
Update TLS recommendations in Landing page

Open emkll opened this issue 6 years ago • 6 comments

Description

In https://github.com/freedomofpress/securedrop/pull/4008, instructions on how to set up TLS 1.3 were added. We should review existing recommendations for landing page cipher suites, and consider removing TLS 1.0 and 1.1 from the example configs.

User Stories

As a user visiting the landing page and as a SecureDrop admin, I want to ensure deprecated protocols are not used when browsing the landing page.

emkll avatar Jan 03 '19 20:01 emkll

I would suggest waiting for 2020: https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-01

loganaden avatar Jan 03 '19 20:01 loganaden

It's 2020 now, but it's also 2020, so deprecation has been partially delayed: https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/

The plan to disable TLS 1.0/1.1 by default is being updated for Internet Explorer and Microsoft Edge Legacy. TLS 1.0 and TLS 1.1 will not be disabled by default for either browser until Spring of 2021 at the earliest. Organizations that wish to disable TLS 1.0 and TLS 1.1 before that time may do so using Group Policy.

That said, we may still want to go ahead and remove it from our recommended landing page config now, given the specific sensitivity of tips pages.

eloquence avatar Oct 20 '20 18:10 eloquence

OK, I can send in a PR? @eloquence.

loganaden avatar Oct 20 '20 19:10 loganaden

Please go for it, thank you! :)

eloquence avatar Oct 20 '20 19:10 eloquence

We can go ahead with this - it's ~2 years since 1.0 and 1.2 were formally deprecated.

zenmonkeykstop avatar Jan 05 '23 16:01 zenmonkeykstop

I will send the PR

loganaden avatar Jan 05 '23 16:01 loganaden