Default traefik config cuts off old devices from accessing the services #487

Open
opened 2023-09-01 13:28:32 +00:00 by knoflook · 1 comment

It only allows TLS 1.2 or 1.3 and forces SHA-2 or later. That means that older devices, especially embedded ones like mobile phones, are not able to access the service behind Traefik. There is no HTTP version allowed either.
proof: https://testtls.com/autonomic.zone/443

Some affected platforms are:

  • Windows XP SP2 or earlier (according to Wikipedia)
  • Symbian S60^3 (tested on my Nokia N95 8GB, a 2007 device)

Now, SSLv3.0 and older TLS versions are broken and cannot be trusted anymore, but my understanding is that web clients will negotiate the newest and most secure protocol and cipher available, which means that users of modern hardware and software will not be exposed to insecure cryptography because their browsers will negotiate TLS 1.3 anyway.
However, if someone chooses to use an older device that is not cryptographically secure, they will be able to access the services. They should have the option to do so, especially when they're not sending or receiving any sensitive data, but merely browsing a publicly available internet site. They are not cryptographically secured against MITM attacks that would change the data they receive, but I suppose if someone chooses to use Windows XP SP2 or a Symbian S60 device in 2023 they are either:

  • a nerd that's aware of the problems
  • a nerd that's unaware of the problems but they will not be accessing any data of great importance
  • incapable of using any other device due to reasons beyond their control, in which case they should not be cut off from using the service just because it's not secure in traffic.

I think supporting legacy devices is an important part of making tech more ethical and shouldn't be written off in the blind chase for security.

So my proposition is to enable legacy ciphers by default in Traefik and add a commented-out option to all recipes so users can enable plaintext HTTP access per app. If there's a way to do a conditional HTTP → HTTPS upgrade depending on whether the device supports it, maybe we could even enable HTTP by default on some/all services (i.e. WordPress). Otherwise we should leave HTTP disabled by default to avoid a situation where people with HTTPS-compatible devices accidentally log in over plaintext because their connection wasn't upgraded.

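To make the trade-off in the proposal concrete, here is an added example that is not part of the issue or of the toolshed/abra recipes. Traefik is written in Go and its TLS options (`minVersion`, `cipherSuites` in the dynamic `tls.options` configuration) map directly onto Go's `crypto/tls.Config`, so the same two server profiles are built here in Go: a strict one with a TLS 1.2 floor, as described above, and a legacy one that lowers the floor to TLS 1.0 and adds an ECDHE CBC suite that 2007-era clients can use. Two client profiles, a modern browser and a TLS 1.0-only device, are then run against each over loopback to show which combinations are refused and what version each successful handshake negotiates. The certificate is a constructed self-signed RSA cert, and the client skips verification only because this is a loopback test. Note that lowering the floor does not by itself help a client that cannot validate SHA-256 certificate signatures, which is a separate barrier for Windows XP before SP3, since Let's Encrypt issues only SHA-256-signed certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds constructed test material: a throwaway self-signed RSA
// certificate, since the old clients in question only use RSA-based suites.
func selfSignedCert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StrictServer mirrors the floor the issue describes: TLS 1.2 or newer only
// (Traefik: minVersion: VersionTLS12).
func StrictServer(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// LegacyServer lowers the floor to TLS 1.0 and lists one CBC suite a TLS 1.0
// client can use next to an AEAD suite for modern clients (Traefik:
// minVersion: VersionTLS10 plus the same names under cipherSuites).
func LegacyServer(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		},
	}
}

// ModernClient is a current browser: Go's defaults, TLS 1.2 and 1.3.
func ModernClient() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true} // loopback test only
}

// LegacyClient models a 2007-era device: TLS 1.0 only, a single CBC suite.
func LegacyClient() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // loopback test only
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
	}
}

// Negotiate runs one handshake over loopback and returns the negotiated
// protocol version, or the error the client sees when the server refuses.
func Negotiate(server, client *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // a failure here surfaces as the client's error
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	servers := map[string]*tls.Config{"strict": StrictServer(cert), "legacy": LegacyServer(cert)}
	clients := map[string]*tls.Config{"modern": ModernClient(), "legacy": LegacyClient()}
	for sn, s := range servers {
		for cn, c := range clients {
			if v, err := Negotiate(s, c); err != nil {
				fmt.Printf("%-6s server, %-6s client: refused (%v)\n", sn, cn, err)
			} else {
				fmt.Printf("%-6s server, %-6s client: negotiated 0x%04x\n", sn, cn, v)
			}
		}
	}
}
```

The point the issue makes about negotiation holds in the output: the modern client ends up on TLS 1.3 against both servers, because lowering `MinVersion` and listing a CBC suite does not stop a capable client from picking the newest version and an AEAD suite. Only the legacy client's outcome changes, from a refused handshake to TLS 1.0 with `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`.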
knoflook added the design, security, performance labels 2023-09-01 13:29:10 +00:00
Owner

Sounds great, thank you for taking this on!

Reference: toolshed/organising#487