't, I think it would be a lot better if you just thought about your websites in such a way where everything you serve should be with a modern protocol and a publicly trusted certificate and just be done with it. I think that that should be best practice. But of course, I'm biased.

  • Tim Callan

    Yeah. I mean - - and that would be, I get all of that. I guess the question I would ask is, at the end of the day, though, I mean, is there really a material cost difference in serving TLS 1.2 or 1.3, as opposed to 1.1? Like, does that mean that you're running old hardware or an old server OS that's incapable of running those? Is that why that happens? And if so, what other security vulns are sitting in there?

  • Jason Soroko

    Well, this is exactly right, because if you did enact the policy of making sure you're up to date and everything was secured, no matter what, you would end up having to look very closely at your technical debt.

  • Tim Callan

    Yeah.

  • Jason Soroko

    And that, unfortunately, I think is the problem. I'm sure that these government workers and university IT people, they've got tons to do. But I think that this is important enough to, you know, keep up with the Joneses and to keep up with technology and to not put vulnerabilities out to your - - to your public. I remember not that long ago being told by, you know, I have issues with my feet and my doctor told me, oh, just go to this government website and fill out a form and we'll get some funding for this little thing we're going to make for you. So, I did that. And of course, being a security professional, I just shook my head, because the site, first, you know, not only was not served with SSL, but it was served with, you know, a PDF file that, you know, was using a version with known vulnerabilities.

  • Tim Callan

    Yeah.

  • Jason Soroko

    And it just blew my mind that the instructions on the government website said, oh, when you get all these error messages that warn about security, just ignore that, because it'll just work and all we want is the form filled out. And so, unfortunately, and I don't think it's just technical debt, I think that there's also cultural problems.

  • Tim Callan

    Yeah.

  • Jason Soroko

    And I don't think that's everywhere. I mean, there's obviously some good people out there. Hey, you know, I sympathize with you if your budget's close to zero, you know, and you're struggling to make decisions about where to put your resources and time. But on the other hand, this is not a small deal. If your technical debt is such that you can't put an SSL certificate on your website that's of a vintage from the last 10 years, I mean, goodness, you have bigger problems than just lack of resources.

  • Tim Callan

    Yeah. So, agreed on all of that, and, you know, maybe that's really the long and the short of it. You know, I thought we were gonna start out talking about Firefox, and we're mostly talking about why did this even have to happen in the first place? I think Firefox, it feels like Firefox did the right thing and made the right choice. Right? And surely they'll reinstitute those blocks later down the road, and surely that'll be trivially easy for them to do when the time comes.

  • Jason Soroko

    I think that decision came hand in hand with a lot of news agencies who took the paywall off COVID-19 information, you know, in journalism, which I think was a great move. This, I think, went hand in hand with it as a decision just to make sure people were getting information that they needed. There's no question. You know, in the middle of a pandemic, you got to do what you got to do.

  • Tim Callan

    Yep.

  • Jason Soroko

    It's just, as a security professional: site guys, we got to tighten this up.

  • Tim Callan

    Yeah, yeah. I mean, this certainly was one of those lesser evil situations for Firefox, and, you know, but yeah, it does bring - - it does highlight something that's got to be fixed down the road for sure.

  • Jason Soroko

    That pretty much covers, I think, what the news item was, Tim, but were there any other browsers that followed suit, or was it just Firefox?

  • Tim Callan

    I haven't, you know, I was thinking about that exact question while we were talking. I haven't seen an announcement from anyone else, but then the other thing is, I'm not sure the other browsers got around to deprecating that support yet. In which case, maybe they just put the brakes on that. You know, everybody was planning to, but oftentimes we see Firefox leading the way on this kind of thing. And so, it wouldn't be surprising if Firefox were the first one to put that into effect. And if that's the case, then it might be that the other major browsers who intended to do that, had a, you know, sprint on the roadmap for that this year, just kind of said, well, you know, put a hold button on that for now, and we'll do that when it makes sense. That's worth a little bit of looking into, but that couldn't be how it all went down.

  • Jason Soroko

    Why don't we have a future podcast? I mean, thank you for the news item today. We'd like to talk about things in a timely manner, but why don't we get together our facts and figures about what the state of TLS versioning is across the major browsers, and then, as a kicker bonus in the podcast, we'll also talk about what does it take as - - if you're serving a website, what does it take to be compliant with the latest and greatest versions and to keep your ship tight?

  • Tim Callan

    I love it.

  • Jason Soroko

    I think that'll be a good future podcast.

  • Tim Callan

    I love it. So, we'll do that for a future podcast, and I think this is a good place to leave this today. So, thank you, Jay, for the insights.

  • Jason Soroko

    Thank you, Tim.

  • Tim Callan

    Thank you, Listeners. This has been Root Causes.