TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.
TLS 1.1 and 1.0 support is being removed from the major browsers on early 2020 as announced:
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Vgutierrez | T238038 Start warning and deprecation process for all legacy TLS | |||
| Resolved | BCornwall | T240813 HTTPS/Browser Recommendations page on Wikitech is outdated | |||
| Resolved | jbond | T242991 Analyze the impact of removing TLSv1/v1.1 on puppetmasters |
Change 550391 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] varnish: Update sec-warning message
Change 550391 merged by BBlack:
[operations/puppet@production] varnish: Update sec-warning message
Change 550856 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for 1% of TLSv1/TLSv1.1 pageviews
Change 550868 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 4%
Change 550869 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 10%
Change 550870 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 100%
Change 550856 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for 1% of TLSv1/TLSv1.1 pageviews
Mentioned in SAL (#wikimedia-operations) [2019-11-15T09:47:01Z] <vgutierrez> Use a synthetic warning for 1% of TLSv1/TLS1v.1 pageviews - T238038
Change 552488 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: cover bot traffic better
Change 552488 merged by BBlack:
[operations/puppet@production] browsersec: cover bot traffic better
Change 550868 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 4%
Change 550869 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 10%
Change 550870 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 100%
Question. https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations
Windows 7: I know it CAN support TLS 1.2, but I can't figure out if Microsoft released a patch to enable it by default.. This influences if IE11 is still a supported browser on Windows 7 (effectively, as we can't ask people to modify their registry).
If the patch exists, we should amend the advice there for people to update windows completely, if it does not exist, we should advise a different browser probably.
Currently, the user experience for someone seeing an error message such as the one at https://en.wikipedia.org/sec-warning is quite poor. To find out what they actually have to do (besides "contact IT", which is going to get them nowhere), a user has to scroll past a large list of languages they don't read, find the tiny link to https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations, and then find the tiny section on that page that applies to them.
Instead, the page should prominently display a warning in the langage of the wiki that the person is visiting (so english for https://en.wikipedia.org/sec-warning), then it should display the appropriate recommendation from https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations for the OS and browser in the user's user agent string, then it should have a link to the recommendations page for more information. If there is a desire to include additional languages, they should be "below the fold", so to speak.
@Ahecht this check doesn't care about specific browsers, because their behavior is not consistent. It only cares about which ACTUAL protocol you are using. Doing user-agents checks for this doesn't scale and is very sensitive to mistakes.
I do agree that moving some of the advice higher up in the sec-warning page would seem useful to me, but making it multi lingual and vary on the language, it just doesn't scale (effort to results wise).
I would advise to open a separate ticket for changes to sec-warning. This task is about one specific change, but sec-warning is continuously in use and used for each of these changes. As such it has little to do with this particular change.
BTW. We no longer have the cipher stats grafana board ? Too bad, that one was hella interesting.
From memory, you can change it under browser options in IE11... But whether that's locked down in their cases... :)
The old cipher stats graphs (the original ones) were interesting and slightly-inaccurate in subtle ways. At some point while we were converting all of our internal metrics tooling to new software on the inside, the cipher stats graph became so inaccurate and misleading that we stopped using it entirely and nobody ever really figured out how to fix it (and then eventually removed it, to avoid people looking at bad data to draw conclusions). We're now using the internal analytics infrastructure to track this stuff with much greater accuracy (and the ability to really drill into intersection questions like "Which UAs in Country X are using TLSv1.1 with DHE?"), but unfortunately for this particular case it's not publicly exposed.
Change 556674 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] sec-warning: handle non-GET better
Change 556674 merged by BBlack:
[operations/puppet@production] sec-warning: handle non-GET better
Speaking of stats - though on TLS versions rather than ciphers - do we have numbers on how many connections/requests/users were using TLS 1.0/1.1?
Change 558735 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/puppet@production] varnish: Minor wording update for browsersec/sec-warning
Change 558735 merged by BBlack:
[operations/puppet@production] varnish: Minor wording update for browsersec/sec-warning
Change 562779 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable TLSv1.0/1.1 support on the caching layer
TLS 1.2 is supported by default on Windows 7 in IE 11. I just tested on a VM that has last updates from 2018-07 and TLS works fine.
If you are interested in supported cipher suites, then they are listed here:
https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=143
BTW. I don't see any date here. When will TLS 1.0 be disabled?
Change 562779 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable TLSv1.0/1.1 support on the caching layer
Mentioned in SAL (#wikimedia-operations) [2020-01-16T15:04:47Z] <vgutierrez> rolling restart of ats-tls. This effectively disables TLSv1/1.1 across the caching cluster - T238038
Looks like this can be closed, right @Vgutierrez?
[Edit] I misread the stupid task, sorry for the noise.