MozillaZine

Firefox vulnerable to Logjam exploit

User Help for Mozilla Firefox
NanM
 
Posts: 181
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted May 24th, 2015, 1:23 am

barbaz wrote: The solution suggested by jscher2000 seems to require a browser restart after flipping those prefs.


There seems to be a problem with the ssllabs test.
The manual test at
https://www.ssllabs.com:10445/
Needs a refresh to register the toggle.
The parent test page
https://www.ssllabs.com/ssltest/viewMyClient.html
does register the toggle without refresh or restart needed.
Note: default NS domain permissions enabled for ssllabs.com, if that matters for the test.

therube

 
Posts: 20511
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 24th, 2015, 4:38 am

I'm thinking that anything in the current window (perhaps even new tabs?) may need a refresh.
But anything opened in a new window should be OK.
(Easy enough to test.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

rolfp

 
Posts: 135
Joined: November 8th, 2009, 10:51 am

Post Posted May 24th, 2015, 9:12 am

jscher2000 wrote: Disable the insecure ciphers here:...


Thank you.

sleemans
 
Posts: 9
Joined: February 26th, 2006, 3:57 pm

Post Posted May 24th, 2015, 4:35 pm

JayhawksRock wrote: 31.7.0 ESR is vulnerable... install new 38 ESR from here > https://www.mozilla.org/en-US/firefox/o ... tions/all/ ... Choose your language and OS. I'm not sure if the 31 version will update to 38 automajicly


Thanks.

NanM
 
Posts: 181
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted May 25th, 2015, 2:16 am

The main SSL labs page https://www.ssllabs.com/ssltest/viewMyClient.html
doesn't have this user agent. ?yet, or is linux not easy for them :?
The SSL test page recognises the toggle.
The weakdh.org test needs a restart to recognise the toggle.

rolfp

 
Posts: 135
Joined: November 8th, 2009, 10:51 am

Post Posted May 25th, 2015, 5:49 am

NanM wrote: The main SSL labs page https://www.ssllabs.com/ssltest/viewMyClient.html
doesn't have this user agent. ?yet, or is linux not easy for them :?
The SSL test page recognises the toggle.
The weakdh.org test needs a restart to recognise the toggle.

Except that I use 64-bit, I have the same user agent and that page gives me a result :?:
SSL/TLS Capabilities of Your Browser
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

Other User Agents »

Protocol Support
Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is the best available protocol version at the moment.
Logjam Vulnerability (Experimental)
Your user agent is not vulnerable.
For more information about the Logjam attack, please go to weakdh.org.
To test manually, click here. Your user agent is not vulnerable if it fails to connect to the site.

NanM
 
Posts: 181
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted May 26th, 2015, 2:06 am

rolfp wrote: same user agent and that page gives me a result :?:


Thanks rolfp,
I got the user agent detected, but the rest of the tests were flagging spinners which I interpreted as SSLLabs not having data to complete the tests.
I've just tested with a fresh profile. Tests work as expected.
Now to find the config difference.

Scarlettrunner20

 
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Post Posted May 26th, 2015, 6:24 am

You need to uncheck all DHE ciphers not just the two Mozilla unchecks via https://addons.mozilla.org/en-US/firefo ... sable-dhe/.

therube

 
Posts: 20511
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 26th, 2015, 8:41 am

You need to uncheck all DHE ciphers not just the two Mozilla unchecks

Why?
I think something like that was mentioned in Palemoon, but I didn't see a reason as to why?
If Mozilla thought that all DHE needed to be disabled, don't you think they would have done that in the extension?
Perhaps, I don't know, disabling all of them is "safer", but more likely to cause breakages, or maybe it is just that some DHE are not affected by Logjam (but what about Logjam II, the son of Logjam, ohhh)?

therube

 
Posts: 20511
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted May 26th, 2015, 10:36 am


NanM
 
Posts: 181
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted May 26th, 2015, 1:49 pm

NanM wrote: the config difference.

Found it. The old
dom.disable_image_src_set
at true
that I've dragged around in user.js since cocky was an egg.

NanM
 
Posts: 181
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted May 26th, 2015, 1:58 pm

therube wrote: more likely to cause breakages, or maybe it is just that some DHE are not affected by Logjam (but what about Logjam II, the son of Logjam, ohhh)?

Ha!
But agree it's very likely the only way to keep usability best for majority is to play whack a mole rather than nuke the whole lawn.
It certainly does appear that SSL is seriously effed.

Scarlettrunner20

 
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Post Posted May 27th, 2015, 1:41 am

therube wrote:
You need to uncheck all DHE ciphers not just the two Mozilla unchecks

Why?
I think something like that was mentioned in Palemoon, but I didn't see a reason as to why?
If Mozilla thought that all DHE needed to be disabled, don't you think they would have done that in the extension?
Perhaps, I don't know, disabling all of them is "safer", but more likely to cause breakages, or maybe it is just that some DHE are not affected by Logjam (but what about Logjam II, the son of Logjam, ohhh)?


Fx 31.7 ESR will not be EOL until early August. It, like Pale Moon, has a lot of DHE ciphers ALL of which need disabling. Fx 38 has only the two Mozilla has made a tool for to disable them.

I don't know when Mozilla dropped the other DHE ciphers...I do know my Fx31.7 ESR on Windows 8 Pro and Win 10 Preview has more than two. So, maybe Mozilla only removed the other DHE ciphers in Fx38? So, folks using earlier versions of Fx and anyone using Fx 31.7 ESR need to disable all of the DHE ciphers. Even AFTER I disabled all of them on Fx 31.7ESR it happily (on Windows 10) took me to foldingforum.org and declared it secure! Fx 38 colors the address bar red at that site and says encryption is broken. Pale Moon won't let me near that site. I far prefer Pale Moon's approach as the red address bar doesn't stop a user from going to the site and using it and, of course, it's scary that the Enterprise version of Fx that is currently still supported by Mozilla (has one more point update scheduled) says that site is secure. Pale Moon throws an error "no common encryption algorithm" and tells the user to contact the webmaster of the site to have it fixed.

patrickjdempsey

 
Posts: 23734
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Post Posted May 28th, 2015, 1:12 am

At least on SeaMonkey 2.33.1 on my computers, most of the other DHE ciphers are already set to false by default:

security.ssl3.dhe_dss_aes_128_sha;true
security.ssl3.dhe_dss_aes_256_sha;false
security.ssl3.dhe_rsa_aes_128_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_des_ede3_sha;false
security.ssl3.dhe_rsa_camellia_128_sha;false
security.ssl3.dhe_rsa_camellia_256_sha;false
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
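An added example (not from this thread or from Mozilla): a small Node script that reads an about:config-style paste like the one above, lists the DHE suite prefs still set to true, and emits user.js lines that force every DHE pref off. The pref names are the seven quoted in the post; the sample values are constructed from that post, and the script assumes the SeaMonkey/Firefox about:config export uses the `name;value` layout shown.

```javascript
// DHE cipher-suite prefs as quoted in the post above.
const DHE_PREFS = [
  "security.ssl3.dhe_dss_aes_128_sha",
  "security.ssl3.dhe_dss_aes_256_sha",
  "security.ssl3.dhe_rsa_aes_128_sha",
  "security.ssl3.dhe_rsa_aes_256_sha",
  "security.ssl3.dhe_rsa_des_ede3_sha",
  "security.ssl3.dhe_rsa_camellia_128_sha",
  "security.ssl3.dhe_rsa_camellia_256_sha",
];

// Parse either "name;value" lines (about:config paste, as in the post) or
// prefs.js / user.js style user_pref("name", value); lines into a Map
// of pref name -> boolean. Lines that match neither layout are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  const userPrefLine = /^\s*user_pref\("([^"]+)",\s*(true|false)\);/;
  const aboutConfigLine = /^\s*([\w.]+);(true|false)\s*$/;
  for (const line of text.split("\n")) {
    const m = line.match(userPrefLine) || line.match(aboutConfigLine);
    if (m) prefs.set(m[1], m[2] === "true");
  }
  return prefs;
}

// DHE prefs present in the dump and still true. Note that prefs.js only
// records non-default values, so audit an about:config export, not prefs.js,
// if you want to see build defaults (the post shows some default to true).
function enabledDhe(prefs) {
  return DHE_PREFS.filter((name) => prefs.get(name) === true);
}

// user.js lines that pin every DHE pref to false, whatever the build default.
function userJsFix() {
  return DHE_PREFS.map((name) => `user_pref("${name}", false);`).join("\n");
}

// Constructed sample: the SeaMonkey 2.33.1 defaults quoted in the post.
const SAMPLE = `security.ssl3.dhe_dss_aes_128_sha;true
security.ssl3.dhe_dss_aes_256_sha;false
security.ssl3.dhe_rsa_aes_128_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_des_ede3_sha;false
security.ssl3.dhe_rsa_camellia_128_sha;false
security.ssl3.dhe_rsa_camellia_256_sha;false`;

console.log("DHE suites still enabled:", enabledDhe(parsePrefs(SAMPLE)));
console.log("user.js lines to apply:\n" + userJsFix());
```

As the thread notes, a pref change made in user.js only takes effect after the browser is restarted, so re-run the weakdh.org or SSL Labs client test after restarting.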

Downsouth
 
Posts: 2
Joined: June 1st, 2015, 8:21 am

Post Posted June 1st, 2015, 8:41 am

Hi,

I'm using Firefox 38.0.1 with WIN 8.1

I've applied jscher2000's changes and tested at:
https://www.ssllabs.com/ssltest/viewMyClient.html
weakdh.org
- all good

BUT the changes don't stick
New Window: no joy
Close all Windows, then new Window (both ordinary and "in Private"): no joy

.... hmmm
