TLS ciphers

Hello,

My firewall is warning me that my Purple Air is using “unsafe TLS ciphers”. Which version of TLS is being used? I have a PA-II-SD and a PA-I, both with the 7.02 firmware.

thanks,
D

Is this an off-the-shelf firewall or something you built yourself?

Does the message say what site(s) are being accessed with the unsafe ciphers, and are they inbound or outbound of your network?

“Unsafe TLS cipher” as an alert shows up in the ntop software package, which isn’t something you generally see in consumer firewalls.

That means, of course, your firewall is actively sniffing all your traffic.

I use a pfsense firewall with ntopng sniffing everything.

And, the “unsafe TLS cipher” traffic is outbound from my purpleair sensors to www.purpleair.com and sensors-ingest.wunderground.com

Ah, well then, welcome to 2000s era intrusion detection technology. Expect lots of false positives and alerts about non-issues.
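To make concrete what a passive sniffer like ntopng is actually looking at when it raises an "unsafe TLS cipher" alert, here is an added example (not ntopng's, nDPI's or PurpleAir's code, and not part of this thread) that parses a sniffed TLS ServerHello, pulls out the negotiated protocol version and cipher suite, and classifies them the way an IDS rule would. The ServerHello messages it inspects are constructed inside the script, not captured from a real sensor, and the cipher-suite table and the "weak" heuristics are a small illustrative subset chosen for the demo.

```python
"""Passive TLS ServerHello inspection: the kind of check an IDS performs on
sniffed traffic to raise an 'unsafe TLS cipher' alert.

Added example for this thread. It is not ntopng/nDPI code and not PurpleAir
firmware. Sample messages are constructed here, not captured from a sensor.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02
EXT_SUPPORTED_VERSIONS = 0x002B   # TLS 1.3 signals its real version here

TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
    0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}

# Illustrative subset of the IANA cipher suite registry (assumption: enough
# entries for the demo; a real tool would carry the full registry).
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Constructed test data: one ServerHello wrapped in a TLS record."""
    body = struct.pack(">H", legacy_version) + b"\x11" * 32  # version, random
    body += b"\x00"                                          # empty session id
    body += struct.pack(">H", cipher_suite)
    body += b"\x00"                                          # null compression
    if selected_version is not None:                         # TLS 1.3 style
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack(">H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack(">HH", 0x0303, len(handshake))
    return record + handshake


def parse_server_hello(data):
    """Return (version, cipher_suite) negotiated in a sniffed ServerHello record."""
    if len(data) < 5 or data[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ServerHello")
    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # server random
    pos += 1 + body[pos]                        # session id length + session id
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                    # compression method
    if pos + 2 <= len(body):                    # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack(">H", edata)[0]   # overrides legacy field
    return version, cipher


def assess(version, cipher):
    """IDS-style findings; the heuristics are illustrative, not ntopng's rules."""
    findings = []
    if version < 0x0303:
        findings.append(f"legacy protocol {TLS_VERSIONS.get(version, hex(version))}")
    name = CIPHER_SUITES.get(cipher, f"unknown(0x{cipher:04X})")
    if any(tok in name for tok in ("RC4", "3DES", "NULL", "EXPORT", "MD5", "anon")):
        findings.append(f"broken cipher {name}")
    elif name.startswith("TLS_RSA_"):
        findings.append(f"no forward secrecy: {name}")
    if "_CBC_" in name:
        findings.append(f"CBC mode (non-AEAD): {name}")
    return findings


def inspect_record(data):
    version, cipher = parse_server_hello(data)
    return {
        "version": TLS_VERSIONS.get(version, hex(version)),
        "cipher": CIPHER_SUITES.get(cipher, f"unknown(0x{cipher:04X})"),
        "findings": assess(version, cipher),
    }


if __name__ == "__main__":
    samples = {
        "modern": build_server_hello(0x0303, 0x1301, selected_version=0x0304),
        "3des":   build_server_hello(0x0303, 0x000A),
        "tls10":  build_server_hello(0x0301, 0x002F),
    }
    for label, rec in samples.items():
        print(label, inspect_record(rec))
```

The important detail for anyone reading ntopng alerts is that only the ServerHello tells you what was actually negotiated; a client offering old suites in its ClientHello is not by itself a problem, and a TLS 1.3 ServerHello still carries 0x0303 in its legacy version field, so a parser that ignores the supported_versions extension will misreport it as TLS 1.2.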

I ran the SSL Labs analyzer on those two sites and it determines that old TLS versions and weak ciphers are accepted on those sites. The core issue is likely whether older versions/ciphers must be accepted to support older sensor hardware.

The user-facing site for PurpleAir is actually www2.purpleair.com which has a good TLS score. www.purpleair.com is a Google frontend that nominally redirects to www2, but (probably) handles ingest from the sensors directly. I wouldn’t think there is much PA hardware out there that is pre-TLSv1.3, so they could tighten that up.

wunderground is more egregious since they haven’t updated their servers to accept TLSv1.3 yet, but that’s no surprise given WU has been on autopilot for several years now. That said, there’s decades of hardware out there sending stuff to WU and I doubt they are interested in breaking them.

Ah, ok, thanks! I won’t worry about it then.