Re: [Mozilla Enterprise] Disable DoH via policy.json?

2020-02-27 Thread Eddie Rowe
Yes for Firefox ESR 68 and newer.

https://github.com/mozilla/policy-templates/blob/master/README.md#dnsoverhttps


-Original Message-
From: Enterprise  On Behalf Of James M. Pulver
Sent: Wednesday, February 26, 2020 8:02 AM
To: enterprise@mozilla.org
Subject: [Mozilla Enterprise] Disable DoH via policy.json?


Is there a policy yet for ESR to disable DoH?
-- 
James Pulver
CLASSE Computer Group
Cornell University
___
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
enterprise-requ...@mozilla.org with a subject of "unsubscribe"
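An example policies.json that answers the question above, added here as an illustration and not taken from the thread or from Mozilla's policy-templates repository. It assumes the DNSOverHTTPS policy keys documented in the README linked in the reply (Enabled, Locked) and the standard location of the file, `distribution/policies.json` under the Firefox installation directory:

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
```

Locked keeps users from turning DoH back on in Preferences. After deployment, about:policies in the browser lists the policies that were actually read, which is the quickest way to confirm the file was picked up on ESR 68.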


Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

2020-02-27 Thread Mike Kaply
Where did you get this recommendation?

Mike

On Tue, Feb 18, 2020 at 3:18 PM Eddie Rowe 
wrote:

> // 4.6 (L2) Set OCSP Response Policy
>
> defaultPref("security.OCSP.require", true);
>
>
>
> I have enabled this setting in ESR 68.4 x64 and many sites such as Google
> and even Mozilla just do not work.  I don’t see how this could be adopted
> at a company level without creating chaos.  Are there persons still using
> this setting?  Have you adjusted other settings to help out Firefox?
>
>
>
> *Example site that does not work with this setting set to true: *
>
> https://support.mozilla.org/en-US/questions/1169855
>
>
>
> *Error:*
>
> “Secure Connection Failed
>
>
>
> An error occurred during a connection to support.mozilla.org. The OCSP
> server experienced an internal error. Error code:
> SEC_ERROR_OCSP_SERVER_ERROR
>
>
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
>
> Please contact the website owners to inform them of this problem.”
>
>
>
>
>


Re: [Mozilla Enterprise] Firefox 73 policy-templates / GPO

2020-02-27 Thread Mike Kaply
I just released it.

https://github.com/mozilla/policy-templates/releases/tag/v1.13

Mike

On Wed, Feb 26, 2020 at 10:38 AM Mike Kaply  wrote:

> Yes some very minor changes. I'll get the update out today.
>
> Mike
>
> On Wed, Feb 26, 2020, 10:37 AM Kahle, Markus <
> markus.ka...@brueckmann-gmbh.de> wrote:
>
>> Hi,
>>
>> I wonder if there are any changes / addons to the policy-templates for
>> Firefox 73?
>> Can't find any new releases on the GitHub page (
>> https://github.com/mozilla/policy-templates/releases)
>>
>> @mkaply: Any news on this?
>>
>> Regards,
>>
>> Markus
>>
>>
>>
>


Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

2020-02-27 Thread Eddie Rowe
Yes, I am following the guidance of a security baseline and setting this to 
true.  I guess I was thinking that OCSP stapling support would be broad enough 
by now that we should not have issues.  I think we are left with no option but 
to turn this feature off.  I was hoping I had overlooked something and I do 
appreciate the response!

From: Enterprise  On Behalf Of Osdoba, Sascha
Sent: Thursday, February 27, 2020 3:57 AM
To: enterprise@mozilla.org
Subject: Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

Hi,

Mike Kaply answered my question about the OCSP setting before, so I guess you 
should not use it.


12. November 2019 17:37
Re: [Mozilla Enterprise] security.OCSP.require

FYI, on discussion with my team, there are lots of problems with OCSP. I assume 
you're setting it to true?

It can cause mysterious failures and very long delays loading web pages.

Mike


Regards,

Sascha


From: Enterprise <enterprise-boun...@mozilla.org> On Behalf Of Eddie Rowe
Sent: Wednesday, February 19, 2020 00:18
To: enterprise@mozilla.org
Subject: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);

I have enabled this setting in ESR 68.4 x64 and many sites such as Google and 
even Mozilla just do not work.  I don't see how this could be adopted at a 
company level without creating chaos.  Are there persons still using this 
setting?  Have you adjusted other settings to help out Firefox?

Example site that does not work with this setting set to true:
https://support.mozilla.org/en-US/questions/1169855

Error:
"Secure Connection Failed

An error occurred during a connection to support.mozilla.org. The OCSP server 
experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

The page you are trying to view cannot be shown because the authenticity of 
the received data could not be verified.
Please contact the website owners to inform them of this problem."




Re: [Mozilla Enterprise] TLS Support

2020-02-27 Thread Mike Kaply
Yes, there will still be the ability to override via the preferences. In
addition, for a release or two, we'll provide a manual downgrade on the
error page.

Mike

On Fri, Feb 21, 2020 at 10:54 AM Houle, Todd - 1120 - MITLL <
todd.ho...@ll.mit.edu> wrote:

> Hi all –
>
> I know TLS support will be changed to only 1.2 starting in March.
> Currently there are override settings that allow/limit different versions.
> Will those settings still be there and working during/after March?  We have
> an old isolated server that will not support TLS 1.2, so I need to
> enable/allow TLS 1.0 after March.
>
>  Thank you
>
> Todd
>


[Mozilla Enterprise] Disable DoH via policy.json?

2020-02-27 Thread James M. Pulver

Is there a policy yet for ESR to disable DoH?
--
James Pulver
CLASSE Computer Group
Cornell University


Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

2020-02-27 Thread Eddie Rowe
The Center for Internet Security publishes a number of security baselines.  
Firefox’s baseline is very old and does not appear to be updated, so I took the 
older ESR version and looked at policies and settings to come up with my own 
newer version.


“4.6 (L2) Set OCSP Response Policy (Scored)

Profile Applicability:

 Level 2

Description:

This setting dictates whether Firefox will consider a given certificate to be 
invalid if Firefox is unable to obtain an Online Certificate Status Protocol 
(OCSP) response for it.

Rationale:

Requiring an OCSP response will reduce an adversary's ability to successfully 
leverage a compromised and revoked certificate.

Audit:

Perform the following procedure:

1. Type about:config in the address bar

2. Type security.ocsp.require in the filter

3. Ensure the preferences listed are set to the values specified below:

security.ocsp.require=true

Remediation:

Perform the following procedure:

1. Open the mozilla.cfg file in the installation directory with a text editor

2. Add the following lines to mozilla.cfg:

lockPref("security.ocsp.require", true);

Impact:

Enabling OCSP carries potential privacy implications. For each HTTPS site 
Firefox visits, a request is sent to an OCSP server to determine if the site's 
certificate has been revoked. This provides the OCSP server with the IP address 
of the requester (Firefox or NAT) and, among other properties, the domain name 
of the site Firefox is accessing.
Additionally, requiring an OCSP response increases the opportunity for valid 
certificates to be deemed invalid. This may occur if the OCSP server becomes 
unavailable or is not accessible.
Firefox 26+ supports OCSP Stapling, which mitigates the aforementioned privacy 
implications.
Default Value:
false

https://www.cisecurity.org/benchmark/mozilla_firefox/


From: Mike Kaply 
Sent: Tuesday, February 25, 2020 2:04 PM
To: Eddie Rowe 
Cc: enterprise@mozilla.org
Subject: Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

Where did you get this recommendation?

Mike

On Tue, Feb 18, 2020 at 3:18 PM Eddie Rowe <eddie.r...@tdhca.state.tx.us> wrote:
// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);

I have enabled this setting in ESR 68.4 x64 and many sites such as Google and 
even Mozilla just do not work.  I don’t see how this could be adopted at a 
company level without creating chaos.  Are there persons still using this 
setting?  Have you adjusted other settings to help out Firefox?

Example site that does not work with this setting set to true:
https://support.mozilla.org/en-US/questions/1169855

Error:
“Secure Connection Failed

An error occurred during a connection to support.mozilla.org. The OCSP server 
experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

The page you are trying to view cannot be shown because the authenticity of 
the received data could not be verified.
Please contact the website owners to inform them of this problem.”


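The thread's conclusion turns on whether sites staple OCSP responses, since a stapled response is what lets a browser with security.OCSP.require set to true validate a certificate without a live query to the CA's responder. The script below is an added example, not code from the thread or from the CIS benchmark; it assumes the openssl command-line tool is installed and uses function names of my own (ocsp_staple_status, check_host). Run it with one or more host names to test live servers; with no arguments it classifies two constructed, abridged transcripts so the classifier can be exercised offline:

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the CIS benchmark):
# report whether a TLS server staples an OCSP response to its handshake.

# Classify the transcript of `openssl s_client -status` as stapled,
# not-stapled, or unknown (connection failed or unexpected output).
ocsp_staple_status() {
  if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo not-stapled
  else
    echo unknown
  fi
}

# Query a live host (network required) and print "<host> <status>".
# -servername sends SNI so the server picks the right certificate, and
# -status asks it to include a stapled OCSP response.
check_host() {
  host="$1"
  port="${2:-443}"
  transcript=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -status </dev/null 2>/dev/null || true)
  printf '%s %s\n' "$host" "$(ocsp_staple_status "$transcript")"
}

# Constructed sample transcripts (abridged, not captured from any real host),
# shaped like what openssl prints in the two interesting cases.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain
 0 s:CN = example.invalid'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.invalid'

# With host names on the command line, check them live; otherwise run the
# offline samples through the classifier.
if [ "$#" -gt 0 ]; then
  for h in "$@"; do check_host "$h"; done
else
  echo "sample-stapled $(ocsp_staple_status "$SAMPLE_STAPLED")"
  echo "sample-not-stapled $(ocsp_staple_status "$SAMPLE_NOT_STAPLED")"
fi
```

A host that reports not-stapled is one where a client enforcing security.OCSP.require has to reach the CA's responder itself, which is exactly the path that produced the SEC_ERROR_OCSP_SERVER_ERROR failures reported in the thread. Running the script against the internal and SaaS hosts a fleet depends on gives a concrete picture of how much would break before the setting is rolled out.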


Re: [Mozilla Enterprise] Support for TLS 1.0 and 1.1

2020-02-27 Thread Philipp Madersbacher
Hello, these plans were announced quite a while ago and across browser
vendors:
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
https://hacks.mozilla.org/2019/05/tls-1-0-and-1-1-removal-update/
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/

Best regards,
Philipp

On Thu, 27 Feb 2020 at 20:31, JUSTIAA2 wrote:

> Good Morning,
>
>
>
> What is the plan for Mozilla to stop supporting TLS 1.0 and 1.1? I’m
> hearing rumors that it could possibly be in March. I believe we have
> several servers that still have to support TLS 1.0.
>
>
>
> Justin Anderson
>
> Software Engineer
>
> *CACI*
>
>
>


[Mozilla Enterprise] Support for TLS 1.0 and 1.1

2020-02-27 Thread JUSTIAA2
Good Morning,

What is the plan for Mozilla to stop supporting TLS 1.0 and 1.1? I'm hearing 
rumors that it could possibly be in March. I believe we have several servers 
that still have to support TLS 1.0.

Justin Anderson
Software Engineer
CACI



Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

2020-02-27 Thread Osdoba, Sascha
Hi,

Mike Kaply answered my question about the OCSP setting before, so I guess you 
should not use it.


12. November 2019 17:37
Re: [Mozilla Enterprise] security.OCSP.require

FYI, on discussion with my team, there are lots of problems with OCSP. I assume 
you're setting it to true?

It can cause mysterious failures and very long delays loading web pages.

Mike


Regards,

Sascha


From: Enterprise On Behalf Of Eddie Rowe
Sent: Wednesday, February 19, 2020 00:18
To: enterprise@mozilla.org
Subject: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);

I have enabled this setting in ESR 68.4 x64 and many sites such as Google and 
even Mozilla just do not work.  I don't see how this could be adopted at a 
company level without creating chaos.  Are there persons still using this 
setting?  Have you adjusted other settings to help out Firefox?

Example site that does not work with this setting set to true:
https://support.mozilla.org/en-US/questions/1169855

Error:
"Secure Connection Failed

An error occurred during a connection to support.mozilla.org. The OCSP server 
experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

The page you are trying to view cannot be shown because the authenticity of 
the received data could not be verified.
Please contact the website owners to inform them of this problem."

