Potentially Breaking Security Changes
Dropping TLSv1.0 and TLSv1.1 support

As part of Miraheze's continued commitment to ensuring users privacy and security remains at the forefront of our efforts, we are announcing the intention to drop support for some old and weak TLS versions and TLS Ciphers.

What is TLS?

TLS (Transport Layer Security) are a set of cryptographic protocols designed to provide security and encryption to communications over the web. They work by encrypting communications with a unique key used for encryption that both sides have agreed on (a hand shake) - one of the key features we intend to introduce is forward secrecy only support. Forward Secrecy is a more secure version of the TLS protocols by generating a unique key for the session only for encryption and then decryption of communications. Forward secrecy greatly improves user security as if the hosts key is released in the future, previous communications can not be decrypted under any circumstances.

What do you plan to drop and who would be affected?

We plan to remove the following TLS versions from Miraheze:

  • TLSv1.0
  • TLSv1.1

We also plan to remove all non-ECDH (Elliptic-curve Diffie–Hellman) based RSA (Rivest–Shamir–Adleman) TLS ciphers. This is because they do not support forward secrecy and as such are not considered strong from a security stand point.

Based on our choice of dropping TLSv1.0 and TLSv1.1, the following browsers will likely be affected:

  • Internet Explorer (+Edge)
    • Version 8 and below does not support TLSv1.2.
    • Versions 9 and 10 do support TLSv1.2 if and only if you are running Windows 7+ and you have enabled the TLSv1.2 protocol.
    • Version 11+ and Edge support TLSv1.2 by default and users should not be affected.
  • Mozilla FireFox
    • Version 22 and below does not support TLSv1.2.
    • Versions 23 to 26 do support TLSv1.2 if and only if you enable it manually.
    • Version 27 and above does support TLSv1.2 by default and users should not be affected.
  • Google Chrome
    • Version 21 and below does not support TLSv1.2.
    • Versions 22 to 37 do support TLSv1.2 if and only if you are running it on one of the following operating systems; Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile). If you are, this will work by default and users should not be affected.
    • Version 38 and above does support TLSv1.2 by default and users should not be affected.
  • Safari (desktop)
    • Version 6 and below if you are running OS X 10.8 (Mountain Lion) and below does not support TLSv1.2.
    • Version 7 and higher if you are running OS X 10.9 (Mavericks) and higher does support TLSv1.2.
    • If you do not fall into either of the above, it can be safe to assume you are not capable of using TLSv1.2.
  • Safari (iOS)
    • iOS version 4 and below does not support TLSv1.2.
    • iOS version 5 and above does support TLSv1.2.

If using the above, it states you need to manually enable TLSv1.2 support and you do not know how to, please refer to this guide by DigiCert to support you. If you are using a browser not listed above, please contact john [at] miraheze.org stating the version and browser you are using and he will happily assist you in determining TLS support.

We will monitor in particular the usage of each TLS version and ciphers used on each connection to Miraheze while we work towards improving the security of our service. If any UserAgents provide identifying information (such as a username or a contact email), we will attempt to reach out to users who we identify as using incompatible ciphers with relation to this change. As we notice new browsers being used, the list above will be updated in order to ensure we are able to provide an easy to reference guide to users.

What timescale are you proposing?

The following is a schedule Operations intend to work towards with relation to this change. It is liable to change as we gather new information.

  • September 22nd
    • Introduce verbose logging of each TLS version and Cipher in use with each connection.
  • September 23rd - September 30th
    • Monitor the popularity of each version and cipher in use on connections.
    • Paying particular attention to versions and ciphers we intend to remove from service.
    • Pursuant to the Terms of Service and Privacy Policy, we will release anonymised data to the public (on Phabricator) tracking the total number of daily requests using each TLS version and cipher.
  • October 1st
    • We intend to drop support for any TLS versions and ciphers which have less than 1% of total weekly connections.
    • If any ciphers or versions accounts for exactly 1% or more, we will issue targeted advice to users advising them that they are at risk of losing access to Miraheze.
  • October 2nd - October 9th
    • We will continue to monitor traffic and do the same as listed under September 23rd - September 30th.
  • October 10th
    • We will completely drop support for all the versions and ciphers listed above irrespective of their usage. If users are experiencing issues upgrading to more modern software, they must have contacted john [at] miraheze.org before this date. This date is flexible depending on circumstances (may include dropping all but the necessary ciphers to support said users) though if this is the case, we will further announce a date where we will become 100% forward secret.
Written by John on Sep 23 2018, 01:15.
Engineering Manager, Infrastructure
AmandaCath, MacFan4000

Event Timeline