Ssl-version-min Broken, Add flag to enforce Minimum TLS, Cipher Selection & Priority, and Disabling Session Tickets
Reported by canyonco...@gmail.com, Sep 13
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0

Steps to reproduce the problem:
1. Have too many command line switches in the Chrome shortcut target to add --ssl-version-min=
2. Open Chrome in a new incognito window from the taskbar
3. Open Chrome from a link in a third-party application

What is the expected behavior?
Chrome minimum TLS enforced system-wide.

What went wrong?
ssl-version-min broken! Min TLS can only be enforced from a shortcut, and is broken if you load a link from a third-party application like Thunderbird or Outlook Express. This is unacceptable for user security.

Did this work before? N/A

Chrome version: 71.0.3551.0
Channel: stable
OS Version: Windows 7 x64 SP1
Flash Version: none

Deprecated ciphers and TLS session tickets are the weakest link in the TLS chain. Disabling them is critical to ensure safe and secure browsing. Command line switches are limited to a max of 269 bytes in Windows. This is totally unacceptable, and forces users to compromise on security and preferences, and into unnecessary and time-wasting efforts, like loading Chromium from the command prompt. On top of that, these switches are not executed when loading web links outside the command line. This is completely illogical.

Solution: Add Min TLS, Cipher Selection & Priority, and an option to disable TLS session tickets in chrome://flags/ &, even better, under Privacy & Security settings. This will also encourage users to become more educated in security-critical TLS functionality.

Read more: https://blog.filippo.io/we-need-to-talk-about-session-tickets/

Thanks!
Sep 13
Furthermore, it does appear ssl-version-min is broken with the command-line flag enabled; see attached photo.
Sep 13
To verify: you are using "--ssl-version-min=tls1.2" for the SSL Labs client test? If you'd like to globally set the minimum SSL/TLS version, you can use the SSLVersionMin admin policy on Windows (https://www.chromium.org/administrators/policy-list-3#SSLVersionMin).
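The SSLVersionMin policy mentioned above is what actually gives the "system-wide" enforcement the reporter is asking for, because Chrome reads policy from the registry in every process, however it was started. The following is an added example, not code from the bug thread or from the Chromium project: it writes the policy with PowerShell and reads it back. It assumes the registry locations and accepted values published on the linked policy page (Software\Policies\Google\Chrome for Chrome, Software\Policies\Chromium for Chromium builds; string values tls1, tls1.1 and tls1.2), and must be run from an elevated prompt.

```powershell
# Added example (not from the bug thread): enforce Chrome's minimum TLS version
# machine-wide via the SSLVersionMin policy. Unlike --ssl-version-min, a policy applies
# to every Chrome process, including ones spawned by a link in another application.
# Assumption: registry path and value strings follow the Chromium policy list linked above.

function Set-ChromeSslVersionMin {
    [CmdletBinding()]
    param(
        # Only the documented strings are accepted; anything else would be rejected by Chrome
        # (and shown as an error on chrome://policy), so validate before touching the registry.
        [Parameter(Mandatory)]
        [ValidateSet('tls1', 'tls1.1', 'tls1.2')]
        [string]$Minimum,

        # Chromium builds read a different policy key than Google Chrome.
        [ValidateSet('Chrome', 'Chromium')]
        [string]$Browser = 'Chrome'
    )

    $policyKey = if ($Browser -eq 'Chrome') {
        'HKLM:\SOFTWARE\Policies\Google\Chrome'
    } else {
        'HKLM:\SOFTWARE\Policies\Chromium'
    }

    # Policy keys do not exist until an administrator creates them.
    if (-not (Test-Path -Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }

    # SSLVersionMin is a string (REG_SZ) policy. -Force overwrites an existing value.
    New-ItemProperty -Path $policyKey -Name 'SSLVersionMin' -PropertyType String `
        -Value $Minimum -Force | Out-Null

    # Read the value back so the caller sees what is actually in the registry,
    # rather than trusting that the write succeeded.
    (Get-ItemProperty -Path $policyKey -Name 'SSLVersionMin').SSLVersionMin
}

function Get-ChromeSslVersionMin {
    [CmdletBinding()]
    param(
        [ValidateSet('Chrome', 'Chromium')]
        [string]$Browser = 'Chrome'
    )

    $policyKey = if ($Browser -eq 'Chrome') {
        'HKLM:\SOFTWARE\Policies\Google\Chrome'
    } else {
        'HKLM:\SOFTWARE\Policies\Chromium'
    }

    # Returns $null when no policy is set, i.e. Chrome falls back to its built-in default.
    (Get-ItemProperty -Path $policyKey -Name 'SSLVersionMin' -ErrorAction SilentlyContinue).SSLVersionMin
}

# Usage (elevated PowerShell):
#   Set-ChromeSslVersionMin -Minimum 'tls1.2'
#   Get-ChromeSslVersionMin
```

After setting the value, open chrome://policy, click "Reload policies", and confirm that SSLVersionMin is listed with the expected value and no error; that page is the authoritative check that Chrome has picked the policy up. Two caveats a practitioner should expect: a policy set under HKLM is mandatory and cannot be overridden by the user or by a command-line switch, and with a minimum of tls1.2 any site that only offers TLS 1.0 or 1.1 will fail to load with ERR_SSL_VERSION_OR_CIPHER_MISMATCH, which is the intended behaviour but needs to be communicated to users.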
Sep 13
Chrome does not even have code for SSL 3.0 anymore, so either there is an issue with the SSL Labs test or you are behind some kind of TLS-terminating middlebox. As requested on the other bug, please attach a NetLog per these instructions: https://dev.chromium.org/for-testers/providing-network-details
Sep 13
ssl-version-min was not broken; a necessary JS was blocked by uMatrix!
Sep 13
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 9
The issue seems to be out of TE scope, as it is related to ssl-version-min and cipher selection, and the issue is already being investigated by the dev team. Hence, adding the label TE-NeedsTriageHelp in order to push this issue out of the TE-triaging bucket. Thanks!
Nov 9
Sounds like, per comment #7, this was resolved. Closing.