Firefox vulnerable to Logjam exploit

User Help for Mozilla Firefox
ndebord
Posts: 1122
Joined: December 7th, 2002, 9:53 am

Firefox vulnerable to Logjam exploit

Post by ndebord »

I am using Firefox 38.0.1 and it is vulnerable to the logjam exploit. Can we expect a bug fix soon? Microsoft 11 has released a patch much faster than normal; where is Mozilla on this?

Go here for a test to see if your browser is vulnerable or not.

weakdh.org
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Firefox vulnerable to Logjam exploit

Post by therube »

Didn't see a bug on it, but I'm sure they know about it.
Any other browsers come out with patches yet for it?
IE11, huh.

On the browser end, wonder if JavaScript is a mitigating factor?
(It is, at least for their test page to proclaim vulnerable or not.
Blocking zmap.io & I get "Good News! Your browser is safe against the Logjam attack.".)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
ndebord
Posts: 1122
Joined: December 7th, 2002, 9:53 am

Re: Firefox vulnerable to Logjam exploit

Post by ndebord »

therube wrote:Didn't see a bug on it, but I'm sure they know about it.
Any other browsers come out with patches yet for it?
IE11, huh.

On the browser end, wonder if JavaScript is a mitigating factor?
(It is, at least for their test page to proclaim vulnerable or not.
Blocking zmap.io & I get "Good News! Your browser is safe against the Logjam attack.".)


Hi therube,

Blocking zmap.io?

I use microRSS feed from Kaspersky Lab security news service (ThreatPost) to get some of my malware news... That is where I heard that only IE 11 has been patched. I have always browsed with Java and JavaScript disabled on a toggle in PrefBar, but JavaScript is so universal that I have to reenable it all the time.
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
Kob
Posts: 33
Joined: December 4th, 2002, 12:56 am

Re: Firefox vulnerable to Logjam exploit

Post by Kob »

I think that blocking zmap.io just interferes with this specific testing, but you are still vulnerable since the SSL RSA handshake does not require javascript.

A better test is created by the amazing Ivan Ristić:
https://www.ssllabs.com/ssltest/viewMyClient.html
jscher2000
Posts: 11742
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Re: Firefox vulnerable to Logjam exploit

Post by jscher2000 »

Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html
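An added example (not code from this thread, from Mozilla, or from jscher2000) that audits a profile's prefs.js or user.js for the two preferences named in the steps above. It assumes the Firefox 38 behaviour that both prefs default to true and that prefs.js only records values changed from the default, so an absent entry means the DHE_RSA suite is still offered. The sample prefs content is constructed; the audit also emits the user.js lines that pin both prefs to false.

```python
import re

# Preference names from the steps above; both default to true in Firefox 38
# and must read false for the DHE_RSA suites to be left out of the handshake.
DHE_PREFS = (
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
)

# Matches one prefs.js / user.js line, e.g.
#   user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
PREF_LINE = re.compile(
    r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$'
)


def parse_prefs(text):
    """Return {name: value} for every pref line in prefs.js-style text.

    Comment and blank lines are skipped. Booleans become Python bools,
    integers become ints, strings lose their surrounding quotes.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def dhe_status(prefs):
    """Map each DHE pref to True if the suite is still enabled.

    A pref missing from prefs.js is at its default, which is true.
    """
    return {name: prefs.get(name, True) for name in DHE_PREFS}


def still_enabled(prefs):
    """Names of the DHE prefs a profile still has switched on."""
    return [name for name, on in dhe_status(prefs).items() if on]


def user_js_lines():
    """user.js lines that pin both DHE prefs to false (the fix above)."""
    return ['user_pref("%s", false);' % name for name in DHE_PREFS]


# Constructed sample: a profile where only the 128-bit pref was flipped.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("network.http.max-connections", 256);
"""

if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE_PREFS_JS)
    for name, on in dhe_status(parsed).items():
        print("%-40s %s" % (name, "ENABLED (vulnerable)" if on else "disabled"))
    if still_enabled(parsed):
        print("\nAdd to user.js in the profile directory, then restart the browser:")
        print("\n".join(user_js_lines()))
```

Run it against a real profile by reading that profile's prefs.js into `parse_prefs` instead of the constructed sample; a restart is needed after editing user.js, which matches the restart observation later in this thread.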
ndebord
Posts: 1122
Joined: December 7th, 2002, 9:53 am

Re: Firefox vulnerable to Logjam exploit

Post by ndebord »

jscher2000 wrote:Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html


jscher2000,

Much thanks, your fix made Fx 38.0.1 safe. Appreciate.
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Firefox vulnerable to Logjam exploit

Post by therube »

AMO: Disable DHE 0.1.1

(SeaMonkey users will need to send the extension through Add-on Converter For SeaMonkey, or you can always do it manually as shown above :-).)


Also note that (as of now at least) Mozilla is not going to push through any update for this for FF 38, scheduled to land in FF 39.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
Diane Vigil
Posts: 316
Joined: October 6th, 2010, 3:55 am

Re: Firefox vulnerable to Logjam exploit

Post by Diane Vigil »

Thanks, jscher2000. Much appreciated.
sleemans
Posts: 9
Joined: February 26th, 2006, 3:57 pm

Re: Firefox vulnerable to Logjam exploit

Post by sleemans »

jscher2000 wrote:Disable the insecure ciphers here:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html


Did this and ssllabs still says I'm vulnerable, 31.7.0 ESR
Thanks
JayhawksRock
Posts: 10433
Joined: October 24th, 2010, 8:51 am

Re: Firefox vulnerable to Logjam exploit

Post by JayhawksRock »

31.7.0 ESR is vulnerable... install new 38 ESR from here > https://www.mozilla.org/en-US/firefox/o ... tions/all/ ... Choose your language and OS. I'm not sure if the 31 version will update to 38 automajicly
"The trouble with quotes on the internet is you never know if they are genuine" ...Abraham Lincoln
mightyglydd
Posts: 9813
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Re: Firefox vulnerable to Logjam exploit

Post by mightyglydd »

Thanks J, WFM.
#KeepFightingMichael and Alex.
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: Firefox vulnerable to Logjam exploit

Post by NanM »

therube wrote:AMO: Disable DHE 0.1.1

(SeaMonkey users will need to send the extension through Add-on Converter For SeaMonkey,


I was able to install directly from the addon page button, after dismissing a cute new kind of permission popup from Moz.
Confirmed the config change with manual inspection and at https://www.ssllabs.com/ssltest/viewMyClient.html
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Firefox vulnerable to Logjam exploit

Post by barbaz »

The solution suggested by jscher2000 seems to require a browser restart after flipping those prefs.
mightyglydd
Posts: 9813
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Re: Firefox vulnerable to Logjam exploit

Post by mightyglydd »

Indeed, and FWIW it works with SeaMonkey too.
#KeepFightingMichael and Alex.
Gingerbread Man
Posts: 7735
Joined: January 30th, 2007, 10:55 am

Re: Firefox vulnerable to Logjam exploit

Post by Gingerbread Man »

therube wrote:Didn't see a bug on it, but I'm sure they know about it.

Feel free to vote for the report to keep track of any progress, but please don't post comments unless you have technical information to add. See the Bugzilla etiquette page for details.
  • Bug 1138554 - NSS accepts export-length DHE keys with regular DHE cipher suites
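The bug title above describes the client-side weakness: the DHE parameters arrive in the server's ServerKeyExchange message, and a client that accepts an export-length prime there is exposed regardless of JavaScript, as Kob noted earlier. The following is an added example, not code from this thread or from NSS, that parses the ServerDHParams prefix of a captured TLS ServerKeyExchange body (RFC 5246 section 7.4.3 layout) and reports the prime length, the check a packet capture review would apply. The sample messages are constructed; the 512-bit and 2048-bit values stand in for primes and are not real DH group parameters, since only the length matters to the check.

```python
import struct


def parse_dhe_server_key_exchange(body):
    """Parse ServerDHParams from a TLS ServerKeyExchange body (DHE suites).

    Layout: opaque dh_p<1..2^16-1>, opaque dh_g<1..2^16-1>,
    opaque dh_Ys<1..2^16-1>, then the signature, which is ignored here.
    Returns (p, g, Ys) as integers; raises ValueError on a malformed prefix.
    """
    offset = 0
    fields = []
    for _ in range(3):
        if offset + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError("bad ServerDHParams length")
        fields.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    return tuple(fields)


def classify_dh_prime(p):
    """Verdict on a DH modulus by bit length only.

    Under 1024 bits is export-length (the Logjam downgrade target);
    1024-bit groups are weak against well-funded precomputation;
    2048 bits and up is the commonly recommended minimum.
    """
    bits = p.bit_length()
    if bits < 1024:
        return "export-grade"
    if bits < 2048:
        return "weak"
    return "acceptable"


def audit_server_key_exchange(body):
    """Summarise a ServerKeyExchange body as {'p_bits': n, 'verdict': s}."""
    p, _g, _ys = parse_dhe_server_key_exchange(body)
    return {"p_bits": p.bit_length(), "verdict": classify_dh_prime(p)}


def build_server_dh_params(p, g, ys):
    """Encode three integers as ServerDHParams (used to build test input)."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: placeholder moduli, not real primes or real groups.
EXPORT_P = (1 << 511) | 1      # 512-bit value, export-length
STRONG_P = (1 << 2047) | 1     # 2048-bit value
FAKE_YS = (1 << 500) | 0x1234  # placeholder public value
FAKE_SIG = b"\x04\x01\x00\x02\xab\xcd"  # trailing bytes the parser ignores

SAMPLE_EXPORT = build_server_dh_params(EXPORT_P, 2, FAKE_YS) + FAKE_SIG
SAMPLE_STRONG = build_server_dh_params(STRONG_P, 2, FAKE_YS) + FAKE_SIG

if __name__ == "__main__":
    for label, body in (("export sample", SAMPLE_EXPORT), ("strong sample", SAMPLE_STRONG)):
        print(label, audit_server_key_exchange(body))
```

To use it on a real handshake, feed the bytes after the 4-byte handshake header of a ServerKeyExchange message from a capture; a "weak" or "export-grade" verdict is the condition the prefs change earlier in the thread prevents the client from negotiating.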