-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ToDo: security.ssl3.* #24
Comments
What bugs me a bit is the "Restore default settings" button on those "Secure Connection Failed" pages. |
The strings I have set to false as unsecure:
Unsecure cryptographic keys aren't issued anymore. So there's a limbo where you stumble on expired CA Certs until they are renewed (and use different keys).
But it has 128 on my screen. I abstain from crosslinking the discussions on pyllyukko's user.js repo. Note: adding this to your Chromium shortcut (as the “Arguments”) or command-line |
Thank you ;) 1214 -
'security.nocertdb' I think they are still trying to figure out how to achieve disabling only the certdb without also breaking every other db. Until we have a hardened, chances are they improve it at least slightly. 'restore default settings button' - i didn't dare click on it tbh. only want to see what exactly it does and if it can be blocked. purely out of interest. I can hide/disable the button with custom css on my own machine, but I wanna see if there's a pref for that. (fe. for company environment or so) @Atavic those are all the RC4 ciphers and they were removed recently from FF anyway. |
Where would it come in the prefered order if enabled? - after 10 and before the 2 static-rsa ones
[Edit: removed OT] |
Huh? There's so much going on here :) Here's the reason to (slowly) move away from 128-bit key sizes: |
Thanks Pants, good stuff. @pyllyukko well, the 1st site gives me a SEC_ERROR_UNKNOWN_ISSUER and the 2nd one, oh boy the 2nd one.... well let's just say it's slightly over my head (lol, what an understatement). Imagine what such a machine could do in those 92 seconds other than brute-forcing my encrypted data! All that aside, that's not really the point here. Why do we disable 2 of the 10 modern ciphers because of a theoretical future possibility but at the same time allow 2 older ciphers for compatibility reasons, with one of them also using AES128, and both being arguably weaker than the 2 modern ones? |
Oh, and there's also a theory that says that AES128 is potentially more secure than AES256. |
1214: won't be removed completely. But whatever we end up doing with it, we should agree on something and then use it both here and @pyllyukko user.js. That way we will at least increase "our little group" slightly. (re: cipher fingerprint) 1209: is already set to 4 in https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/security-prefs.js#6 so I think this will be default in FF52, idk. It can break sites on servers that haven't updated their openssl or whatnot, hence I think we should wait for FF52, at least. Users can enable it already if they want. |
from Atavic's first link:
therefore I'd advocate for 1214 to be commented out, because they are 2 of the 10 modern ciphers |
Unfortunately the security-prefs.js also still has the following prefs, so cipher FP will remain a slight problem for us, for now.
What if we regroup parts of that section, and add a note that changing the default values for them can be fingerprinted? for example:
|
FYI: It restores/clears/resets all user-set prefs for https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#2991 |
It does the same as reset on any about:config entry. You can right-click on an about:config entry and there's reset option in the GUI list. |
commented out as per proposal (C) @ #24 (comment)
proposals
original post
I looked at our current settings and I want to share some of my observations.
https://badssl.com/
https://www.howsmyssl.com/
https://wiki.mozilla.org/Security/Server_Side_TLS
https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
https://dh2048.badssl.com/ => we break dh2048 due to
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
The eff article explicitly names that pref and recommends to disable it even though it talks about 1024-bit primes being presumably broken by the NSA, and that pref uses a 2048-bit prime.
There's also this sentence from the mozilla wiki for "Modern compatibility":
It doesn't say it's easy to break only that it's slow. Do we assume the NSA can also break DHE with a 2048-bit prime, or should we comment out that pref for less breakage (and recommend it only for the paranoid?) - because according to badssl.com dh2048 is still secure.
If we keep it, we may want to rename 1210 to 'disable DHE (Diffie-Hellman Key Exchange)' and remove the 1024 bit part.
'Modern compatibility' ciphers and the matching pref:
Interestingly Firefox sends them in a different order (see howsmyssl.com).
Instead of 1-8 its 5,6,3,4,1,2,7,8
When 9+10 are enabled the order is 5,6,3,4,1,2,7,9,8,10
(+
TLS_RSA_WITH_AES_128_CBC_SHA
andTLS_RSA_WITH_AES_256_CBC_SHA
at the end [11+12], for the 2 remaining ones that we still allow)The Rationales explain some of it:
In Modern compatibility:
AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES.
While in Intermediate compatibility (default):
ChaCha20 is prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.
Well, anyhow, there's nothing we can do about it anyway.
Apart from the 10 modern ciphers (2 of which we have disabled) we only support 2 older ones:
security.ssl3.rsa_aes_128_sha
andsecurity.ssl3.rsa_aes_256_sha
, which is whystatic-rsa
(https://static-rsa.badssl.com/) still works, but it's listed with an!
and not a red warning sign.The only other thing that I really don't like is that https://incomplete-chain.badssl.com/ still works.
But maybe this can be fixed if
security.nocertdb
is set to true; I haven't tested this because I really don't like the current implementation behind that pref.IMO we should remove 1214, because the 128bit in AES is not the problem, 5+6 have them also.
And the 2 prefs in 1214 are part of the 10 modern ciphers.
Perhaps we were a bit overeager when we added 1214, without really understanding it. (?)
The text was updated successfully, but these errors were encountered: