
Anders Bateva

Nonfiction Litblog. Reading notes / clippings / excerpts from nonfiction. Literary prospecting in: Social Sciences; Computing; and Environmental Sciences.


🦊 Firefox ∩ 🔒 TLS

Over time, Firefox has been disabling the obsolete and insecure HTTPS encryption standards, restricting itself to TLS 1.2 and TLS 1.3:

2014 - Firefox 34.0 Release Notes:
Disabled SSLv3.
2018 - Firefox 61.0 Release Notes:
Improved security: On-by-default support for the latest draft of the TLS 1.3 specification.
2020 - Firefox 78.0 Release Notes:
We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.

So is there only strong encryption now?

Not exactly... TLS 1.2, published in 2008 (RFC 5246), was already showing its weaknesses by 2018, when TLS 1.3 was released:

Mozilla Security Blog: TLS 1.3 Published: in Firefox Today. August 13, 2018.
TLS 1.3 removes a lot of outdated cryptography:
  • TLS 1.2 included a pretty wide variety of cryptographic algorithms (RSA key exchange, 3DES, static Diffie-Hellman) and this was the cause of real attacks such as FREAK, Logjam, and Sweet32.
  • TLS 1.3 instead focuses on a small number of well understood primitives (Elliptic Curve Diffie-Hellman key establishment, AEAD ciphers, HKDF).

Since TLS 1.2 is still widely used on the Web, it has not been disabled by default and, for the moment, there is no plan to do so:

Mozilla Security Blog: Removing Old Versions of TLS. October 15, 2018.
TLS Version Usage (August-September 2018)
Version %
TLS 1.0 1.11%
TLS 1.1 0.09%
TLS 1.2 93.12%
TLS 1.3 5.68%

What has been done so far is to patch it up by selectively disabling some of its features, so as to extend its useful life:

Firefox 78.0 Release Notes, June 30, 2020.
As part of our ongoing effort to deprecate obsolete cryptography, we have disabled all remaining DHE-based TLS ciphersuites by default.

It is worth remembering that strong encryption is not a panacea. It serves one purpose and not others. It is useful for preventing tampering with, and loss of confidentiality of, the data sent and received (provided it is not bypassed in some way), but it does not provide anonymity, for example.

Update after the post was published:

Mozilla Security Blog: Securing Connections: Disabling 3DES in Firefox 93. October 5, 2021.

3DES (“triple DES”, an adaptation of DES (“Data Encryption Standard”)) was for many years a popular encryption algorithm. However, as attacks against it have become stronger, and as other more secure and efficient encryption algorithms have been standardized and are now widely supported, it has fallen out of use. Recent measurements indicate that Firefox encounters servers that choose to use 3DES about as often as servers that use deprecated versions of TLS.

As long as 3DES remains an option that Firefox provides, it poses a security and privacy risk. Because it is no longer necessary or prudent to use this encryption algorithm, it is disabled by default in Firefox 93.
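As an added example (not code from the post or from Mozilla), the following Python script checks a server's offered protocol versions and cipher suites against the defaults quoted above: TLS 1.0/1.1 and DHE-based suites off since Firefox 78, 3DES off since Firefox 93. The scan result is a constructed sample and cipher suite names follow OpenSSL's naming; the hardened client context at the end applies the same policy to a Python client and then verifies that nothing Firefox would refuse is left in it.

```python
"""Audit a server's TLS offering against what Firefox disables by default.

Added example; the scan result below is constructed, not a real host.
"""
import re
import ssl
from typing import Dict, List, Optional

# Constructed sample of what a scanner might report for a legacy server.
SAMPLE_SCAN: Dict[str, List[str]] = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "DHE-RSA-AES128-GCM-SHA256",    # finite-field DHE: off since Firefox 78
        "ECDHE-RSA-AES128-GCM-SHA256",  # ECDHE + AEAD: still accepted
        "DES-CBC3-SHA",                 # 3DES: off since Firefox 93 (Sweet32)
        "AES128-SHA",                   # RSA key exchange: still enabled, weak
    ],
}

DISABLED_PROTOCOLS = {
    "SSLv3": "Firefox 34",
    "TLSv1": "Firefox 78",
    "TLSv1.1": "Firefox 78",
}
# OpenSSL names: finite-field DHE suites begin with DHE-/EDH-/ADH-. "ECDHE-..."
# also contains the substring "DHE", so the pattern is anchored at the start.
DHE_SUITE = re.compile(r"^(DHE|EDH|ADH)-")
TRIPLE_DES = re.compile(r"DES-CBC3|3DES")


def firefox_disabled_since(cipher: str) -> Optional[str]:
    """Return the Firefox release that disabled this suite, or None if accepted."""
    if TRIPLE_DES.search(cipher):
        return "Firefox 93"
    if DHE_SUITE.match(cipher):
        return "Firefox 78"
    return None


def audit(scan: Dict[str, List[str]]) -> List[str]:
    """List every protocol version and cipher suite Firefox would refuse."""
    findings = []
    for proto in scan["protocols"]:
        if proto in DISABLED_PROTOCOLS:
            findings.append(f"protocol {proto}: disabled by default since {DISABLED_PROTOCOLS[proto]}")
    for cipher in scan["ciphers"]:
        since = firefox_disabled_since(cipher)
        if since:
            findings.append(f"cipher {cipher}: disabled by default since {since}")
    return findings


def firefox_can_connect(scan: Dict[str, List[str]]) -> bool:
    """True if at least one TLS >= 1.2 version and one accepted suite remain."""
    modern = any(p in ("TLSv1.2", "TLSv1.3") for p in scan["protocols"])
    usable = any(firefox_disabled_since(c) is None for c in scan["ciphers"])
    return modern and usable


def hardened_client_context() -> ssl.SSLContext:
    """Client context mirroring the Firefox 93 policy: TLS >= 1.2, no DHE, no 3DES.

    "DHE" in an OpenSSL cipher string means finite-field DH only; ECDHE is kept.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES:!DHE:!3DES:!aNULL:!eNULL:!MD5")
    return ctx


def leftover_weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Suites still enabled in ctx that Firefox would refuse (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers() if firefox_disabled_since(c["name"])]


def minimum_is_tls12(ctx: ssl.SSLContext) -> bool:
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for line in audit(SAMPLE_SCAN):
        print(line)
    print("Firefox 93+ can still connect:", firefox_can_connect(SAMPLE_SCAN))
    print("weak suites left in hardened context:", leftover_weak_ciphers(hardened_client_context()))
```

Run against the output of a scanner such as testssl.sh or sslscan by filling the two lists; the script itself does no network I/O.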

🦊 Firefox ∋ 🔒 HTTPS-Only Mode → further obsolescence of 🔓 HTTP

Mozilla Security Blog - Firefox 83 introduces HTTPS-Only Mode. November 17, 2020.

The majority of websites already support HTTPS, and those that don’t are increasingly uncommon. Regrettably, websites often fall back to using the insecure and outdated HTTP protocol. Additionally, the web contains millions of legacy HTTP links that point to insecure versions of websites. When you click on such a link, browsers traditionally connect to the website using the insecure HTTP protocol.

[...]

HTTPS-Only Mode [is] a brand-new security feature available in Firefox 83 [(released on November 17, 2020)] [...] [that] ensures that Firefox doesn’t make any insecure connections without your permission. When you enable HTTPS-Only Mode, Firefox tries to establish a fully secure connection to the website you are visiting. Whether you click on an HTTP link, or you manually enter an HTTP address, Firefox will use HTTPS instead.

Once HTTPS becomes even more widely supported by websites than it is today, we expect it will be possible for web browsers to deprecate HTTP connections and require HTTPS for all websites.

Side effects

  • For the small number of websites that don’t yet support HTTPS, Firefox will display an error message that explains the security risk and asks you whether or not you want to connect to the website using HTTP.
  • It also can happen, rarely, that a website itself is available over HTTPS but resources within the website, such as images or videos, are not available over HTTPS. Consequently, some web pages may not look right or might malfunction. In that case, you can temporarily disable HTTPS-Only Mode for that site by clicking the lock icon in the address bar.

It is also very useful for evading surveillance on the network, for instance by a network administrator whose firewall does not intercept TLS (a "deep packet inspection" proxy that terminates the connection with its own certificate). In that case HTTPS encryption keeps the pages visited out of the log; only the servers' IP addresses and the domain name of the site visited get recorded, the latter leaking through the DNS lookup and through the Server Name Indication sent in the clear in the TLS handshake (unless Encrypted Client Hello is in use).

Keep in mind, though, that modern TLS (the encryption layer) is absolutely essential for HTTPS to make any difference; otherwise it would be nothing more than self-deception.
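To make the point about network logs concrete, here is an added example (not from the post or from Mozilla) in Python: it builds a minimal TLS ClientHello carrying a Server Name Indication, parses the SNI back out the way a non-intercepting firewall would, and contrasts that with a plaintext HTTP request, where method, host and path are all readable. The ClientHello is constructed with only the fields the parser needs (zeroed random, two cipher suites, one extension), so it is not byte-for-byte what Firefox sends; the HTTP request is likewise a constructed sample. The parser treats its input as untrusted and returns None on anything truncated or malformed.

```python
"""What a passive observer (firewall log, packet capture) reads from HTTP vs HTTPS.

Added example; the packets below are constructed for illustration.
"""
import re
import struct
from typing import Dict, Optional


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS ClientHello record with a server_name (SNI) extension."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type 0
    name_list = struct.pack("!H", len(entry)) + entry               # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x13\x01\xc0\x2f"   # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = (
        b"\x03\x03"                        # legacy_version: TLS 1.2
        + b"\x00" * 32                     # random (zeroed in this sample)
        + b"\x00"                          # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                      # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None."""
    try:
        if record[0] != 0x16:                                       # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                           # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                                # version + random
        pos += 1 + body[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + body[pos]                                        # compression_methods
        if pos + 2 > len(body):                                     # no extensions block
            return None
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                                  # 0 = server_name
                continue
            list_end = 2 + struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


def passive_observer_log(packet: bytes) -> Dict[str, Optional[str]]:
    """What a firewall without TLS interception can log from one client packet."""
    if packet.startswith(b"\x16\x03"):
        # HTTPS: the request line and headers are inside encrypted records;
        # only the SNI (and the server IP, from the packet header) is visible.
        return {"scheme": "https", "host": extract_sni(packet), "path": None}
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n", packet)
    if m:
        host = re.search(rb"\r\nHost: ([^\r\n]+)", packet, re.IGNORECASE)
        return {"scheme": "http",
                "host": host.group(1).decode() if host else None,
                "path": m.group(2).decode()}
    return {"scheme": None, "host": None, "path": None}


if __name__ == "__main__":
    http_req = b"GET /private/report.pdf HTTP/1.1\r\nHost: example.com\r\n\r\n"  # constructed
    print("HTTP  :", passive_observer_log(http_req))
    print("HTTPS :", passive_observer_log(build_client_hello("example.com")))
```

Note that the DNS lookup reveals the same host name, so "only the domain name" is the best case for a plain HTTPS connection; Encrypted Client Hello, where deployed, removes the SNI leak but not the DNS one.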