MozillaZine

Firefox vulnerable to Logjam exploit

User Help for Mozilla Firefox
ndebord

Posts: 736
Joined: December 7th, 2002, 9:53 am

Post Posted May 20th, 2015, 8:07 pm

I am using Firefox 38.0.1 and it is vulnerable to the logjam exploit. Can we expect a bug fix soon? Microsoft 11 has released a patch much faster than normal, where is Mozilla on this?

Go here for a test to see if your browser is vulnerable or not.

weakdh.org
-N-

Dell Venue Pro 8 5830, Windows 10 Home, AvastFree and Scotty is on Patrol
Dulce bellum inexpertis

therube

Posts: 17727
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 21st, 2015, 10:11 am

Didn't see a bug on it, but I'm sure they know about it.
Any other browsers come out with patches yet for it?
IE11, huh.

On the browser end, wonder if JavaScript is a mitigating factor?
(It is, at least for their test page to proclaim vulnerable or not.
Blocking zmap.io & I get "Good News! Your browser is safe against the Logjam attack.".)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

ndebord

Posts: 736
Joined: December 7th, 2002, 9:53 am

Post Posted May 21st, 2015, 10:59 am

therube wrote: Didn't see a bug on it, but I'm sure they know about it.
Any other browsers come out with patches yet for it?
IE11, huh.

On the browser end, wonder if JavaScript is a mitigating factor?
(It is, at least for their test page to proclaim vulnerable or not.
Blocking zmap.io & I get "Good News! Your browser is safe against the Logjam attack.".)


Hi therube,

Blocking zmap.io?

I use microRSS feed from Kaspersky Lab security news service (ThreatPost) to get some of my malware news... That is where I heard that only IE 11 has been patched. I have always browsed with Java and JavaScript disabled on a toggle in PrefBar, but JavaScript is so universal that I have to reenable it all the time.
-N-

Dell Venue Pro 8 5830, Windows 10 Home, AvastFree and Scotty is on Patrol
Dulce bellum inexpertis

Kob
 
Posts: 33
Joined: December 4th, 2002, 12:56 am

Post Posted May 21st, 2015, 3:22 pm

I think that blocking zmap.io just interferes with this specific testing, but you are still vulnerable since the SSL RSA handshake does not require JavaScript.

A better test is created by the amazing Ivan Ristić:
https://www.ssllabs.com/ssltest/viewMyClient.html

jscher2000

Posts: 10077
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Post Posted May 21st, 2015, 4:58 pm

Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html

ndebord

Posts: 736
Joined: December 7th, 2002, 9:53 am

Post Posted May 22nd, 2015, 11:39 am

jscher2000 wrote: Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html


jscher2000,

Much thanks, your fix made Fx 38.0.1 safe. Appreciate.
-N-

Dell Venue Pro 8 5830, Windows 10 Home, AvastFree and Scotty is on Patrol
Dulce bellum inexpertis

therube

Posts: 17727
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 22nd, 2015, 1:13 pm

AMO: Disable DHE 0.1.1

(SeaMonkey users will need to send the extension through Add-on Converter For SeaMonkey, or you can always do it manually as shown above :-).)


Also note that (as of now at least) Mozilla is not going to push through any update for this for FF 38, scheduled to land in FF 39.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Diane Vigil
 
Posts: 234
Joined: October 6th, 2010, 3:55 am

Post Posted May 22nd, 2015, 4:21 pm

Thanks, jscher2000. Much appreciated.

sleemans
 
Posts: 9
Joined: February 26th, 2006, 3:57 pm

Post Posted May 22nd, 2015, 5:42 pm

jscher2000 wrote: Disable the insecure ciphers here:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html


Did this and ssllabs still says I'm vulnerable, 31.7.0 ESR
Thanks

JayhawksRock

Posts: 10429
Joined: October 24th, 2010, 8:51 am

Post Posted May 22nd, 2015, 5:52 pm

31.7.0 ESR is vulnerable... install the new 38 ESR from here > https://www.mozilla.org/en-US/firefox/o ... tions/all/ ... Choose your language and OS. I'm not sure if the 31 version will update to 38 automagically.
"The trouble with quotes on the internet is you never know if they are genuine" ...Abraham Lincoln

mightyglydd

Posts: 9018
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted May 22nd, 2015, 6:22 pm

Thanks J, WFM.
#KeepFightingMichael

NanM
 
Posts: 174
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted May 23rd, 2015, 1:14 am

therube wrote: AMO: Disable DHE 0.1.1

(SeaMonkey users will need to send the extension through Add-on Converter For SeaMonkey,


I was able to install directly from the add-on page button, after dismissing a cute new kind of permission popup from Moz.
Confirmed the config change with manual inspection and at https://www.ssllabs.com/ssltest/viewMyClient.html

barbaz
 
Posts: 1677
Joined: October 1st, 2014, 3:25 pm

Post Posted May 23rd, 2015, 8:34 am

The solution suggested by jscher2000 seems to require a browser restart after flipping those prefs.
*Always* check the changelogs BEFORE updating that important software!

mightyglydd

Posts: 9018
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted May 23rd, 2015, 8:56 am

Indeed, and FWIW it works with SeaMonkey too.
#KeepFightingMichael

Gingerbread Man

Posts: 7504
Joined: January 30th, 2007, 10:55 am

Post Posted May 23rd, 2015, 11:37 pm

therube wrote: Didn't see a bug on it, but I'm sure they know about it.

Feel free to vote for the report to keep track of any progress, but please don't post comments unless you have technical information to add. See the Bugzilla etiquette page for details.
  • Bug 1138554 - NSS accepts export-length DHE keys with regular DHE cipher suites
