mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

308 Permanent Redirect #117

Open mavit opened 3 years ago

mavit commented 3 years ago

I notice that 301 Moved Permanently is used to redirect from HTTP to HTTPS, but that this status code can cause POST requests to be transformed to GET requests.

There's a new code 308 Permanent Redirect which seems more appropriate, here. I understand it's not supported by IE 11 before Windows 10, but is there a reason it's not used in the Modern profiles?
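
To see the behaviour mavit describes in a real client rather than in a browser, the following is an added example (not part of this issue or of the generator's own code): it runs a throwaway local HTTP server standing in for the port-80 listener and sends the same POST through a 301 and a 308 with Python's urllib. The server, its paths and the form body are constructed for the demonstration.

```python
import http.server
import threading
import urllib.error
import urllib.request

class RedirectEchoHandler(http.server.BaseHTTPRequestHandler):
    # Constructed fixture for the plain-HTTP listener: POST /redirect/<code>
    # answers with that status and Location: /target; /target echoes the method.
    def _echo_method(self):
        body = self.command.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def _redirect(self):
        self.send_response(int(self.path.rsplit("/", 1)[1]))
        self.send_header("Location", "/target")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self):
        self._echo_method() if self.path == "/target" else self._redirect()
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        self._echo_method() if self.path == "/target" else self._redirect()
    def log_message(self, *args):  # keep the fixture quiet
        pass

def post_through_redirect(port: int, code: int) -> str:
    """POST a body to /redirect/<code>; return the method /target saw, or
    'refused <code>' if urllib declined to follow the redirect on its own."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/redirect/{code}",
                                 data=b"field=value", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as exc:
        return f"refused {exc.code}"

def compare_redirect_codes() -> dict:
    srv = http.server.HTTPServer(("127.0.0.1", 0), RedirectEchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # 301: urllib silently re-issues the request as a GET without the body.
        # 308: the method must be kept, so urllib raises HTTPError rather than resend the POST.
        return {c: post_through_redirect(srv.server_address[1], c) for c in (301, 308)}
    finally:
        srv.shutdown()
        srv.server_close()
```

`compare_redirect_codes()` returns `{301: 'GET', 308: 'refused 308'}`: the 301 turned the form submission into a body-less GET, while the 308 left the decision to resubmit the POST to the caller.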

gene1wood commented 3 years ago

Good point. Looks like browser support would map to Modern.

Anyone interested in PRing changes for Modern in your favorite server type to use 308?

gstrauss commented 6 months ago

According to the details in https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308, all web browsers listed on the page have supported 308 for over 8 years, with Edge, of course, being the last among them to add support for 308 in Edge 12 released 2015-07-28.

A year and a half ago, Microsoft published an article declaring IE 11 dead and buried. https://blogs.windows.com/windowsexperience/2022/06/15/internet-explorer-11-has-retired-and-is-officially-out-of-support-what-you-need-to-know/ Again, that was a year and a half ago and was not a surprise, IE having been long deprecated.

Internet Explorer 11 desktop app retirement FAQ (published May 19, 2021, 08:55 AM) https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549 In an update to that article on or before May 18, 2023:

> Update: The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. Based on customer feedback, organizations will maintain control over when to remove IE11 UI elements from their devices. Over the coming months a small subset of exceptional scenarios where IE11 is still accessible will be redirected to Edge, ensuring users access a supported and more secure Microsoft browser.

https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions Windows 8.1 end-of-life was 2023-01-10, a year ago.


IE has been actively disabled. The concerns raised in this issue are out-of-date.

This issue could have been resolved years ago with a simple choice:

@gene1wood is there any open question that remains that would prevent this issue from being decided and resolved?

janbrasna commented 4 months ago

EOL or not, the intermediate claims to support it: https://github.com/mozilla/ssl-config-generator/blob/454a2353f0215042d50ec5df574e7fcf2a03a85d/src/static/guidelines/5.7.json#L86 which hasn't changed since the issue opened.

No problem for modern, as mentioned above.

In intermediate there's one UA running one OS schannel that will break with this 🤷 (I know it's disabled by Edge updater in W10, but IIRC this mechanism doesn't disable IE11 on Server or W7/8 so there still might be live IE11 as shown by globalstats: 11=0.44%, i.e. not completely extinct 😢).

So unless there's a new UA support matrix in the cards for the specs, this should not break now. (Read: Might need new specs version release with different UAs claimed to be supported; at the same time this might mean moving all DHE to old as that correlates with said EOLed UAs somewhat…) — or unless someone approves breaking the declared support UAs intentionally if they're "dead enough", without actually bumping the specs version and changing the supported clients list…

gstrauss commented 4 months ago

Please help me to understand. If software is end-of-life, then the "old" config applies. People using end-of-life software should not qualify for "intermediate" compatibility. The software they are using is end-of-life. Yes, people are using end-of-life software. It is obvious that it is not dead yet. However, end-of-life software should unquestionably qualify as "old" and nothing else.

Now, I have not checked end-of-life for Server W7/8, but would point out that web browsers should be used in a very, very limited fashion on Windows servers, as they are servers, and not client machines. Safer corporate configs block servers from direct access to the internet if they allow it at all.

janbrasna commented 4 months ago

@gstrauss I agree.

There's a lot of sad UAs that should be defined as "old" these days, years after the v5.0 specs came out. But as I mentioned, it's the specs that need to change first, moving some of the browser support around. (And with it, even the ciphers needed to support them, so getting rid of EOL IE 11 AND DHE suites at the same time would be lovely.) — I just don't know what's the roadmap for v5.x specs and who (and when) should make the call it's about time to reassess the support matrix for 2024 perspective.

(The issue with "IE 11" as a client is a simplification to an extent, as it's similar to e.g. 2008 R2 Server or 2012 R2 Server, using the same SChannel they can't get more cipher updates for and are stuck with what's provided by the system network layer, where .NET applications can't use any alternative network stack, only the system SChannel. The R2 Server might be an API client, and the client limitations for the .NET app would be the same as for the IE11 browser unfortunately. So that explains the "web browsers use" on servers. For .NET on R2 Servers that basically means the whole network implementation that can't be replaced or circumvented.)

gstrauss commented 4 months ago

> I just don't know what's the roadmap for v5.x specs and who (and when) should make the call

This statement suggests that reassessment has not been happening periodically and regularly.

> using the same SChannel they can't get more cipher updates for and are stuck with what's provided by the system network layer

Any such system is classified unmaintained (or unmaintainable) and must be classified as "old".

These are not merely opinions of mine. Basic secdevops logic applies.

The meta message behind my posts is to help you and others more succinctly recognize that the current state is not helping people maintain best security practices on maintained systems. The guidance is out-of-date, and has been acknowledged as such in #232

gstrauss commented 4 months ago

> There's a lot of sad UAs that should be defined as "old" these days, years after the v5.0 specs came out. But as I mentioned, it's the specs that need to change first, moving some of the browser support around.

Do you happen to know which group/committee at or affiliated with Mozilla does that? Is it the Security Assurance team at Mozilla? Is there an open request in an issue tracker or an open item for the project manager to review and refresh the specs?

gstrauss commented 3 months ago

@gene1wood wrote on April 2, 2021:

> Good point. Looks like browser support would map to Modern.

> Anyone interested in PRing changes for Modern in your favorite server type to use 308?

#137 and #139 were filed April 3, 2021 and April 5, 2021, almost 3 years ago.


@janbrasna wrote last month:

> There's a lot of sad UAs that should be defined as "old" these days, years after the v5.0 specs came out. But as I mentioned, it's the specs that need to change first, moving some of the browser support around.

Do you happen to know which group/committee at or affiliated with Mozilla does that? Is it the Security Assurance team at Mozilla? Is there an open request in an issue tracker or an open item for the project manager to review and refresh the specs?