32

HowTo: Get your browser more crypt secure

asked 2014-02-25 22:16:05 +0300


updated 2019-04-07 01:51:41 +0300

Leon

Test your browser with http://howsmyssl.com

Create the file ~/.mozilla/mozembed/user.js if it does not already exist and insert:

// Disable the RC4 cipher suites
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
// Disable the FIPS 3DES cipher suite
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
// Allow only TLS 1.2 (in Gecko's numbering, 3 = TLS 1.2)
user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 3);

Test your browser again with https://howsmyssl.com


Comments

2

Hey, just to be fair: If the web server does only rc4 these settings will fail. But think about using ssl servers which use real time crackable crypto...

cy8aer (2014-02-25 22:45:12 +0300)

I wouldn't disable RC4 completely as a lot of sites still rely on it, and if you disable it completely these sites will fail to load.

The only RC4 suite I would disable is "ssl3.rsa_rc4_128_md5" as I don't think there is any site out there relying only on this suite. Usually they at least support the slightly more secure "ssl3.rsa_rc4_128_sha" suite which is left enabled and these sites will still work.

You also recommend disabling SSL3 and this will also cripple support for many sites.

vasavr (2014-03-15 13:51:08 +0300)

3 Answers

21

answered 2014-02-26 11:00:59 +0300

veskuh

Thanks for this how-to. We are working on updating the gecko engine to version 29, which brings TLS 1.2 and clearly improves the rating at the mentioned site.


Comments

@jollateam: great effort to hold the gecko engine up to date. Thank you

cy8aer (2014-02-26 12:13:16 +0300)
3

What about other TLS/SSL using software such as email, Exchange connector, XMPP, Jolla updates etc.? Are or will their settings be checked to this commercially viable update coming in the beginning of March?

Karri Huhtanen (2014-02-26 13:23:58 +0300)
11

answered 2019-04-06 00:04:53 +0300

tux_in_iE

Updating for SF3.0...

On 3.0.2.8 (installed after a factory reset) it's "Probably Okay" out of the box. :)

10

answered 2016-06-11 14:05:05 +0300

tux_in_iE

updated 2017-09-01 21:43:29 +0300

Updating this for SF2.0...

On 2.0.1.11 I went from "Bad" to "Probably OK" with the following user.js:

user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
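A way to check a user.js against the settings from the question before reloading the test site, as an added example that is not part of any post above: it reports which of the question's cipher-suite prefs the file does not set to false and whether security.tls.version.min is below 3. The names parse_user_js, audit and WEAK_SUITES and the sample file are constructed for illustration; a pref reported as unset keeps whatever default the engine ships, which the script does not know.

```python
import re

# Prefs the question sets to false (RC4 suites and the FIPS 3DES suite).
WEAK_SUITES = [
    "security.ssl3.ecdh_ecdsa_rc4_128_sha",
    "security.ssl3.ecdh_rsa_rc4_128_sha",
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
    "security.ssl3.rsa_fips_des_ede3_sha",
]
TLS_MIN = "security.tls.version.min"
PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*([^)]*?)\s*\)\s*;')

def parse_user_js(text):
    """Return {pref: value}; handles several user_pref() calls on one line."""
    prefs = {}
    for line in text.splitlines():
        code = line.split("//", 1)[0]  # drop // comments (also cuts string values containing //)
        for name, raw in PREF_RE.findall(code):
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif re.fullmatch(r"-?\d+", raw):
                prefs[name] = int(raw)
            else:
                prefs[name] = raw.strip('"')
    return prefs  # a pref set twice keeps its last value

def audit(text, required_min=3):
    """Return {pref: state} for each pref the file does not pin as the question does."""
    prefs = parse_user_js(text)
    findings = {}
    for name in WEAK_SUITES:
        if prefs.get(name) is not False:
            findings[name] = f"set to {prefs[name]!r}" if name in prefs else "unset"
    tls = prefs.get(TLS_MIN)  # 3 is the value the question uses (TLS 1.2)
    if type(tls) is not int or tls < required_min:
        findings[TLS_MIN] = "unset" if tls is None else f"set to {tls!r}"
    return findings

# Constructed sample, not a file from the page.
SAMPLE = '''\
// constructed sample
user_pref("security.ssl3.rsa_rc4_128_md5", false); user_pref("security.ssl3.rsa_rc4_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", true);
user_pref("security.tls.version.min", 1);
'''
```

Calling audit() on the contents of ~/.mozilla/mozembed/user.js returns an empty dict when every pref from the question is pinned.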
