Firefox vulnerable to Logjam exploit
- ndebord
- Posts: 1122
- Joined: December 7th, 2002, 9:53 am
Firefox vulnerable to Logjam exploit
I am using Firefox 38.0.1 and it is vulnerable to the logjam exploit. Can we expect a bug fix soon? Microsoft 11 has released a patch much faster than normal, where is Mozilla on this?
Go here for a test to see if your browser is vulnerable or not.
weakdh.org
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
- therube
- Posts: 21722
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Firefox vulnerable to Logjam exploit
Didn't see a bug on it, but I'm sure they know about it.
Any other browsers come out with patches yet for it?
IE11, huh.
On the browser end, wonder if JavaScript is a mitigating factor?
(It is, at least for their test page to proclaim vulnerable or not.
Blocking zmap.io & I get "Good News! Your browser is safe against the Logjam attack.".)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- ndebord
- Posts: 1122
- Joined: December 7th, 2002, 9:53 am
Re: Firefox vulnerable to Logjam exploit
therube wrote: Didn't see a bug on it, but I'm sure they know about it.
Any other browsers come out with patches yet for it?
IE11, huh.
On the browser end, wonder if JavaScript is a mitigating factor?
(It is, at least for their test page to proclaim vulnerable or not.
Blocking zmap.io & I get "Good News! Your browser is safe against the Logjam attack.".)
Hi therube,
Blocking zmap.io?
I use microRSS feed from Kaspersky Lab security news service (ThreatPost) to get some of my malware news... That is where I heard that only IE 11 has been patched. I have always browsed with Java and JavaScript disabled on a toggle in PrefBar, but JavaScript is so universal that I have to reenable it all the time.
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
-
- Posts: 33
- Joined: December 4th, 2002, 12:56 am
Re: Firefox vulnerable to Logjam exploit
I think that blocking zmap.io just interferes with this specific testing, but you are still vulnerable since the SSL RSA handshake does not require JavaScript.
A better test is created by the amazing Ivan Ristić:
https://www.ssllabs.com/ssltest/viewMyClient.html
- jscher2000
- Posts: 11772
- Joined: December 19th, 2004, 12:26 am
- Location: Silicon Valley, CA USA
- Contact:
Re: Firefox vulnerable to Logjam exploit
Disable the insecure ciphers here:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html
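A way to confirm the pref change from the post above outside the browser, as an added example that is not part of the original thread: this Node.js sketch parses the text of a profile's prefs.js or user.js and reports whether the two DHE suites are switched off. The sample file contents are constructed, and treating an unset pref as enabled is an assumption based on the post's "switch it from true to false".

```javascript
// Added example (not Mozilla code): audit Firefox pref-file text for the
// two DHE cipher prefs named in the post above.
const DHE_PREFS = [
  "security.ssl3.dhe_rsa_aes_128_sha",
  "security.ssl3.dhe_rsa_aes_256_sha",
];

// Parse user_pref("name", value); lines. The pattern is anchored at the
// start of the line, so commented-out prefs are ignored; later lines win.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    prefs.set(m[1], raw === "true" ? true : raw === "false" ? false : raw);
  }
  return prefs;
}

function auditDhe(text) {
  const prefs = parsePrefs(text);
  return DHE_PREFS.map((name) => {
    const explicit = prefs.has(name);
    // Assumption: an unset pref keeps its default, which the thread gives as true.
    const enabled = explicit ? prefs.get(name) !== false : true;
    return { name, enabled, explicit };
  });
}

function dheDisabled(text) {
  return auditDhe(text).every((r) => !r.enabled);
}

// Constructed sample contents, not taken from a real profile.
const SAMPLE_PARTIAL = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.page", 3);',
  'user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);',
  '// user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);',
].join("\n");
const SAMPLE_FIXED =
  SAMPLE_PARTIAL + '\nuser_pref("security.ssl3.dhe_rsa_aes_256_sha", false);';

for (const r of auditDhe(SAMPLE_PARTIAL)) {
  const state = r.enabled ? "ENABLED" : "disabled";
  console.log(`${r.name}: ${state}${r.explicit ? "" : " (default)"}`);
}
console.log("all DHE suites off:", dheDisabled(SAMPLE_FIXED));
```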
- ndebord
- Posts: 1122
- Joined: December 7th, 2002, 9:53 am
Re: Firefox vulnerable to Logjam exploit
jscher2000 wrote: Disable the insecure ciphers here:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html
jscher2000,
Much thanks, your fix made Fx 38.0.1 safe. Appreciate.
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
- therube
- Posts: 21722
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Firefox vulnerable to Logjam exploit
AMO: Disable DHE 0.1.1
(SeaMonkey users will need to send the extension through Add-on Converter For SeaMonkey, or you can always do it manually as shown above.)
Also note that (as of now at least) Mozilla is not going to push through any update for this for FF 38, scheduled to land in FF 39.
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
-
- Posts: 316
- Joined: October 6th, 2010, 3:55 am
Re: Firefox vulnerable to Logjam exploit
Thanks, jscher2000. Much appreciated.
-
- Posts: 9
- Joined: February 26th, 2006, 3:57 pm
Re: Firefox vulnerable to Logjam exploit
jscher2000 wrote: Disable the insecure ciphers here:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html
Did this and ssllabs still says I'm vulnerable, 31.7.0 ESR
Thanks
- JayhawksRock
- Posts: 10433
- Joined: October 24th, 2010, 8:51 am
Re: Firefox vulnerable to Logjam exploit
31.7.0 ESR is vulnerable... install new 38 ESR from here > https://www.mozilla.org/en-US/firefox/o ... tions/all/ ... Choose your language and OS. I'm not sure if the 31 version will update to 38 automajicly
"The trouble with quotes on the internet is you never know if they are genuine" ...Abraham Lincoln
- mightyglydd
- Posts: 9813
- Joined: November 4th, 2006, 7:07 pm
- Location: Hollywood Ca.
-
- Posts: 182
- Joined: September 16th, 2008, 1:04 am
- Location: SW WAustralia
Re: Firefox vulnerable to Logjam exploit
therube wrote: AMO: Disable DHE 0.1.1
(SeaMonkey users will need to send the extension through Add-on Converter For SeaMonkey,
I was able to install directly from the addon page button, after dismissing a cute new kind of permission popup from Moz.
Confirmed the config change with manual inspection and at https://www.ssllabs.com/ssltest/viewMyClient.html
-
- Posts: 1504
- Joined: October 1st, 2014, 3:25 pm
Re: Firefox vulnerable to Logjam exploit
The solution suggested by jscher2000 seems to require a browser restart after flipping those prefs.
- mightyglydd
- Posts: 9813
- Joined: November 4th, 2006, 7:07 pm
- Location: Hollywood Ca.
Re: Firefox vulnerable to Logjam exploit
Indeed, and FWIW it works with SeaMonkey too.
#KeepFightingMichael and Alex.
- Gingerbread Man
- Posts: 7735
- Joined: January 30th, 2007, 10:55 am
Re: Firefox vulnerable to Logjam exploit
therube wrote: Didn't see a bug on it, but I'm sure they know about it.
Feel free to vote for the report to keep track of any progress, but please don't post comments unless you have technical information to add. See the Bugzilla etiquette page for details.
- Bug 1138554 - NSS accepts export-length DHE keys with regular DHE cipher suites