Firefox vulnerable to Logjam exploit

User Help for Mozilla Firefox
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: Firefox vulnerable to Logjam exploit

Post by NanM »

barbaz wrote: The solution suggested by jscher2000 seems to require a browser restart after flipping those prefs.

There seems to be a problem with the ssllabs test.
The manual test at
https://www.ssllabs.com:10445/
needs a refresh to register the toggle.
The parent test page
https://www.ssllabs.com/ssltest/viewMyClient.html
does register the toggle without refresh or restart needed.
Note: default NS domain permissions enabled for ssllabs.com, if that matters for the test.
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Firefox vulnerable to Logjam exploit

Post by therube »

I'm thinking that anything in the current window (perhaps even new tabs?) may need a refresh.
But anything opened in a new window should be OK.
(Easy enough to test.)
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
rolfp
Posts: 138
Joined: November 8th, 2009, 10:51 am

Re: Firefox vulnerable to Logjam exploit

Post by rolfp »

jscher2000 wrote: Disable the insecure ciphers here:...

Thank you.
sleemans
Posts: 9
Joined: February 26th, 2006, 3:57 pm

Re: Firefox vulnerable to Logjam exploit

Post by sleemans »

JayhawksRock wrote: 31.7.0 ESR is vulnerable... install new 38 ESR from here > https://www.mozilla.org/en-US/firefox/o ... tions/all/ ... Choose your language and OS. I'm not sure if the 31 version will update to 38 automajicly

Thanks.
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: Firefox vulnerable to Logjam exploit

Post by NanM »

The main SSL Labs page https://www.ssllabs.com/ssltest/viewMyClient.html
doesn't have this user agent. Yet? Or is Linux not easy for them? :?
The SSL test page recognises the toggle.
The weakdh.org test needs a restart to recognise the toggle.
rolfp
Posts: 138
Joined: November 8th, 2009, 10:51 am

Re: Firefox vulnerable to Logjam exploit

Post by rolfp »

NanM wrote: The main SSL Labs page https://www.ssllabs.com/ssltest/viewMyClient.html
doesn't have this user agent. Yet? Or is Linux not easy for them? :?
The SSL test page recognises the toggle.
The weakdh.org test needs a restart to recognise the toggle.

Except that I use 64-bit, I have the same user agent and that page gives me a result :?:
SSL/TLS Capabilities of Your Browser
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1


Protocol Support
Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is the best available protocol version at the moment.
Logjam Vulnerability (Experimental)
Your user agent is not vulnerable.
For more information about the Logjam attack, please go to weakdh.org.
To test manually, click here. Your user agent is not vulnerable if it fails to connect to the site.
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: Firefox vulnerable to Logjam exploit

Post by NanM »

rolfp wrote: same user agent and that page gives me a result :?:

Thanks rolfp,
I got the user agent detected, but the rest of the tests were flagging spinners which I interpreted as SSLLabs not having data to complete the tests.
I've just tested with a fresh profile. Tests work as expected.
Now to find the config difference.
Scarlettrunner20
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Re: Firefox vulnerable to Logjam exploit

Post by Scarlettrunner20 »

You need to uncheck all DHE ciphers not just the two Mozilla unchecks via https://addons.mozilla.org/en-US/firefo ... sable-dhe/.
therube
Posts: 21703
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Re: Firefox vulnerable to Logjam exploit

Post by therube »

You need to uncheck all DHE ciphers not just the two Mozilla unchecks

Why?
I think something like that was mentioned in Palemoon, but I didn't see a reason as to why?
If Mozilla thought that all DHE needed to be disabled, don't you think they would have done that in the extension?
Perhaps, I don't know, disabling all of them is "safer", but more likely to cause breakages, or maybe it is just that some DHE are not affected by Logjam (but what about Logjam II, the son of Logjam, ohhh)?
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: Firefox vulnerable to Logjam exploit

Post by NanM »

NanM wrote: the config difference.

Found it. The old
dom.disable_image_src_set
at true
that I've dragged around in user.js since cocky was an egg.
NanM
Posts: 182
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Re: Firefox vulnerable to Logjam exploit

Post by NanM »

therube wrote: more likely to cause breakages, or maybe it is just that some DHE are not affected by Logjam (but what about Logjam II, the son of Logjam, ohhh)?

Ha!
But agree it's very likely the only way to keep usability best for the majority is to play whack-a-mole rather than nuke the whole lawn.
It certainly does appear that SSL is seriously effed.
Scarlettrunner20
Posts: 1016
Joined: February 13th, 2003, 5:06 pm

Re: Firefox vulnerable to Logjam exploit

Post by Scarlettrunner20 »

therube wrote:
You need to uncheck all DHE ciphers not just the two Mozilla unchecks

Why?
I think something like that was mentioned in Palemoon, but I didn't see a reason as to why?
If Mozilla thought that all DHE needed to be disabled, don't you think they would have done that in the extension?
Perhaps, I don't know, disabling all of them is "safer", but more likely to cause breakages, or maybe it is just that some DHE are not affected by Logjam (but what about Logjam II, the son of Logjam, ohhh)?


Fx 31.7 ESR will not be EOL until early August. It, like Pale Moon, has a lot of DHE ciphers, ALL of which need disabling. Fx 38 has only the two that Mozilla has made a tool to disable.

I don't know when Mozilla dropped the other DHE ciphers. I do know my Fx 31.7 ESR on Windows 8 Pro and Win 10 Preview has more than two. So, maybe Mozilla only removed the other DHE ciphers in Fx 38? So, folks using earlier versions of Fx and anyone using Fx 31.7 ESR need to disable all of the DHE ciphers.

Even AFTER I disabled all of them on Fx 31.7 ESR it happily (on Windows 10) took me to foldingforum.org and declared it secure! Fx 38 colors the address bar red at that site and says encryption is broken. Pale Moon won't let me near that site. I far prefer Pale Moon's approach, as the red address bar doesn't stop a user from going to the site and using it and, of course, it's scary that the Enterprise version of Fx that is currently still supported by Mozilla (has one more point update scheduled) says that site is secure. Pale Moon throws an error "no common encryption algorithm" and tells the user to contact the webmaster of the site to have it fixed.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: Firefox vulnerable to Logjam exploit

Post by patrickjdempsey »

At least on SeaMonkey 2.33.1 on my computers, most of the other DHE ciphers are already set to false by default:

security.ssl3.dhe_dss_aes_128_sha;true
security.ssl3.dhe_dss_aes_256_sha;false
security.ssl3.dhe_rsa_aes_128_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_des_ede3_sha;false
security.ssl3.dhe_rsa_camellia_128_sha;false
security.ssl3.dhe_rsa_camellia_256_sha;false
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
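The two posts above raise a practical question: which DHE suites are still enabled in a given profile, and which lines need to go into user.js to switch them off. The script below is an added example written for this thread; it is not from the forum, from Mozilla, or from any extension mentioned here. It takes the seven security.ssl3.dhe_* pref names from patrickjdempsey's about:config list and audits them against either an about:config copy (name;value lines, exactly as pasted above) or a prefs.js/user.js file. A pref that is absent from user.js is reported as "default", because, as the thread shows, the default differs by browser version and cannot be assumed from the file alone. The user.js sample is constructed for the example; the about:config sample is the list from the post above.

```python
"""Audit Firefox/SeaMonkey pref data for DHE cipher suites left enabled,
and emit user.js lines to disable them (Logjam mitigation check).
Added example for the thread, not code from the forum or from Mozilla."""
import re

# DHE suite prefs as named in patrickjdempsey's about:config list above.
DHE_PREFS = (
    "security.ssl3.dhe_dss_aes_128_sha",
    "security.ssl3.dhe_dss_aes_256_sha",
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
    "security.ssl3.dhe_rsa_des_ede3_sha",
    "security.ssl3.dhe_rsa_camellia_128_sha",
    "security.ssl3.dhe_rsa_camellia_256_sha",
)

# Two accepted input shapes: an about:config copy ("name;value") and a
# prefs.js / user.js line ('user_pref("name", value);'). Only boolean
# values matter here; anything else is ignored rather than guessed.
ABOUT_CONFIG_LINE = re.compile(r"^\s*([\w.]+);(true|false)\s*$")
USER_PREF_LINE = re.compile(r'^\s*user_pref\("([\w.]+)",\s*(true|false)\);\s*(//.*)?$')


def parse_prefs(text):
    """Return {pref_name: bool} for every recognised boolean pref line."""
    prefs = {}
    for line in text.splitlines():
        match = ABOUT_CONFIG_LINE.match(line) or USER_PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2) == "true"
    return prefs


def audit_dhe(prefs):
    """Classify each DHE pref as 'enabled', 'disabled', or 'default'.

    'default' means the pref is not set in the supplied data, so the
    browser's built-in default applies; the thread shows that default
    varies between versions, so it is reported rather than assumed."""
    report = {}
    for name in DHE_PREFS:
        if name not in prefs:
            report[name] = "default"
        else:
            report[name] = "enabled" if prefs[name] else "disabled"
    return report


def user_js_fix(report):
    """user.js lines that turn off every suite not already explicitly off."""
    return [f'user_pref("{name}", false);'
            for name, state in report.items() if state != "disabled"]


# Sample input 1: the about:config values quoted in the post above.
SAMPLE_ABOUT_CONFIG = """
security.ssl3.dhe_dss_aes_128_sha;true
security.ssl3.dhe_dss_aes_256_sha;false
security.ssl3.dhe_rsa_aes_128_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_des_ede3_sha;false
security.ssl3.dhe_rsa_camellia_128_sha;false
security.ssl3.dhe_rsa_camellia_256_sha;false
"""

# Sample input 2: a constructed user.js that only disables the two suites
# the Mozilla extension handles, leaving the other five at browser default.
SAMPLE_USER_JS = """
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("dom.disable_image_src_set", true);  // unrelated pref, ignored
"""


if __name__ == "__main__":
    for label, sample in (("about:config", SAMPLE_ABOUT_CONFIG),
                          ("user.js", SAMPLE_USER_JS)):
        report = audit_dhe(parse_prefs(sample))
        print(f"== {label} ==")
        for name, state in report.items():
            print(f"{state:8} {name}")
        print("user.js lines to add:")
        for line in user_js_fix(report):
            print("  " + line)
```

Run it against an about:config copy and the three suites that the post shows as true come back as "enabled"; run it against the constructed user.js and the five suites it never mentions come back as "default", so the fix list contains all five rather than silently trusting the browser default.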
Downsouth
Posts: 2
Joined: June 1st, 2015, 8:21 am

Re: Firefox vulnerable to Logjam exploit

Post by Downsouth »

Hi,

I'm using Firefox 38.0.1 with WIN 8.1

I've applied jscher2000's changes and tested at:
https://www.ssllabs.com/ssltest/viewMyClient.html
weakdh.org
- all good

BUT the changes don't stick
New Window: no joy
Close all Windows, then new Window (both ordinary and "in Private"): no joy

.... hmmm