New issue
Advanced search Search tips
Starred by 18 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Blocked on:
issue 490260



Sign in to add a comment

Increase minimum DH size to 1024 bits (tracking bug)

Project Member Reported by agl@chromium.org, May 20 2015

Issue description

This is a tracking bug for addressing the ecosystem issues raised at https://weakdh.org not that it's public.

See https://groups.google.com/a/chromium.org/d/msg/security-dev/WyGIpevBV1s/68W-VMOoxqkJ for details.
 

Comment 1 by agl@chromium.org, May 20 2015

Cc: f...@chromium.org lgar...@chromium.org agl@chromium.org davidben@chromium.org
 Issue 483724  has been merged into this issue.

Comment 2 by f...@chromium.org, May 20 2015

agl@: Can you share your plans for how the deprecation will go (what UI changes, expected rate of broken sites, etc.)? Would like to help that go smoothly. If you can't share on the (public) bug, e-mail or talk in person on Thurs?
felt: The handshakes are just going to hard fail, no badging or anything. See https://dh480.badssl.com/ for the error from the last time we did this. I'll let agl answer the question in full since I don't know the expected breakage numbers.

Looking at that error, we do need to fix the "Learn more" URL from the last time and update the chromium.org page.

https://code.google.com/p/chromium/codesearch#chromium/src/chrome/common/localized_error.cc&q=ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY&sq=package:chromium&type=cs&l=51

It should be:
https://sites.google.com/a/chromium.org/dev/administrators/err_ssl_weak_server_ephemeral_dh_key
Or perhaps this shorter one:
https://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key

Comment 4 by agl@chromium.org, May 20 2015

felt: we already have a DH minimum size and sites that are under it get a fatal error. (See attached image.)

Microsoft did a security update last week to enforce a 1024-bit minimum and I believe that it also causes a fatal error.

Overall, it looks like about 0.3% of sites with a valid certificate chain will be affected by this.
weakdh.png
32.7 KB View Download

Comment 5 by a...@chromium.org, May 20 2015

Blockedon: chromium:490260
Project Member

Comment 6 by bugdroid1@chromium.org, May 20 2015

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/a7997f12be358e58aeb2345bb8b88a9d53240024

commit a7997f12be358e58aeb2345bb8b88a9d53240024
Author: Adam Langley <agl@google.com>
Date: Fri May 15 00:38:50 2015

Set minimum DH group size to 1024 bits.

DH groups less than 1024 bits are clearly not very safe. Ideally servers
would switch to ECDHE because 1024 isn't great either, but this will
serve for the short term.

BUG= 490240 

Change-Id: Ic9aac714cdcdcbfae319b5eb1410675d3b903a69
Reviewed-on: https://boringssl-review.googlesource.com/4813
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>

[modify] http://crrev.com/a7997f12be358e58aeb2345bb8b88a9d53240024/crypto/dh/dh.c
[modify] http://crrev.com/a7997f12be358e58aeb2345bb8b88a9d53240024/include/openssl/dh.h
[modify] http://crrev.com/a7997f12be358e58aeb2345bb8b88a9d53240024/ssl/s3_clnt.c
[modify] http://crrev.com/a7997f12be358e58aeb2345bb8b88a9d53240024/ssl/test/runner/common.go
[modify] http://crrev.com/a7997f12be358e58aeb2345bb8b88a9d53240024/ssl/test/runner/key_agreement.go
[modify] http://crrev.com/a7997f12be358e58aeb2345bb8b88a9d53240024/ssl/test/runner/runner.go

are DHE suites still going to be considered "modern", now that we know they don't really provide forward secrecy?

"Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections."

Comment 9 by f...@chromium.org, May 20 2015

Re #3: Good point about the "learn more" link. Do you know how to get the help center article updated? LMK if you need help with that.

Do we expect that this will cause a bunch of questions in the help forum? (My guess is yes.) If so it would be good to reach out to Melody with a short statement ready to go.
Project Member

Comment 10 by bugdroid1@chromium.org, May 20 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aa9abe7692a3ee99b69811594938d97cb180351e

commit aa9abe7692a3ee99b69811594938d97cb180351e
Author: avi <avi@chromium.org>
Date: Wed May 20 20:57:17 2015

Use the correct URL for ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY errors.

BUG= 490260 , 490240 
TEST=as in bug

Review URL: https://codereview.chromium.org/1148943002

Cr-Commit-Position: refs/heads/master@{#330799}

[modify] http://crrev.com/aa9abe7692a3ee99b69811594938d97cb180351e/chrome/common/localized_error.cc

Comment 11 by f...@chromium.org, May 20 2015

Re #10: I notice that these are all chromium.org URLs. It might be helpful to have the help center folks actually write a HC article instead, if we think a non-trivial number of people are going to see this. (People search the help center.)

Comment 12 by agl@chromium.org, May 20 2015

felt: I've tweaked https://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key so that it's technically correct but, if you want to make it more human, please go ahead.

There will probably be comments on the help forum, although perhaps we can have Melody direct people to that same help page.
I've also added a link to that page from the deprecation section of the TLS FAQ: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/education/tls?pli=1#TOC-Weak-ephemeral-Diffie-Hellman-Key-Exchange

What would you think of moving https://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key  entirely into the question, and perhaps moving the entire question into a separate page?
Project Member

Comment 14 by bugdroid1@chromium.org, May 20 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b1f400ca05a556848195154c2a5b2f7c15063fd4

commit b1f400ca05a556848195154c2a5b2f7c15063fd4
Author: agl <agl@chromium.org>
Date: Wed May 20 22:59:42 2015

Roll third_party/boringssl/src 96600327:a7997f12

Summary of changes available at:
https://boringssl.googlesource.com/boringssl/+log/96600327..a7997f12

This pulls in the 1024-bit minimum DH group size restriction.

BUG= 490240 

Review URL: https://codereview.chromium.org/1144363002

Cr-Commit-Position: refs/heads/master@{#330828}

[modify] http://crrev.com/b1f400ca05a556848195154c2a5b2f7c15063fd4/DEPS

Comment 15 by agl@chromium.org, May 21 2015

Status: Fixed
lgarron: thanks for adding the link. I'm not sure that I follow you however: surely that "question" is already on a separate page—the page that we're talking about.
I meant: Move info DHE into the TLS FAQ deprecation section (instead of a dedicated DHE page).
And maybe: Move the TLS FAQ deprecation section (four-ish topics) to its own page.

I don't think moving the DHE into the TLS FAQ will help, at least not unless/until there's an HC article.

Moving the TLS FAQ out into its own page I'm neutral on. There have been separate attempts to both consolidate pages and to split pages up, so there are strong opinions on either side historically. Unless you have a strong opinion, it may be better to let inertia carry there.
Alright, status quo sounds fine to me.
(I mainly want to keep having a places lists all the current deprecations. As long as we mention DHE there, I don't really care if we link to a separate explanation.)
Labels: M-45
 Issue 492159  has been merged into this issue.
I have installed stable version of Chrome:

Google Chrome	43.0.2357.81 (Official Build) m (32-bit)
Revision	f873f0128382b8cf6b5c2a877d12491ca807748e-refs/branch-heads/2357@{#434}

When can I expect this fix in stable channel? The https://weakdh.org site reports that: "Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser."

Thanks!

Comment 22 by agl@chromium.org, Jun 8 2015

This change is on track for Chrome 45 at the moment.
This change is a great litmus test to detect unfortunate servers that use 768-bit DH in 2015, including electronic payment services and ISP billings.

BEFORE | AFTER
stat.baikal-ttk.ru DH768.png
300 KB View Download
doshcard.kg DH768.png
432 KB View Download
Project Member

Comment 24 by bugdroid1@chromium.org, Jun 9 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93937caf120fed43de182e475822805afdbe3001

commit 93937caf120fed43de182e475822805afdbe3001
Author: mostynb <mostynb@opera.com>
Date: Tue Jun 09 19:36:17 2015

increase crypto_unittest key sizes to satisfy NSS 3.19.1

NSS version 3.19.1 added minimum key size constraints to avoid the Logjam attack:

> The minimum size of keys that NSS will generate has been raised:
>    The minimum modulus size for RSA keys is now 512 bits
>    The minimum modulus size for DSA keys is now 1023 bits
>    The minimum modulus size for Diffie-Hellman keys is now 1023 bits

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes

https://bugzilla.mozilla.org/show_bug.cgi?id=1138554

BUG= 490240 

Review URL: https://codereview.chromium.org/1148193006

Cr-Commit-Position: refs/heads/master@{#333554}

[modify] http://crrev.com/93937caf120fed43de182e475822805afdbe3001/crypto/nss_key_util_unittest.cc
[modify] http://crrev.com/93937caf120fed43de182e475822805afdbe3001/crypto/rsa_private_key_unittest.cc

NSS 3.19.2 reverted the change to the the minimum required key sizes so Chromium built against system NSS is now reported as vulnerable again. [1]

Is there a way to correct this?

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes
No it didn't. It just moved where the changes are to only affect TLS clients, rather than all consumers.
You are correct, the relevant NSS commit is: https://hg.mozilla.org/projects/nss/rev/2b29dfe134a5

The minimum key size is now enforced in libssl3 which Chromium doesn't seem to use. (This also explains why Firefox (which uses libssl3) is not reported as vulnerable by http://weakdh.org/.)
As noted in this bug, that change is being rolled out with Chrome 45, so it is not tied to your system NSS version.
My mistake, I assumed that Chromium didn't use BoringSSL on Linux; guess I was confused by the patch to the bundled NSS in comment 8. I just tested Chromium 45.0.2431.0 and it is safe against Logjam (according to weakdh.org).

Sorry for the noise! :)
(We don't use BoringSSL on Linux (yet!), but we ship a bundled copy of NSS's SSL implementation. Chrome 45 includes the change to both stacks.)
Thank you for the information, it's starting to make sense now.

From what I understand, Chromium uses the system's libnss (libnss3.so, libnssutil3.so) but bundles its own copy of libssl (extracted from NSS). Which means I can use the NSS patch from comment 8 and our Chromium 43+ builds will continue to be safe from Logjam even after we update to NSS 3.19.2 in Arch Linux. This is great! :)
I'm not certain this is the exact change that caused it, but it's ridiculous to force this ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY problem down end-users' throats when in many cases (e.g. routers, Cisco UCM, ...) they have little or no control over the server, and in some environments (internal corporate networks) the risk is relatively low.  Sure, warn them... but there has to be a workaround/ignore option available at least for a reasonable grace period.

Comment 33 by war...@gmail.com, Sep 11 2015

There was a more than reasonable grace period, Chrome was the last browser to fix this vulnerability. Internet Explorer was patched in May and Firefox in July. You should complain to the vendors who don't patch their software/hardware, not the browser developer who is trying to make the internet a little more secure.

Sign in to add a comment