[Mozilla Enterprise] Is it possible to put security.tls.version.enable-deprecated in the Firefox ESR ADMX template in a near future?
pascal.wulleput at orange.com
pascal.wulleput at orange.com
Thu Feb 4 18:57:44 UTC 2021
Hello Mike,
Thanks a lot for your reply and for confirming that you'll take care of this in the GPO ADMX.
It will make it a lot easier for us down here.
Can I ask you when you plan to release this update?
Let me just try to explain to you what our objective is:
Today's setup on our side is, thanks to GPO:
- TLSmin 1.0
- TLSmax 1.3
==> Users: are happy because there is no popup, no warning, no blocking when they access sites in TLS 1.0/1.1
==> IT teams: are worried because
1) We are not happy with the level of security offered to ALL users (no matter whether they use old TLS versions or not). I mean, for a few old sites we have to keep all TLS versions alive.
2) With such a configuration we can't inventory precisely who accesses sites with such old TLS versions, and therefore we can't take any proactive action on this situation.
3) We know that sooner or later, but quite soon, you guys at Mozilla will no longer support TLS 1.0/1.1. What will happen at that time if we have not addressed these usages…
Solutions we have been thinking of are
1) We force TLSmin to 1.2 right now
a. Good for security
b. Bad for users, who will lose connectivity to TLS 1.0/1.1 sites; this could also be the case for sites on the internet which are not TLS 1.2 compatible
2) We remove TLSmin 1.0 and TLSmax 1.3
a. Good and bad for security
i. We go back to the native behaviour (= TLS 1.0/1.1 disabled by default)
ii. Only users in the old-TLS-version use cases will get a warning popup, and thanks to the button provided they will be able to override the warning. This action will set tls-deprecated to TRUE
iii. The problem is that this will set tls-deprecated to TRUE for ALL sites, and so by doing this once the user will PERMANENTLY decrease the security of his FF ESR
iv. As soon as it has been applied (first occurrence), the other TLS 1.0/1.1 connections to other sites will be unknown. This is not at all what we want
3) If we can FORCE tls-deprecated = FALSE with a GPO setting (our request) and we remove TLSmin 1.0 and TLSmax 1.3 with the GPO, then
a. We have the same advantages as in 2), plus
i. This time the downgrade of the security level is TEMPORARY, and it only happens if the user is in the TLS 1.0/1.1 use cases
ii. The fact that the warning popup appears for those in the use cases will improve the reporting on them
iii. We send a clear message to old-TLS site admins and at the same time offer them the possibility to react before you guys stop supporting old TLS versions
iv. We propose a solution that helps admins and does not block users
v. The drawback of solution 3) is that we push back the deadline we gave site admins.
I hope this helps you, Mickael, and that you all understand our strategy and why we would really appreciate this change on your side.
The alternative for us would be to manage it at the .CFG level, but then we have to push this file back out to all users…
Thanks again Mike
Bien Cordialement / Best Regards
[logo Orange]<http://www.orange.com/>
“Preparing the future, powering the present”
Pascal Wulleput
Orange Technology and Global Innovation – TGI
Orange Labs Services – OLS
Digital Infrastructure & End-to-end Secure Environments – DIESE
Digital Workspace Services – DWS
e-buro, Services & Maintenances – ESM
tel: +33 633 467 082
pascal.wulleput at orange.com<mailto:pascal.wulleput at orange.com>
From: Enterprise [mailto:enterprise-bounces at mozilla.org] On behalf of Mike Kaply
Sent: Wednesday, 3 February 2021 16:56
To: TARLO Marius OBS/OCB <marius.tarlo at orange.com>
Cc: CHAPOT Frederic DTSI/DSI <frederic.chapot at orange.com>; enterprise at mozilla.org; CHEMINEL Mickael DTSI/DISU <mickael.cheminel at orange.com>
Subject: Re: [Mozilla Enterprise] Is it possible to put security.tls.version.enable-deprecated in the Firefox ESR ADMX template in a near future?
After discussion, I'll add this one to policy.
Mike
On Mon, Feb 1, 2021 at 11:08 AM Mike Kaply <mkaply at mozilla.com<mailto:mkaply at mozilla.com>> wrote:
I'm curious as to why you want this?
It's not the users' fault that they are running into TLS 1.0/1.1 sites. Where are these TLS 1.0/1.1 sites coming from? Are they internal sites that need to be upgraded?
What you're proposing will train your users to click "bypass" on security pages like that which I don't think you want to do.
Mike Kaply
On Mon, Feb 1, 2021 at 5:06 AM <marius.tarlo at orange.com<mailto:marius.tarlo at orange.com>> wrote:
Hello,
We currently have TLS enabled from 1.0 to 1.3 (SSLversionmin set to 1 and SSLversionmax set to 1.3), and we would like to set up the following configuration:
- Remove the 2 parameters SSLversionmin and SSLversionmax
- When the user browses a TLS 1.0 or TLS 1.1 site, it shows an "SSL_ERROR_UNSUPPORTED_VERSION" error, with a button "Enable TLS 1.0 and 1.1": we would like to have this error message appear every time the user launches Firefox (we don't want the user to click it once and have security.tls.version.enable-deprecated set to true forever; we want the user to have to click it every time)
It would be easy to set this up by setting security.tls.version.enable-deprecated to false in the GPO (then it's set to false when the user launches Firefox, and if he clicks the button, it's set to true temporarily during his session, but the next time he launches it would be reset to false again)
But unfortunately for us, it’s not in the Preferences part of the ADMX (https://github.com/mozilla/policy-templates/blob/v2.7/README.md#preferences)
Would it be possible to have it added in the ADMX in a near future?
Thank you very much for your answer!
Cordialement / Best regards,
[http://www.orange.com/sirius/logos_mail/orange_logo.gif]<http://www.orange.com/>
Marius TARLO
Maintenance e-buro
Orange/OBS/SCE/OCB SUBS/DACF/DS/CS/TMI ORA
Orange/TGI/OLS/DIESE/DWS/ESM
tel. +33 1 42 75 34 25
marius.tarlo at orange.com<mailto:marius.tarlo at orange.com>
_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
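The three configurations compared in this thread (force TLS 1.2, fall back to browser defaults, or browser defaults plus the deprecated-TLS pref pinned by policy), written out as a Firefox enterprise policies.json and sanity-checked. This is an added example, not code from the thread, from Mozilla or from the policy-templates project. It assumes the policies.json layout documented in the policy-templates README (SSLVersionMin/SSLVersionMax taking the tokens tls1, tls1.1, tls1.2, tls1.3, and a Preferences policy keyed by pref name with "Value" and "Status"), and a Firefox/ESR release whose Preferences policy accepts security.tls.version.enable-deprecated, which the v2.7 template referenced above does not yet. Which "Status" value makes the pref reset at every launch rather than merely set its default must be checked against the README for the ESR in use; "user" is assumed here.

```python
"""Build and sanity-check policies.json variants for the TLS 1.0/1.1 question.

Added example, not Mozilla's or the policy-templates project's code.
Assumed: policies.json layout from the policy-templates README, and a
release whose Preferences policy accepts security.tls.version.enable-deprecated.
"""
import json

# Tokens accepted by SSLVersionMin/SSLVersionMax, oldest first (used for the min <= max check).
TLS_VERSIONS = ["tls1", "tls1.1", "tls1.2", "tls1.3"]
DEPRECATED_PREF = "security.tls.version.enable-deprecated"
VALID_STATUS = ("default", "user", "locked", "clear")


def option1_force_tls12():
    """Option 1 from the thread: force TLS >= 1.2 for everyone; TLS 1.0/1.1 sites break."""
    return {"policies": {"SSLVersionMin": "tls1.2", "SSLVersionMax": "tls1.3"}}


def option2_browser_defaults():
    """Option 2: drop both min/max policies. The user's one-click override then persists."""
    return {"policies": {}}


def option3_per_session_override(status="user"):
    """Option 3: browser defaults plus the deprecated-TLS pref pinned to false by policy,
    so the override from the error page does not survive a restart.
    "user" as the Status that re-applies at every launch is an assumption."""
    return {"policies": {"Preferences": {DEPRECATED_PREF: {"Value": False, "Status": status}}}}


def validate(doc):
    """Return a list of problems (empty list = OK) for a policies.json dict."""
    problems = []
    policies = doc.get("policies", {})
    lo, hi = policies.get("SSLVersionMin"), policies.get("SSLVersionMax")
    for key, val in (("SSLVersionMin", lo), ("SSLVersionMax", hi)):
        if val is not None and val not in TLS_VERSIONS:
            problems.append(f"{key}: unknown value {val!r}")
    if lo in TLS_VERSIONS and hi in TLS_VERSIONS and TLS_VERSIONS.index(lo) > TLS_VERSIONS.index(hi):
        problems.append("SSLVersionMin is above SSLVersionMax")
    entry = policies.get("Preferences", {}).get(DEPRECATED_PREF)
    if entry is not None:
        if not isinstance(entry.get("Value"), bool):
            problems.append(f"{DEPRECATED_PREF}: Value must be a boolean")
        if entry.get("Status") not in VALID_STATUS:
            problems.append(f"{DEPRECATED_PREF}: bad Status {entry.get('Status')!r}")
        if lo in ("tls1", "tls1.1"):
            # The minimum already admits old TLS, so the error page never appears
            # and pinning the pref changes nothing: the two mechanisms conflict.
            problems.append("SSLVersionMin already allows TLS 1.0/1.1; the deprecated pref is moot")
    return problems


def render(doc):
    """Serialise as the policies.json text Firefox reads from the distribution directory."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for build in (option1_force_tls12, option2_browser_defaults, option3_per_session_override):
        doc = build()
        print(f"# {build.__name__}: {validate(doc) or 'OK'}")
        print(render(doc))
```

Running the script prints each variant with its check result; feeding the output of option 3 to `validate` with an SSLVersionMin of tls1 added, as the thread's current GPO does, reports the conflict so the two settings are not shipped together by mistake.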