Hello Mike,
Thanks a lot for your reply and for confirming that you’ll take care of this in the GPO ADMX.
It will make it a lot easier for us down here.
Can I ask you when you plan to release this update?
Let me just try to explain to you what our objective is:
Today’s setup on our side, thanks to GPO, is:
- TLSmin 1.0
- TLSmax 1.3
==> Users: are happy because there is no popup, no warning, no blocking when they access sites in TLS 1.0/1.1.
==> IT Teams: are worried because
1) We are not happy with the level of security offered to ALL users (no matter if they use old TLS versions or not). I mean that for a few old sites we have to keep all TLS versions alive.
2) With such a configuration we can’t inventory precisely who accesses sites with such old TLS versions, and therefore we can’t take any proactive action on this situation.
3) We know that sooner or later, but quite soon, you guys at Mozilla will no longer support TLS 1.0/1.1. What will happen at that time if we have not taken care of these usages ….
Solutions we have been thinking of are:
1) We force TLSmin to 1.2 right now
   a. Good for security
   b. Bad for users, who will lose connectivity to TLS 1.0/1.1 sites; this could also be the case for sites on the internet which are not TLS 1.2 compatible
2) We remove TLSmin 1.0 and TLSmax 1.3
   a. Good and bad for security
      i. We go back to the native behaviour (= TLS 1.0/1.1 deactivated by default)
      ii. Only users in the old TLS version use cases will get a warning popup, and thanks to the button provided they will be able to override the warning. This action will set tls-deprecated to TRUE.
      iii. The problem is that this will set tls-deprecated to TRUE for ALL sites, so by doing this once the user will PERMANENTLY decrease the security of his FF ESR.
      iv. As soon as it has been applied (first occurrence), the other TLS 1.0/1.1 connections to other sites will be unknown. This is not at all what we want.
3) If we can FORCE tls-deprecated = FALSE with a GPO setting (our request) and we remove TLSmin 1.0 and TLSmax 1.3 with the GPO, then
   a. We have the same advantages as in 2), plus
      i. The downgrade of the security level is this time TEMPORARY, and it only happens if the user is in the TLS 1.0/1.1 use cases
      ii. The fact that the warning popup appears for those in the use cases will improve the reporting on them
      iii. We send a clear message to old TLS site admins and at the same time we offer them the possibility to react before you guys stop supporting old TLS versions
      iv. We propose a solution to help admins and not block users
      v. The drawback of solution 3) is that we push back the deadline we gave site admins.
I hope this helps you, Mickael, and you all understand our strategy and why we would really appreciate this change on your side.
The alternative for us would be to manage it at the .CFG level, but then we have to push back this file to all users ….
Thanks again Mike
Kind regards / Best regards
“Preparing the future, powering the present”
Pascal Wulleput
Orange Technology and Global Innovation – TGI
Orange Labs Services – OLS
Digital Infrastructure & End-to-end Secure Environments – DIESE
Digital Workspace Services – DWS
e-buro, Services & Maintenances – ESM
tel: +33 633 467 082
[email protected]<mailto:[email protected]>
From: Enterprise [mailto:[email protected]] On behalf of Mike Kaply
Sent: Wednesday, 3 February 2021 16:56
To: TARLO Marius OBS/OCB <[email protected]>
Cc: CHAPOT Frederic DTSI/DSI <[email protected]>; [email protected]; CHEMINEL Mickael DTSI/DISU <[email protected]>
Subject: Re: [Mozilla Enterprise] Is it possible to put security.tls.version.enable-deprecated in the Firefox ESR ADMX template in a near future?
After discussion, I'll add this one to policy.
Mike
On Mon, Feb 1, 2021 at 11:08 AM Mike Kaply
<[email protected]<mailto:[email protected]>> wrote:
I'm curious as to why you want this?
It's not the users' fault that they are running into TLS 1.0/1.1 sites. Where are these TLS 1.0/1.1 sites coming from? Are they internal sites that need to be upgraded?
What you're proposing will train your users to click "bypass" on security pages like that, which I don't think you want to do.
Mike Kaply
On Mon, Feb 1, 2021 at 5:06 AM
<[email protected]<mailto:[email protected]>> wrote:
Hello,
We currently have TLS enabled from 1.0 to 1.3 (SSLversionmin set to 1 and SSLversionmax set to 1.3) and we would like to set up the following configuration:
- Remove the 2 parameters SSLversionmin and SSLversionmax
- When the user browses a TLS 1.0 or TLS 1.1 site, it shows a “SSL_ERROR_UNSUPPORTED_VERSION” error, with a button “Enable TLS 1.0 and 1.1”: we would like to have this error message appear every time the user launches Firefox (we don’t want the user to click it once and have security.tls.version.enable-deprecated set to true forever; we want the user to have to click it every time)
It would be easy to set this up by setting security.tls.version.enable-deprecated to false in the GPO (then it’s set to false when the user launches Firefox, and if he clicks the button, it’s set to true temporarily during his session, but the next time he launches it, it would be reset to false again).
But unfortunately for us, it’s not in the Preferences part of the ADMX (https://github.com/mozilla/policy-templates/blob/v2.7/README.md#preferences).
Would it be possible to have it added to the ADMX in the near future?
Thank you very much for your answer!
Regards / Best regards,
Marius TARLO
Maintenance e-buro
Orange/OBS/SCE/OCB SUBS/DACF/DS/CS/TMI ORA
Orange/TGI/OLS/DIESE/DWS/ESM
tel. +33 1 42 75 34 25
[email protected]<mailto:[email protected]>
_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_______________________________________________
Enterprise mailing list
[email protected]<mailto:[email protected]>
https://mail.mozilla.org/listinfo/enterprise
To unsubscribe from this list, please visit
https://mail.mozilla.org/listinfo/enterprise or send an email to
[email protected]<mailto:[email protected]> with a
subject of "unsubscribe"
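The three states argued over in this thread (Pascal's "today" setup with TLSmin pinned to 1.0, his option 2 with the min/max policies removed, and option 3 / Marius's request to have security.tls.version.enable-deprecated pushed back to false at every start) can be checked mechanically against a Firefox policies.json. The script below is an added example written for this page; it is neither Mozilla's policy-templates code nor Orange's real GPO export. It assumes the policy value names `SSLVersionMin` / `SSLVersionMax` with values `tls1` … `tls1.3`, and the later `Preferences` policy format (`{"Value": ..., "Status": ...}`, with Status `default` / `user` / `locked`) rather than the fixed list in the v2.7 README linked above; the sample policy documents are constructed inputs.

```python
"""Audit a Firefox enterprise policies.json for its TLS 1.0/1.1 posture.

Added example for this thread; not Mozilla's policy-templates code and not
Orange's real GPO export.  It encodes the three states discussed above:
"today" (SSLVersionMin pinned to tls1), option 2 (no policy at all, so the
first click on "Enable TLS 1.0 and 1.1" persists) and option 3 (the pref
reset to false at every start, so the override lasts one session).
"""
import json

# Firefox policy values for SSLVersionMin / SSLVersionMax, mapped to a number
# so they can be compared.  Firefox's own built-in minimum is TLS 1.2.
TLS_VERSION = {"tls1": 1.0, "tls1.1": 1.1, "tls1.2": 1.2, "tls1.3": 1.3}
DEPRECATED_PREF = "security.tls.version.enable-deprecated"


def _pref_value_and_status(pref):
    """Return (Value, Status) for a Preferences entry.

    Newer policy-templates use {"Value": ..., "Status": ...}; the fixed-list
    format of the v2.7 README linked in the thread used a bare value, which
    this audit treats as Status "default" (an assumption of this example).
    """
    if isinstance(pref, dict):
        return pref.get("Value"), pref.get("Status", "default")
    return pref, "default"


def assess_tls_policy(policies_json):
    """Classify how a policies.json treats deprecated TLS 1.0/1.1.

    Returns a dict with a short 'posture' keyword and a human-readable 'note'.
    """
    policies = json.loads(policies_json).get("policies", {})
    ssl_min = policies.get("SSLVersionMin")
    pref = policies.get("Preferences", {}).get(DEPRECATED_PREF)
    value, status = (None, None) if pref is None else _pref_value_and_status(pref)

    if ssl_min in TLS_VERSION and TLS_VERSION[ssl_min] < 1.2:
        posture = "deprecated-tls-silently-accepted"
        note = ("SSLVersionMin=%s: every user negotiates TLS 1.0/1.1 with no "
                "warning, so nobody can tell which sites still need it" % ssl_min)
    elif value is False and status == "locked":
        posture = "deprecated-tls-blocked"
        note = "pref locked to false: the SSL_ERROR_UNSUPPORTED_VERSION page cannot be overridden"
    elif value is False and status == "user":
        posture = "per-session-override"
        note = ("pref set back to false at each start: the override lasts one "
                "session and the warning page shows again next time")
    elif value is True:
        posture = "deprecated-tls-enabled-by-policy"
        note = "policy itself turns deprecated TLS on for every user"
    else:
        # No policy, or only a default value: the button stores a user pref
        # that survives restarts and applies to all sites.
        posture = "user-override-persists"
        note = ("Firefox's built-in minimum is TLS 1.2, but the first click on "
                "'Enable TLS 1.0 and 1.1' sets the pref to true permanently")
    return {"posture": posture, "ssl_min": ssl_min,
            "pref_value": value, "pref_status": status, "note": note}


# Constructed sample policies.json documents (not a real export).
POLICY_TODAY = json.dumps({"policies": {"SSLVersionMin": "tls1", "SSLVersionMax": "tls1.3"}})
POLICY_OPTION2 = json.dumps({"policies": {}})
POLICY_OPTION3 = json.dumps({"policies": {"Preferences": {
    DEPRECATED_PREF: {"Value": False, "Status": "user"}}}})
POLICY_LOCKED = json.dumps({"policies": {"Preferences": {
    DEPRECATED_PREF: {"Value": False, "Status": "locked"}}}})

if __name__ == "__main__":
    for name, doc in [("today", POLICY_TODAY), ("option 2", POLICY_OPTION2),
                      ("option 3", POLICY_OPTION3), ("locked", POLICY_LOCKED)]:
        result = assess_tls_policy(doc)
        print("%-9s %-34s %s" % (name, result["posture"], result["note"]))
```

Run it against the policies.json that the GPO actually produces (or a file written by hand from the ADMX settings): the "per-session-override" posture is the one Marius asks for, "deprecated-tls-silently-accepted" is the posture Pascal describes as today's setup, and the classification for a pref with Status "default" rests on the assumption, stated in the docstring, that a user value set by the button outlives a policy default.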