Page MenuHomePhabricator

Start warning and deprecation process for all legacy TLS
Open, MediumPublic

Description

TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.

TLS 1.1 and 1.0 support is being removed from the major browsers on early 2020 as announced:

Event Timeline

Restricted Application added a project: Operations. · View Herald TranscriptNov 12 2019, 5:19 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Vgutierrez moved this task from Triage to TLS on the Traffic board.Nov 12 2019, 5:19 AM

Change 550391 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] varnish: Update sec-warning message

https://gerrit.wikimedia.org/r/550391

Vgutierrez triaged this task as Medium priority.Nov 12 2019, 5:32 AM
ssingh added a subscriber: ssingh.Nov 12 2019, 1:12 PM

Change 550391 merged by BBlack:
[operations/puppet@production] varnish: Update sec-warning message

https://gerrit.wikimedia.org/r/550391

Change 550856 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Use synthetic warning for 1% of TLSv1/TLSv1.1 pageviews

https://gerrit.wikimedia.org/r/550856

Change 550868 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 4%

https://gerrit.wikimedia.org/r/550868

Change 550869 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 10%

https://gerrit.wikimedia.org/r/550869

Change 550870 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 100%

https://gerrit.wikimedia.org/r/550870

Change 550856 merged by Vgutierrez:
[operations/puppet@production] vcl: Use synthetic warning for 1% of TLSv1/TLSv1.1 pageviews

https://gerrit.wikimedia.org/r/550856

Mentioned in SAL (#wikimedia-operations) [2019-11-15T09:47:01Z] <vgutierrez> Use a synthetic warning for 1% of TLSv1/TLS1v.1 pageviews - T238038

Change 552488 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] browsersec: cover bot traffic better

https://gerrit.wikimedia.org/r/552488

Change 552488 merged by BBlack:
[operations/puppet@production] browsersec: cover bot traffic better

https://gerrit.wikimedia.org/r/552488

Change 550868 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 4%

https://gerrit.wikimedia.org/r/550868

Change 550869 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 10%

https://gerrit.wikimedia.org/r/550869

Change 550870 merged by BBlack:
[operations/puppet@production] vcl: Bump TLSv1/TLSv1.1 pageview replacement to 100%

https://gerrit.wikimedia.org/r/550870

TheDJ added a subscriber: TheDJ.EditedDec 10 2019, 10:12 AM

Question. https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations

Windows 7: I know it CAN support TLS 1.2, but I can't figure out if Microsoft released a patch to enable it by default.. This influences if IE11 is still a supported browser on Windows 7 (effectively, as we can't ask people to modify their registry).

If the patch exists, we should amend the advice there for people to update windows completely, if it does not exist, we should advise a different browser probably.

Ahecht added a subscriber: Ahecht.Dec 10 2019, 3:11 PM

Currently, the user experience for someone seeing an error message such as the one at https://en.wikipedia.org/sec-warning is quite poor. To find out what they actually have to do (besides "contact IT", which is going to get them nowhere), a user has to scroll past a large list of languages they don't read, find the tiny link to https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations, and then find the tiny section on that page that applies to them.

Instead, the page should prominently display a warning in the langage of the wiki that the person is visiting (so english for https://en.wikipedia.org/sec-warning), then it should display the appropriate recommendation from https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations for the OS and browser in the user's user agent string, then it should have a link to the recommendations page for more information. If there is a desire to include additional languages, they should be "below the fold", so to speak.

TheDJ added a comment.EditedDec 10 2019, 4:32 PM

@Ahecht this check doesn't care about specific browsers, because their behavior is not consistent. It only cares about which ACTUAL protocol you are using. Doing user-agents checks for this doesn't scale and is very sensitive to mistakes.

I do agree that moving some of the advice higher up in the sec-warning page would seem useful to me, but making it multi lingual and vary on the language, it just doesn't scale (effort to results wise).

I would advise to open a separate ticket for changes to sec-warning. This task is about one specific change, but sec-warning is continuously in use and used for each of these changes. As such it has little to do with this particular change.

TheDJ added a comment.Dec 12 2019, 9:12 AM

BTW. We no longer have the cipher stats grafana board ? Too bad, that one was hella interesting.

Reedy added a subscriber: Reedy.

Question. https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations

Windows 7: I know it CAN support TLS 1.2, but I can't figure out if Microsoft released a patch to enable it by default.. This influences if IE11 is still a supported browser on Windows 7 (effectively, as we can't ask people to modify their registry).

If the patch exists, we should amend the advice there for people to update windows completely, if it does not exist, we should advise a different browser probably.

From memory, you can change it under browser options in IE11... But whether that's locked down in their cases... :)

BBlack added a subscriber: BBlack.Dec 12 2019, 1:34 PM

BTW. We no longer have the cipher stats grafana board ? Too bad, that one was hella interesting.

The old cipher stats graphs (the original ones) were interesting and slightly-inaccurate in subtle ways. At some point while we were converting all of our internal metrics tooling to new software on the inside, the cipher stats graph became so inaccurate and misleading that we stopped using it entirely and nobody ever really figured out how to fix it (and then eventually removed it, to avoid people looking at bad data to draw conclusions). We're now using the internal analytics infrastructure to track this stuff with much greater accuracy (and the ability to really drill into intersection questions like "Which UAs in Country X are using TLSv1.1 with DHE?"), but unfortunately for this particular case it's not publicly exposed.

Change 556674 had a related patch set uploaded (by BBlack; owner: BBlack):
[operations/puppet@production] sec-warning: handle non-GET better

https://gerrit.wikimedia.org/r/556674

Change 556674 merged by BBlack:
[operations/puppet@production] sec-warning: handle non-GET better

https://gerrit.wikimedia.org/r/556674

Speaking of stats - though on TLS versions rather than ciphers - do we have numbers on how many connections/requests/users were using TLS 1.0/1.1?

Change 558735 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/puppet@production] varnish: Minor wording update for browsersec/sec-warning

https://gerrit.wikimedia.org/r/558735

Change 558735 merged by BBlack:
[operations/puppet@production] varnish: Minor wording update for browsersec/sec-warning

https://gerrit.wikimedia.org/r/558735

Change 562779 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Disable TLSv1.0/1.1 support on the caching layer

https://gerrit.wikimedia.org/r/562779

Nux added a subscriber: Nux.Jan 13 2020, 11:46 PM

Question. https://wikitech.wikimedia.org/wiki/HTTPS/Browser_Recommendations

Windows 7: I know it CAN support TLS 1.2, but I can't figure out if Microsoft released a patch to enable it by default.. This influences if IE11 is still a supported browser on Windows 7 (effectively, as we can't ask people to modify their registry).

TLS 1.2 is supported by default on Windows 7 in IE 11. I just tested on a VM that has last updates from 2018-07 and TLS works fine.

If you are interested in supported cipher suites, then they are listed here:
https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%207&key=143

BTW. I don't see any date here. When will TLS 1.0 be disabled?

Change 562779 merged by Vgutierrez:
[operations/puppet@production] ATS: Disable TLSv1.0/1.1 support on the caching layer

https://gerrit.wikimedia.org/r/562779

Mentioned in SAL (#wikimedia-operations) [2020-01-16T15:04:47Z] <vgutierrez> rolling restart of ats-tls. This effectively disables TLSv1/1.1 across the caching cluster - T238038

TheDJ removed a subscriber: TheDJ.Jan 29 2020, 11:19 PM