Add Forward Secrecy
Open, Public

Description

Author: michael+wmbugs
Forward Secrecy capable ciphers are not currently available on wikipedia.org. The only ciphers available on wikipedia.org are:

  • SSL_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Source: https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org

None of which offer Forward Secrecy.

Could this please be added to wikipedia's servers?


Version: wmf-deployment
Severity: enhancement
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=33890
https://rt.wikimedia.org/Ticket/Display.html?id=7534

bzimport added a project: HTTPS. Via Conduit, Nov 22 2014, 2:13 AM
bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz53259.
bzimport created this task. Via Legacy, Aug 23 2013, 4:46 PM
Aklapper added a comment. Via Conduit, Aug 26 2013, 10:00 AM

Where can I find more information?
https://en.wikipedia.org/wiki/Perfect_forward_secrecy ?

Seb35 added a comment. Via Conduit, Aug 29 2013, 8:27 AM

The blog post [1] explains the "forward secrecy" property only adds +15% CPU load for ECDHE ciphers, but +300% for simple DHE ciphers. Probably the Operations team should carefully review this bug before activating it, for performance reasons. Nowadays only Chromium and Firefox support FS, Opera only supports DHE ciphers and Internet Explorer doesn't support FS; I don't know about Safari.

This other blog post [2] (and blog) explains how Google configured FS: why they chose ECDHE (for this performance reason) and how they configured session tickets.

[1] http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
[2] https://www.imperialviolet.org/2011/11/22/forwardsecret.html

bzimport added a comment. Via Conduit, Dec 11 2013, 9:56 AM

ondrej.sered wrote:

Google is already supporting Forward Secrecy for SSL connections.

The deployment of Forward Secrecy must be done carefully, especially when SSL session IDs are used. But SSL session IDs can help reduce the overhead of Forward Secrecy:

https://www.imperialviolet.org/2013/06/27/botchingpfs.html
http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html
http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html

There have been some questions about backdoors in ECDHE ciphers:

https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters

Nemo_bis added a comment. Via Conduit, Dec 20 2013, 10:37 AM

According to https://wikitech.wikimedia.org/wiki/HTTPS/Future_work this is in the plans already (second bullet), adjusting fields.

gerritbot added a comment. Via Conduit, May 22 2014, 5:11 AM

Change 132393 had a related patch set uploaded by MZMcBride:
Improve nginx TLS/SSL settings.

https://gerrit.wikimedia.org/r/132393

Nemo_bis added a comment. Via Conduit, Jun 27 2014, 11:19 PM

Giuseppe tested the settings, proving the load is not a problem, and thanks to this the change is now scheduled for next week!
https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20140701T1000

ori added a comment. Via Conduit, Jun 28 2014, 12:05 AM

The load may not be a problem for our servers, but I'd like to know whether there is a potential impact on user experience, and whether an attempt has been made to quantify it.

gerritbot added a comment. Via Conduit, Jul 1 2014, 10:04 AM

Change 132393 merged by Giuseppe Lavagetto:
Improve nginx TLS cipher list & session timeout

https://gerrit.wikimedia.org/r/132393

Matanya added a comment. Via Conduit, Jul 1 2014, 10:56 AM

The change is now live. Thanks Giuseppe!

JanZerebecki added a comment. Via Conduit, Jul 1 2014, 12:25 PM

For the potential impact on HTTPS clients Chris Steipp told me on IRC he looked into what I assume is EventLogging data and later told me that Oliver had done some analysis work on that. I wanted to ask Oliver if he could publish his queries (or SQL and R code or whatever he used), but haven't yet done so (feel free to do that). The idea was also to compare before and after deployment. It would be interesting if we could publish an aggregated and anonymized analysis of the before and after comparison.

Nemo_bis added a comment. Via Conduit, Jul 1 2014, 12:55 PM

(In reply to Jan Zerebecki from comment #11)

It would be interesting if we could publish an aggregated
and anonymized analysis of the before and after comparison.

You know about:

don't you?

JanZerebecki added a comment. Via Conduit, Jul 1 2014, 7:17 PM

None of those on gdash differentiate between HTTP and HTTPS. I do not have full graphite access, so the ability to create something that might help may exist.

Chmarkine added a comment. Via Conduit, Jul 4 2014, 11:35 AM

gerrit.wikimedia.org still does not support Forward Secrecy.

Chmarkine added a comment. Via Conduit, Jul 4 2014, 11:44 AM

wikitech.wikimedia.org also doesn't support Forward Secrecy.

More importantly, SSL Labs says Wikitech server is "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".

Reedy added a comment. Via Conduit, Jul 4 2014, 12:05 PM

(In reply to chmarkine from comment #15)

wikitech.wikimedia.org also doesn't support Forward Secrecy.

More importantly, SSL Labs says Wikitech server is "vulnerable to the
OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".

F to A- now

JanZerebecki added a comment. Via Conduit, Jul 4 2014, 3:26 PM

Yes and there are more sites that still lack forward secrecy. Now that there is an acceptable configuration with FS we can just apply that one to them. Some like wikitech and gerrit can probably use one that is less backwards compatible (like no SSL3, disable RC4, difficult: disable non-fs ciphers).

Chmarkine added a comment. Via Conduit, Jul 5 2014, 8:52 AM

I agree with Jan. I think disabling SSL3 and non-fs ciphers is feasible, because only IE 6-8 on XP do not support any FS ciphers, only IE 6 does not support TLS 1.0 or higher, and even IE 7 on Vista supports ECDHE.

Also ticket.wikimedia.org does not support PFS. So all together:

  • gerrit.wikimedia.org
  • wikitech.wikimedia.org
  • ticket.wikimedia.org

https://www.ssllabs.com/ssltest/analyze.html?d=ticket.wikimedia.org

Chmarkine added a comment. Via Conduit, Jul 5 2014, 9:22 AM

I keep finding more and more sites with no FS:

  • gerrit.wikimedia.org
  • wikitech.wikimedia.org
  • ticket.wikimedia.org
  • lists.wikimedia.org
  • dumps.wikimedia.org
  • graphite.wikimedia.org
  • gdash.wikimedia.org

Again, graphite.wikimedia.org, gdash.wikimedia.org and dumps.wikimedia.org are "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".

lists.wikimedia.org is "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable", and lists.wikimedia.org does not support TLS 1.1 and TLS 1.2.

[1] https://www.ssllabs.com/ssltest/analyze.html?d=graphite.wikimedia.org (F)
[2] https://www.ssllabs.com/ssltest/analyze.html?d=gdash.wikimedia.org (F)
[3] https://www.ssllabs.com/ssltest/analyze.html?d=dumps.wikimedia.org (F)
[4] https://www.ssllabs.com/ssltest/analyze.html?d=lists.wikimedia.org (B)

Dzahn added a comment. Via Conduit, Jul 8 2014, 6:11 PM

Meanwhile dumps and lists have been fixed, it seems.

dumps.wikimedia.org
Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224).

lists.wikimedia.org
Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224).

Nemo_bis added a comment. Via Conduit, Jul 8 2014, 6:20 PM

It's a bit impractical to have one comment for each domain. Jan and chmarkine, it would be IMHO more useful if you resurrected https://wikitech.wikimedia.org/wiki/Httpsless_domains to make a table of which domains have https but lack PFS.

gerritbot added a comment. Via Conduit, Jul 8 2014, 6:40 PM

Change 144731 had a related patch set uploaded by Dzahn:
update SSL cipher list for gerrit to support PFS

https://gerrit.wikimedia.org/r/144731

gerritbot added a comment. Via Conduit, Jul 8 2014, 6:51 PM

Change 144734 had a related patch set uploaded by Dzahn:
update SSL cipher list for OTRS to support PFS

https://gerrit.wikimedia.org/r/144734

gerritbot added a comment. Via Conduit, Jul 8 2014, 6:57 PM

Change 144736 had a related patch set uploaded by Dzahn:
update SSL cipher list on wikitech to support PFS

https://gerrit.wikimedia.org/r/144736

Dzahn added a comment. Via Conduit, Jul 8 2014, 7:26 PM

All services behind the misc. varnish cluster should be fixed now. They were lacking an nginx restart on cp1043/cp1044, which I did now.

this should have fixed all these:

doc
git
gdash
graphite
parsoid-tests
performance
integration
releases
legalpad
logstash
scholarships

gerritbot added a comment. Via Conduit, Jul 8 2014, 8:03 PM

Change 144731 merged by Dzahn:
update SSL cipher list for gerrit to support PFS

https://gerrit.wikimedia.org/r/144731

Chmarkine added a comment. Via Conduit, Jul 9 2014, 7:40 AM

(In reply to Nemo from comment #22)

It's a bit unpractical to have one comment for each domain. Jan and
chmarkine, it would be IMHO more useful if you resurrected
https://wikitech.wikimedia.org/wiki/Httpsless_domains to make a table of
which domains have https but lack PFS.

I made such a list: https://wikitech.wikimedia.org/wiki/User:Chmarkine/HTTPS

It summarizes support status for Forward Secrecy and HSTS. It also shows protocol versions, whether HTTP redirects to HTTPS, links to SSL Labs and SSL Labs grades.

It is an incomplete list. Please feel free to update it or move it to main namespace, if you want!

Dzahn added a comment. Via Conduit, Jul 10 2014, 2:54 PM

also see the older wiki page that just focused on domains without https

https://wikitech.wikimedia.org/wiki/Httpsless_domains

Dzahn added a comment. Via Conduit, Jul 10 2014, 10:43 PM

chmarkine: very nice list, thanks!

I just wanted to add that even though I have those (partly pending) patches to enable it on gerrit, wikitech, otrs... it will not actually work before Apache is also a 2.4 version. But do you agree I should merge already anyway, based on it being an improvement anyway? Then it would just automatically be supported as soon as Apache will be upgraded.

Chmarkine added a comment. Via Conduit, Jul 11 2014, 2:56 AM

(In reply to Daniel Zahn from comment #30)

chmarkine: very nice list, thanks!

I just wanted to add that even though I have those (partly pending) patches
to enable it on gerrit, wikitech, otrs... it will not actually work before
Apache is also a 2.4 version. But do you agree I should merge already
anyway, based on it being an improvement anyway? Then it would just
automatically be supported as soon as Apache will be upgraded.

I agree! I think we should definitely merge them.

gerritbot added a comment. Via Conduit, Jul 11 2014, 6:03 PM

Change 144734 merged by Dzahn:
update SSL cipher list for OTRS to support PFS

https://gerrit.wikimedia.org/r/144734

gerritbot added a comment. Via Conduit, Jul 11 2014, 8:29 PM

Change 144736 merged by Dzahn:
update SSL cipher list on wikitech to support PFS

https://gerrit.wikimedia.org/r/144736

gerritbot added a comment. Via Conduit, Jul 15 2014, 6:39 PM

Change 146510 had a related patch set uploaded by Chmarkine:
update SSL ciphers for contacts.wm.org to support PFS

https://gerrit.wikimedia.org/r/146510

gerritbot added a comment. Via Conduit, Jul 16 2014, 4:56 PM

Change 146510 merged by Dzahn:
update SSL ciphers for contacts.wm.org to support PFS

https://gerrit.wikimedia.org/r/146510

gerritbot added a comment. Via Conduit, Jul 17 2014, 2:26 PM

Change 147110 had a related patch set uploaded by Chmarkine:
update SSL ciphers for Ganglia to support PFS

https://gerrit.wikimedia.org/r/147110

gerritbot added a comment. Via Conduit, Jul 17 2014, 3:34 PM

Change 147123 had a related patch set uploaded by Chmarkine:
update SSL ciphers for noc.wikimedia.org to support PFS

https://gerrit.wikimedia.org/r/147123

gerritbot added a comment. Via Conduit, Jul 17 2014, 3:54 PM

Change 147110 merged by Dzahn:
update SSL ciphers for Ganglia to support PFS

https://gerrit.wikimedia.org/r/147110

Dzahn added a comment. Via Conduit, Jul 17 2014, 4:39 PM

Why does ganglia still get a B from Qualys SSL Labs after the change, while others are fine?

gerritbot added a comment. Via Conduit, Jul 17 2014, 5:05 PM

Change 147123 merged by Dzahn:
update SSL ciphers for noc.wikimedia.org to support PFS

https://gerrit.wikimedia.org/r/147123

JanZerebecki added a comment. Via Conduit, Jul 17 2014, 6:26 PM

It is B for ganglia because a libssl and Apache that old do not support newer TLS versions. ganglia / nickel.wikimedia.org is still on Ubuntu Lucid.

gerritbot added a comment. Via Conduit, Jul 18 2014, 11:26 AM

Change 147185 had a related patch set uploaded by JanZerebecki:
racktables - update SSL cipher list

https://gerrit.wikimedia.org/r/147185

gerritbot added a comment. Via Conduit, Jul 18 2014, 11:29 AM

Change 147196 had a related patch set uploaded by JanZerebecki:
smokeping - update SSL cipher list

https://gerrit.wikimedia.org/r/147196

gerritbot added a comment. Via Conduit, Jul 18 2014, 11:37 AM

Change 147199 had a related patch set uploaded by JanZerebecki:
etherpad - update SSL cipher list

https://gerrit.wikimedia.org/r/147199

gerritbot added a comment. Via Conduit, Jul 18 2014, 11:49 AM

Change 147207 had a related patch set uploaded by JanZerebecki:
icinga - update SSL cipher list

https://gerrit.wikimedia.org/r/147207

gerritbot added a comment. Via Conduit, Jul 18 2014, 12:13 PM

Change 147208 had a related patch set uploaded by JanZerebecki:
generic_vhost (webserver) - update SSL ciphers

https://gerrit.wikimedia.org/r/147208

gerritbot added a comment. Via Conduit, Jul 18 2014, 12:17 PM

Change 147214 had a related patch set uploaded by JanZerebecki:
metrics - update SSL cipher list

https://gerrit.wikimedia.org/r/147214

gerritbot added a comment. Via Conduit, Jul 18 2014, 4:11 PM

Change 147196 abandoned by Dzahn:
smokeping - update SSL cipher list

https://gerrit.wikimedia.org/r/147196

gerritbot added a comment. Via Conduit, Jul 18 2014, 5:01 PM

Change 147199 merged by Dzahn:
etherpad - update SSL cipher list

https://gerrit.wikimedia.org/r/147199

gerritbot added a comment. Via Conduit, Jul 18 2014, 8:56 PM

Change 147185 merged by Dzahn:
racktables - update SSL cipher list

https://gerrit.wikimedia.org/r/147185

gerritbot added a comment. Via Conduit, Jul 18 2014, 9:38 PM

Change 147214 merged by Dzahn:
metrics - update SSL cipher list

https://gerrit.wikimedia.org/r/147214

gerritbot added a comment. Via Conduit, Jul 19 2014, 4:31 AM

Change 147715 had a related patch set uploaded by Chmarkine:
rt -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147715

gerritbot added a comment. Via Conduit, Jul 19 2014, 2:37 PM

Change 147739 had a related patch set uploaded by Chmarkine:
blog -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147739

gerritbot added a comment. Via Conduit, Jul 19 2014, 3:11 PM

Change 147740 had a related patch set uploaded by Chmarkine:
ishmael -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147740

gerritbot added a comment. Via Conduit, Jul 22 2014, 4:03 AM

Change 147739 abandoned by Chmarkine:
blog -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/147739

gerritbot added a comment. Via Conduit, Jul 23 2014, 9:13 AM

Change 148618 had a related patch set uploaded by Chmarkine:
tendril -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/148618

gerritbot added a comment. Via Conduit, Jul 23 2014, 9:47 AM

Change 148624 had a related patch set uploaded by Chmarkine:
planet -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/148624

gerritbot added a comment. Via Conduit, Jul 23 2014, 10:31 AM

Change 148631 had a related patch set uploaded by Chmarkine:
svn -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/148631

gerritbot added a comment. Via Conduit, Jul 25 2014, 8:25 AM

Change 149267 had a related patch set uploaded by Chmarkine:
icinga-admin -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/149267

gerritbot added a comment. Via Conduit, Jul 25 2014, 3:32 PM

Change 149267 merged by Dzahn:
icinga-admin -- update cipher suite list to support PFS

https://gerrit.wikimedia.org/r/149267

Chmarkine added a comment. Via Conduit, Nov 20 2014, 11:59 PM

I just found that https://payments.wikimedia.org is still using the old cipher suite list:

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

https://www.ssllabs.com/ssltest/analyze.html?d=payments.wikimedia.org

gerritbot added a comment. Via Conduit, Dec 9 2014, 10:38 PM

Change 178676 had a related patch set uploaded (by JanZerebecki):
Change ru.wikinews.org to HTTPS only.

https://gerrit.wikimedia.org/r/178676

Patch-For-Review

Dzahn added a comment. Via Web, Dec 10 2014, 2:19 PM

Fundraising-tech should be added for the payments.wm.org comment above

gerritbot added a subscriber: gerritbot. Via Conduit, Mar 2 2015, 7:51 PM

Change 178676 abandoned by JanZerebecki:
Change ru.wikinews.org to HTTPS only.

Reason:
Was done elsewhere.

https://gerrit.wikimedia.org/r/178676

Aklapper added a subscriber: Aklapper. Via Web, Mar 9 2015, 2:10 PM

All Gerrit patchsets linked in this ticket are merged or abandoned.

What's left to do here?

Aklapper removed a project: Patch-For-Review. Via Web, Mar 9 2015, 2:10 PM
Aklapper set Security to None.
JanZerebecki added a comment. Via Web, Mar 9 2015, 3:19 PM

A few servers still do not provide forward secrecy because they need to be upgraded to apache 2.4 to support that. See: https://wikitech.wikimedia.org/wiki/HTTPS/domains

Also we still offer non-FS ciphers, but maybe disabling non-forward-secrecy should be a different task.

Krenair added a subscriber: Krenair. Via Web, Wed, Mar 25, 4:58 AM
Tony_Tan_98 added a subscriber: Tony_Tan_98. Via Web, Sun, Mar 29, 6:22 PM
DaBPunkt added a subscriber: DaBPunkt. Edited. Via Web, Tue, Mar 31, 2:04 PM

Guys, while it is true that Apache 2.2 doesn't support ECDHE, it supports DHE just fine. And DHE IS PFS. I know that it is a bit slower, but does it really matter for these web servers?

Dzahn added a comment. Via Web, Tue, Mar 31, 4:45 PM

We are currently using this:

'compat' => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!DH',

whether it's Apache 2.2 or 2.4

Dzahn added a comment. Via Web, Tue, Mar 31, 6:23 PM

T83471 - seems like a duplicate of this but was resolved and not visibly public, fixed that

T91504 - OTRS SSL config (this is ticket.wikimedia.org in the linked list above)

T86655 - re: SVN (will probably be rejected in favor of decom)

T82698 - blocker for lists.wm

RT - will probably be rejected in favor of decom? needs ticket though?

T94585 - wikitech-static, needs distro upgrade, ticket created

that leaves from the list: gerrit? librenms? icinga?

JanZerebecki added a comment. Via Web, Tue, Mar 31, 6:52 PM

In this case server load is the least of the concerns. Enabling non-EC DHE ciphers may be acceptable. It is necessary if we want to disable non-FS ciphers, which is desirable. Work on this in general is not blocked by the upgrade.

But there is a big downside to enabling non-EC DHE ciphers on older apaches: they only support something like 1k bit DH parameters. Which means one would decrease key size. I suggest to not enable non-EC DHE on older apaches, but to upgrade them.
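Added example (not code from this ticket, nor from Wikimedia's puppet or nginx configuration): a stdlib-only Python audit that does offline what the SSL Labs checks quoted throughout this task did against live servers. It classifies suite names by key exchange in both the IANA form SSL Labs prints (the five suites in the original report) and the OpenSSL form used in the 'compat' string above, pulls the explicitly named suites out of that string (skipping the AES128/AES256/HIGH group keywords and noting that the !DH exclusion drops every DHE suite, the trade-off Jan and DaBPunkt discuss), and simulates which suite the server picks for a client that does and does not support ECDHE, with and without server-preferred ordering. The two client offers, and the plain RSA suites assumed to come out of the keyword expansion, are constructed here and labelled as such; the real expansion for a given OpenSSL build comes from `openssl ciphers -v`.

```python
"""Offline forward-secrecy audit of TLS cipher suite lists.

Added example for this ticket, not code from Wikimedia's puppet or nginx config.
Classifies suite names by key exchange (IANA names as printed by SSL Labs and
OpenSSL names as used in server configs), extracts the explicitly named suites
from an OpenSSL cipher string, and simulates which suite a server selects for a
given client, so the effect of cipher order on forward secrecy can be checked.
"""

# Key exchanges that generate a fresh (EC)DH key per handshake. Only these give
# forward secrecy: a later theft of the server's RSA/ECDSA key cannot recover
# the session keys of recorded traffic. EDH is OpenSSL's older spelling of DHE.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}

# Prefixes OpenSSL puts on a suite name to state its key exchange; a name with
# none of them (AES128-SHA, RC4-SHA, DES-CBC3-SHA) means RSA key transport.
OPENSSL_KX_PREFIXES = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP"}


def key_exchange(suite):
    """Key-exchange method named by a cipher suite.

    IANA:    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE, SSL_RSA_WITH_RC4_128_SHA -> RSA
    OpenSSL: ECDHE-ECDSA-AES256-SHA384 -> ECDHE,            AES128-GCM-SHA256 -> RSA
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key-exchange field because
    TLS 1.3 only permits ephemeral (EC)DHE; they are reported as ECDHE.
    """
    name = suite.strip().upper()
    if name.startswith(("TLS_", "SSL_")):
        if "_WITH_" not in name:
            return "ECDHE"  # TLS 1.3 suite, ephemeral by definition
        kx = name.split("_WITH_", 1)[0].split("_", 1)[1]  # "ECDHE_RSA", "RSA", "ECDH_ECDSA"
        return kx.split("_", 1)[0]
    first = name.split("-", 1)[0]
    return first if first in OPENSSL_KX_PREFIXES else "RSA"


def is_forward_secret(suite):
    return key_exchange(suite) in EPHEMERAL_KX


def split_by_forward_secrecy(suites):
    """Partition a suite list into (forward-secret, not-forward-secret)."""
    fs = [s for s in suites if is_forward_secret(s)]
    return fs, [s for s in suites if not is_forward_secret(s)]


def explicit_suites(cipher_string):
    """Explicitly named suites in an OpenSSL cipher string, in server order.

    Exclusions (!X, -X), ordering hints (+X, @STRENGTH) and group keywords such
    as AES128, AES256 or HIGH are skipped; the heuristic is that suite names are
    hyphenated and keywords are single words. Keywords expand to build-dependent
    sets of suites, so the authoritative list is `openssl ciphers -v '<string>'`.
    """
    return [tok for tok in cipher_string.split(":")
            if tok and tok[0] not in "!-+@" and "-" in tok]


def negotiate(server_list, client_offer, prefer_server=True):
    """Suite a TLS 1.2 server picks from the client's offer, or None.

    With nginx `ssl_prefer_server_ciphers on` (Apache `SSLHonorCipherOrder on`)
    the server walks its own list and takes the first suite the client also
    offered; with it off, the client's ordering decides.
    """
    first, second = (server_list, client_offer) if prefer_server else (client_offer, server_list)
    available = {s.upper() for s in second}
    return next((s for s in first if s.upper() in available), None)


# Suites SSL Labs reported for en.wikipedia.org in the original report (IANA names).
REPORT_2013 = [
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# The 'compat' cipher string posted in the thread (copied from the ticket).
COMPAT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!DH"
)

# Constructed client offers (assumed, not captured): a browser with ECDHE that
# happens to list a plain RSA suite first, and a legacy client of the IE 6-8 on
# Windows XP class that offers only RSA key transport with RC4/3DES/AES-CBC.
MODERN_CLIENT = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA"]
LEGACY_CLIENT = ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA", "AES128-SHA", "AES256-SHA"]

# What the server offers: the explicit suites from COMPAT followed by the plain
# RSA suites the AES128/AES256/HIGH keywords are assumed to expand to (an
# approximation; `openssl ciphers -v` gives the real expansion for a build).
SERVER_LIST = explicit_suites(COMPAT) + ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]


if __name__ == "__main__":
    fs, non_fs = split_by_forward_secrecy(REPORT_2013)
    print("2013 report: %d forward-secret, %d not" % (len(fs), len(non_fs)))
    fs, non_fs = split_by_forward_secrecy(explicit_suites(COMPAT))
    print("compat string (explicit names): %d forward-secret, %d not" % (len(fs), len(non_fs)))
    for label, client in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        picked = negotiate(SERVER_LIST, client)
        print("%s client -> %s (forward secret: %s)" % (label, picked, is_forward_secret(picked)))
    print("modern client, client order wins ->", negotiate(SERVER_LIST, MODERN_CLIENT, prefer_server=False))
```

Run as a script it reports that none of the five 2013 suites is forward secret, that the compat string names twelve ECDHE suites and two plain RSA suites before the keywords, and that with server-preferred ordering the ECDHE-capable client gets ECDHE-RSA-AES128-GCM-SHA256 even though it listed AES128-SHA first, while the legacy client falls back to AES128-SHA. That fallback is the compatibility trade-off the thread describes: cutting the non-FS tail of the string would make negotiate() return None for such a client, i.e. a failed handshake, which is why dropping non-FS ciphers is treated as a separate task from adding FS ones.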
