TB v38.1 disables broken 512-bit TLS keys identified in CVE-2015-4000: Bug 1138554 refers
EVERYONE!
The "Powers that be" at Mozilla decided to limit TLS/SSL security to no less than 1024 DH keys with TB v38.1 that gets automatically installed on pretty much everyone's computer. This installation breaks god knows how many people's email be it with the SMTP, POP or IMAP services and with Firefox, web services and yet such encryption means nothing to the NSA!
As a system administrator - thanks for the nightmare that will be our world for the next few days or weeks!
There seems to be no way to force TB v38 to go back to allow the so-called 'weaker' 512 DH keys despite the TLS settings in the config editor!
I was getting ready to go on vacation and I AM SO PISSED OFF RIGHT NOW!
Your only option appears to be to downgrade back to TB 31.7.0 and whatever the last version of Firefox was. To complicate that - you will also need to downgrade to Lightning v3.3 if you were using a calendar. See https://addons.mozilla.org/en-us/thunderbird/addon/lightning/versions/?page=1#version-3.3.3
Link to last working version of TB is https://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/31.7.0/win32/en-US/Thunderbird%20Setup%2031.7.0.exe
Good luck!
I have disabled upgrades to all Mozilla software in our network and will NEVER ALLOW AN AUTO UPGRADE OF ANYTHING FROM MOZILLA AGAIN! Trouble is tomorrow we are likely going to be inundated with calls from our customers!
THANKS A LOT MOZILLA!
All Replies (5)
Did you even read CVE-2015-4000 before deciding your security was ok? This is not just a Mozilla issue. To quote the folk here: "Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack." They go on to say "If you’re a sysadmin or developer … Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit."
Retaining 512 bit just leaves you and your customers open to man in the middle attacks on what are supposed to be secure connections. Or at least that is my reading of Bug 1138554. You would be better advised to disable TLS entirely than retain that which is broken. Then at least everyone would know there was no security. The has gone through the process quickly, but then that is entirely desirable for a security flaw.
If your customers are using insecure connections, I doubt your legal people would be happy with your business continuing to use them, knowing they are insecure. I strongly suggest you contact them for their suggested response as liability may well be involved should something go wrong.
BTW in a corporate or business environment it has always been suggested to use ESR versions of Mozilla software precisely so you have time to evaluate a new version before deployment. There will still be a point release on Thunderbird 31 ESR, and Firefox 31 ESR will continue in support and update until Firefox 40 is released.
I will also edit your title to more accurately reflect this change. Nothing is broken.
See https://www.mozilla.org/en-US/firefox/organizations/faq/
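Added example, not part of the thread and not Mozilla's code: the size thresholds from the guidance quoted in the reply above (clients reject Diffie-Hellman primes under 1024 bits, servers use 2048 bits or more), applied to the ServerDHParams structure a DHE server sends in its ServerKeyExchange message. The function names and the `make_sample` input are assumptions made for illustration; the sample "prime" is only a constructed number of the right bit length.

```python
import struct

MIN_CLIENT_BITS = 1024  # quoted guidance: clients reject primes smaller than this
MIN_SERVER_BITS = 2048  # quoted guidance: servers should use this or larger

def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then body."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Return (p, g, Ys) as integers from the start of a DHE ServerKeyExchange body.
    Any trailing signature bytes are ignored."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    return tuple(int.from_bytes(x, "big") for x in (p, g, ys))

def classify_dh_prime(p):
    """Apply the quoted policy to the prime's bit length."""
    bits = p.bit_length()
    if bits < MIN_CLIENT_BITS:
        return bits, "reject"            # export-grade or otherwise too small
    if bits < MIN_SERVER_BITS:
        return bits, "accept-below-2048"  # client accepts, server should upgrade
    return bits, "ok"

def check(body):
    p, _g, _ys = parse_server_dh_params(body)
    return classify_dh_prime(p)

def make_sample(bits):
    """Constructed input: an odd number of the given bit length stands in for dh_p.
    It is not a real group; only the length matters to the size policy."""
    p = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    fields = (p, b"\x02", b"\x04")  # dh_p, dh_g, dh_Ys (constructed values)
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, check(make_sample(size)))
```

A server that yields `reject` here is one that Thunderbird 38.1 will no longer connect to over DHE; the remedy on the server side is to regenerate its DH parameters at 2048 bits or more.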
Matt,
You have no idea of the meaning of LEGACY systems and software. People like you live in a bubble world where anything older than a few seconds is considered obsolete. One day you'll find out what it is like to deal with something like this when it gets crammed down your throat by people who have no idea of how their decisions affect the rest of the world just because someone decided that there is a MINUSCULE chance of a problem with someone's system.
Force changing a client program to stop working after an upgrade is lunacy - I don't care what the issue is. One day - when it happens to you - hopefully at the most inopportune time of your life - You WILL remember this.
bobatkins said
Matt, You have no idea of the meaning of LEGACY systems and software. People like you live in a bubble world where anything older than a few seconds is considered obsolete.
I am still supporting windows 98, are you? I have one on my desk at the moment I am trying to fix the touch screen for.
TLS is not, however, a legacy system. Nor is Thunderbird 38.1 or Firefox 38. So perhaps you could explain how changes to the two most recent releases of a software come under discussion of "Legacy systems"? What software is it that requires export cipher suites that have not really been in general use for a decade? It is some 15 years since the US export restriction that caused this mess in the first place was lifted.
UPDATE
Following discussion here, it looks like there is a workaround available through installing an add-on.
The fact of the matter is security can break you, or help pay the bills. The fact of the matter is security needs change over time. You can put your head in the sand, or protect yourself, your business and your customers.