Last modified: 2014-11-20 23:59:13 UTC
Forward Secrecy capable ciphers are not currently available on wikipedia.org. The only ciphers available on wikipedia.org are:
* SSL_RSA_WITH_RC4_128_SHA
* SSL_RSA_WITH_RC4_128_MD5
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
Source: https://www.ssllabs.com/ssltest/analyze.html?d=en.wikipedia.org
None of which offer Forward Secrecy. Could this please be added to wikipedia's servers?
Where can I find more information? https://en.wikipedia.org/wiki/Perfect_forward_secrecy ?
The blog post [1] explains that the "forward secrecy" property only adds +15% CPU load for ECDHE ciphers, but +300% for simple DHE ciphers. Probably the Operations team should carefully review this bug before activating it, for performance reasons. Nowadays only Chromium and Firefox support FS, Opera only supports DHE ciphers and Internet Explorer doesn't support FS; I don't know about Safari. This other blog post [2] (and blog) explains how Google configured FS: why they chose ECDHE (this performance reason) and how they configured session tickets.
[1] http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html
[2] https://www.imperialviolet.org/2011/11/22/forwardsecret.html
Google is already supporting Forward Secrecy for SSL connections. The deployment of Forward Secrecy must be done carefully, especially when SSL session IDs are used. But SSL session IDs can help reduce the overhead of Forward Secrecy:
https://www.imperialviolet.org/2013/06/27/botchingpfs.html
http://blog.ivanristic.com/2013/06/ssl-labs-deploying-forward-secrecy.html
http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
http://blog.ivanristic.com/2013/08/increasing-dhe-strength-on-apache.html
There have been some questions about backdoors in ECDHE ciphers:
https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
According to https://wikitech.wikimedia.org/wiki/HTTPS/Future_work this is in the plans already (second bullet), adjusting fields.
https://gerrit.wikimedia.org/r/#/c/132393/
Change 132393 had a related patch set uploaded by MZMcBride: Improve nginx TLS/SSL settings. https://gerrit.wikimedia.org/r/132393
Giuseppe tested the settings, proving the load is not a problem, and thanks to this the change is now scheduled for next week! https://wikitech.wikimedia.org/wiki/Deployments#deploycal-item-20140701T1000
The load may not be a problem for our servers, but I'd like to know whether there is a potential impact on user experience, and whether an attempt has been made to quantify it.
Change 132393 merged by Giuseppe Lavagetto: Improve nginx TLS cipher list & session timeout https://gerrit.wikimedia.org/r/132393
The change is now live. Thanks Giuseppe!
For the potential impact on HTTPS clients Chris Steipp told me on IRC he looked into what I assume is EventLogging data and later told me that Oliver had done some analysis work on that. I wanted to ask Oliver if he could publish his queries (or SQL and R code or whatever he used), but haven't yet done so (feel free to do that). The idea was also to compare before and after deployment. It would be interesting if we could publish an aggregated and anonymized analysis of the before and after comparison.
(In reply to Jan Zerebecki from comment #11)
> It would be interesting if we could publish an aggregated
> and anonymized analysis of the before and after comparison.
You know about:
* https://gdash.wikimedia.org/dashboards/frontend/ ,
* http://ur1.ca/hn8fi
* and any other graphite graph you may desire, don't you?
None of those on gdash differentiate between HTTP and HTTPS. I do not have full graphite access, so the ability to create something that might help may exist.
gerrit.wikimedia.org still does not support Forward Secrecy.
* https://www.ssllabs.com/ssltest/analyze.html?d=gerrit.wikimedia.org
wikitech.wikimedia.org also doesn't support Forward Secrecy. More importantly, SSL Labs says Wikitech server is "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".
* https://www.ssllabs.com/ssltest/analyze.html?d=wikitech.wikimedia.org
(In reply to chmarkine from comment #15)
> wikitech.wikimedia.org also doesn't support Forward Secrecy.
>
> More importantly, SSL Labs says Wikitech server is "vulnerable to the
> OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable".
>
> * https://www.ssllabs.com/ssltest/analyze.html?d=wikitech.wikimedia.org
F to A- now
Yes and there are more sites that still lack forward secrecy. Now that there is an acceptable configuration with FS we can just apply that one to them. Some like wikitech and gerrit can probably use one that is less backwards compatible (like no SSL3, disable RC4, difficult: disable non-fs ciphers).
I agree with Jan. I think disabling SSL3 and non-fs ciphers is feasible, because only IE 6-8 on XP do not support any FS ciphers, only IE 6 does not support TLS 1.0 or higher, and even IE 7 on Vista supports ECDHE. Also ticket.wikimedia.org does not support PFS. So all together:
* gerrit.wikimedia.org
* wikitech.wikimedia.org
* ticket.wikimedia.org
https://www.ssllabs.com/ssltest/analyze.html?d=ticket.wikimedia.org
I just find more and more sites with no FS:
* gerrit.wikimedia.org
* wikitech.wikimedia.org
* ticket.wikimedia.org
* lists.wikimedia.org
* dumps.wikimedia.org
* graphite.wikimedia.org
* gdash.wikimedia.org
Again, graphite.wikimedia.org, gdash.wikimedia.org and dumps.wikimedia.org are "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable". lists.wikimedia.org is "vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224), but probably not exploitable", and lists.wikimedia.org does not support TLS 1.1 and TLS 1.2.
[1] https://www.ssllabs.com/ssltest/analyze.html?d=graphite.wikimedia.org (F)
[2] https://www.ssllabs.com/ssltest/analyze.html?d=gdash.wikimedia.org (F)
[3] https://www.ssllabs.com/ssltest/analyze.html?d=dumps.wikimedia.org (F)
[4] https://www.ssllabs.com/ssltest/analyze.html?d=lists.wikimedia.org (B)
See also: https://bugzilla.wikimedia.org/show_bug.cgi?id=67564
Meanwhile dumps and lists have been fixed, it seems:
dumps.wikimedia.org: Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224).
lists.wikimedia.org: Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224).
It's a bit unpractical to have one comment for each domain. Jan and chmarkine, it would be IMHO more useful if you resurrected https://wikitech.wikimedia.org/wiki/Httpsless_domains to make a table of which domains have https but lack PFS.
Change 144731 had a related patch set uploaded by Dzahn: update SSL cipher list for gerrit to support PFS https://gerrit.wikimedia.org/r/144731
Change 144734 had a related patch set uploaded by Dzahn: update SSL cipher list for OTRS to support PFS https://gerrit.wikimedia.org/r/144734
Change 144736 had a related patch set uploaded by Dzahn: update SSL cipher list on wikitech to support PFS https://gerrit.wikimedia.org/r/144736
All services behind the misc. varnish cluster should be fixed now. They were lacking an nginx restart on cp1043/cp1044, which I did now. This should have fixed all these:
* doc
* git
* gdash
* graphite
* parsoid-tests
* performance
* integration
* releases
* legalpad
* logstash
* scholarships
Change 144731 merged by Dzahn: update SSL cipher list for gerrit to support PFS https://gerrit.wikimedia.org/r/144731
(In reply to Nemo from comment #22)
> It's a bit unpractical to have one comment for each domain. Jan and
> chmarkine, it would be IMHO more useful if you resurrected
> https://wikitech.wikimedia.org/wiki/Httpsless_domains to make a table of
> which domains have https but lack PFS.
I made such a list: https://wikitech.wikimedia.org/wiki/User:Chmarkine/HTTPS
It summarizes support status for Forward Secrecy and HSTS. It also shows protocol versions, whether HTTP redirects to HTTPS, links to SSL Labs and SSL Labs grades. It is an incomplete list. Please feel free to update it or move it to main namespace, if you want!
also see the older wiki page that just focused on domains without https https://wikitech.wikimedia.org/wiki/Httpsless_domains
chmarkine: very nice list, thanks! I just wanted to add that even though I have those (partly pending) patches to enable it on gerrit, wikitech, otrs, it will not actually work before Apache is also a 2.4 version. But do you agree I should merge already anyway, based on it being an improvement anyway? Then it would just automatically be supported as soon as Apache is upgraded.
(In reply to Daniel Zahn from comment #30)
> chmarkine: very nice list, thanks!
>
> I just wanted to add that even though i have those (partly pending) patches
> to enable it on gerrit,wikitech,otrs ..it will not actually work before
> Apache is also a 2.4 version. But do you agree i should merge already
> anyways,based on it being an improvement anyways? Then it would just
> automatically be supported as soon as Apache will be upgraded.
I agree! I think we should definitely merge them.
Change 144734 merged by Dzahn: update SSL cipher list for OTRS to support PFS https://gerrit.wikimedia.org/r/144734
Change 144736 merged by Dzahn: update SSL cipher list on wikitech to support PFS https://gerrit.wikimedia.org/r/144736
Change 146510 had a related patch set uploaded by Chmarkine: update SSL ciphers for contacts.wm.org to support PFS https://gerrit.wikimedia.org/r/146510
Change 146510 merged by Dzahn: update SSL ciphers for contacts.wm.org to support PFS https://gerrit.wikimedia.org/r/146510
Change 147110 had a related patch set uploaded by Chmarkine: update SSL ciphers for Ganglia to support PFS https://gerrit.wikimedia.org/r/147110
Change 147123 had a related patch set uploaded by Chmarkine: update SSL ciphers for noc.wikimedia.org to support PFS https://gerrit.wikimedia.org/r/147123
Change 147110 merged by Dzahn: update SSL ciphers for Ganglia to support PFS https://gerrit.wikimedia.org/r/147110
Why does ganglia still get a B from Qualys SSL Labs after the change, while others are fine?
Change 147123 merged by Dzahn: update SSL ciphers for noc.wikimedia.org to support PFS https://gerrit.wikimedia.org/r/147123
It is B for ganglia because such an old libssl and apache do not support newer TLS versions. ganglia / nickel.wikimedia.org is still on Ubuntu Lucid.
Change 147185 had a related patch set uploaded by JanZerebecki: racktables - update SSL cipher list https://gerrit.wikimedia.org/r/147185
Change 147196 had a related patch set uploaded by JanZerebecki: smokeping - update SSL cipher list https://gerrit.wikimedia.org/r/147196
Change 147199 had a related patch set uploaded by JanZerebecki: etherpad - update SSL cipher list https://gerrit.wikimedia.org/r/147199
Change 147207 had a related patch set uploaded by JanZerebecki: icinga - update SSL cipher list https://gerrit.wikimedia.org/r/147207
Change 147208 had a related patch set uploaded by JanZerebecki: generic_vhost (webserver) - update SSL ciphers https://gerrit.wikimedia.org/r/147208
Change 147214 had a related patch set uploaded by JanZerebecki: metrics - update SSL cipher list https://gerrit.wikimedia.org/r/147214
Change 147196 abandoned by Dzahn: smokeping - update SSL cipher list https://gerrit.wikimedia.org/r/147196
Change 147199 merged by Dzahn: etherpad - update SSL cipher list https://gerrit.wikimedia.org/r/147199
Change 147185 merged by Dzahn: racktables - update SSL cipher list https://gerrit.wikimedia.org/r/147185
Change 147214 merged by Dzahn: metrics - update SSL cipher list https://gerrit.wikimedia.org/r/147214
Change 147715 had a related patch set uploaded by Chmarkine: rt -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/147715
Change 147739 had a related patch set uploaded by Chmarkine: blog -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/147739
Change 147740 had a related patch set uploaded by Chmarkine: ishmael -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/147740
Change 147739 abandoned by Chmarkine: blog -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/147739
Change 148618 had a related patch set uploaded by Chmarkine: tendril -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/148618
Change 148624 had a related patch set uploaded by Chmarkine: planet -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/148624
Change 148631 had a related patch set uploaded by Chmarkine: svn -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/148631
Change 149267 had a related patch set uploaded by Chmarkine: icinga-admin -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/149267
Change 149267 merged by Dzahn: icinga-admin -- update cipher suite list to support PFS https://gerrit.wikimedia.org/r/149267
I just found that https://payments.wikimedia.org is still using the old cipher suite list:
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_RC4_128_SHA
* TLS_RSA_WITH_RC4_128_MD5
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
https://www.ssllabs.com/ssltest/analyze.html?d=payments.wikimedia.org
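The check that comment 0 and the payments.wikimedia.org comment above do by eye (does any suite in the server's list use an ephemeral key exchange?), and the "disable non-fs ciphers" filtering discussed around comment #17, can be automated from the IANA suite names alone. The script below is an added example, not code from this bug or from Wikimedia's puppet/nginx configuration. The two sample lists are the ones quoted in the thread, re-typed as constructed input; the third "FS-capable" list and all function names (`parse_suite`, `has_forward_secrecy`, `audit`, `fs_only`) are my own assumptions. It goes slightly beyond the thread in recognising TLS 1.3 suite names, which carry no key-exchange field because TLS 1.3 always uses ephemeral (EC)DHE.

```python
"""Audit a TLS cipher suite list for forward secrecy (added example, not
part of the original bug thread or of any Wikimedia configuration)."""
import re

# Constructed sample input: the suite list quoted for en.wikipedia.org in comment 0.
ENWIKI_CIPHERS = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Constructed sample input: the suite list quoted for payments.wikimedia.org.
PAYMENTS_CIPHERS = [
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]
# Hypothetical FS-capable list (constructed; not any real server's list).
SAMPLE_FS_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",   # static ECDH: no forward secrecy
    "TLS_RSA_WITH_AES_128_CBC_SHA",        # RSA key transport: no forward secrecy
]

# <proto>_<key exchange>_WITH_<bulk cipher and MAC>, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SUITE_RE = re.compile(r"^(?P<proto>SSL|TLS)_(?P<kex>.+?)_WITH_(?P<bulk>.+)$")
# TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) have no key-exchange field:
# 1.3 always negotiates an ephemeral (EC)DHE key, so they are forward secret.
TLS13_RE = re.compile(r"^TLS_(AES_\d+_(GCM|CCM(_8)?)_SHA\d+|CHACHA20_POLY1305_SHA256)$")


def parse_suite(name):
    """Return (kex, bulk) for an IANA-style suite name, or None if unparseable.
    TLS 1.3 names report kex as 'ECDHE', the only kind of exchange they allow."""
    if TLS13_RE.match(name):
        return "ECDHE", name[len("TLS_"):]
    m = SUITE_RE.match(name)
    if not m:
        return None
    return m.group("kex"), m.group("bulk")


def has_forward_secrecy(name):
    """True only for ephemeral DH (DHE_*) or ephemeral ECDH (ECDHE_*) exchanges.
    Static DH/ECDH (DH_*, ECDH_*) and RSA key transport do not qualify."""
    parsed = parse_suite(name)
    if parsed is None:
        return False
    kex = parsed[0]
    return kex.startswith("ECDHE") or kex.startswith("DHE")


def audit(ciphers):
    """Summarise a server's offered list: FS suites, non-FS suites, RC4 suites.
    'offers_fs' means the server *can* pick an FS suite; whether it will also
    depends on its preference order, which SSL Labs reports separately."""
    report = {"fs": [], "non_fs": [], "rc4": [], "unparsed": []}
    for suite in ciphers:
        parsed = parse_suite(suite)
        if parsed is None:
            report["unparsed"].append(suite)
            continue
        (report["fs"] if has_forward_secrecy(suite) else report["non_fs"]).append(suite)
        if "RC4" in parsed[1]:
            report["rc4"].append(suite)
    report["offers_fs"] = bool(report["fs"])
    return report


def fs_only(ciphers):
    """Keep only forward-secret suites: what 'disable non-fs ciphers' amounts to."""
    return [c for c in ciphers if has_forward_secrecy(c)]


if __name__ == "__main__":
    for host, suites in (("en.wikipedia.org (comment 0)", ENWIKI_CIPHERS),
                         ("payments.wikimedia.org", PAYMENTS_CIPHERS),
                         ("hypothetical FS-capable list", SAMPLE_FS_CIPHERS)):
        r = audit(suites)
        print(f"{host}: offers FS = {r['offers_fs']}, FS suites = {len(r['fs'])}, "
              f"non-FS = {len(r['non_fs'])}, RC4 = {len(r['rc4'])}")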