Red Hat Enterprise Linux Crypto Changes for Firefox 59

Updated -

TLS/SSL compression removal
TLS/SSL compression code will be removed in the upcoming NSS rebase. The whole concept of the compression on TLS/SSL level is considered a security risk for a few years already (a most visible example is probably the CRIME attack used to recover secret web cookies). This change preserves the API compatibility. Existing applications that follow the TLS/SSL standards will work as previously.

Benefits:
Security hardening - it will not be possible to negotiate TLS/SSL with compression by mistake

CA code signing bit removal
With the upcoming rebase of the ca-certificates package, Mozilla removes support for the bit indicating that particular certificate authority (CA) is trusted for code signing. This change reflects the reality that there are no recent or ongoing security audits that would verify that CAs do required checking for this purpose and generally this functionality is becoming deprecated. Previously-existing use cases requiring usage of the code signing bit are no longer applicable.

Benefits:
Security hardening - with this change, Red Hat makes clear that applications using the CA code signing bit are no longer considered secure.

Code signing bit support will be removed in Red Hat Enterprise Linux 7.5. In previous releases, the API compatibility is going to be preserved, and the code signing bit is granted to CAs that:
1. had it previously set, AND
2. still have the TLS trust bit indicating that they are trusted for identifying TLS servers.

Certificate authorities that are not trusted for TLS with less rigid checking should not be trusted for the code signing, which requires more extensive checking.

Comments