27

HowTo: Get your browser more crypt secure

asked 2014-02-25 22:16:05 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2014-07-23 11:07:39 +0200

jiit
  • Test your browser with http://howsmyssl.com

  • Create the file ~/.mozilla/mozembed/user.js if it does not already exist and insert:

    // Disable the RC4 cipher suites
    user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
    user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
    user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
    user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
    user_pref("security.ssl3.rsa_rc4_128_md5", false);
    user_pref("security.ssl3.rsa_rc4_128_sha", false);
    // Disable the FIPS 3DES suite
    user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
    // Protocol range: 1 = TLS 1.0 (minimum), 3 = TLS 1.2 (maximum)
    user_pref("security.tls.version.min", 1);
    user_pref("security.tls.version.max", 3);

  • Test your browser again with https://howsmyssl.com


Comments

2

Hey, just to be fair: If the web server does only rc4 these settings will fail. But think about using ssl servers which use real time crackable crypto...

cy8aer ( 2014-02-25 22:45:12 +0200 )

I wouldn't disable RC4 completely as a lot of sites still rely on it, and if you disable it completely these sites will fail to load.

The only rc4 suite I would disable is "ssl3.rsa_rc4_128_md5" as I don't think there is any site out there relying only on this suite. Usually they at least support the slightly more secure "ssl3.rsa_rc4_128_sha" suite which is left enabled and these sites will still work.

You also recommend disabling SSL3 and this will also cripple support for many sites.

vasavr ( 2014-03-15 13:51:08 +0200 )

2 Answers

16

answered 2014-02-26 11:00:59 +0200

veskuh

Thanks for this how-to. We are working on updating the gecko engine to version 29, which brings TLS 1.2 and clearly improves the rating at the mentioned site.


Comments

@jollateam: great effort to hold the gecko engine up to date. Thank you

cy8aer ( 2014-02-26 12:13:16 +0200 )
3

What about other TLS/SSL using software such as email, Exchange connector, XMPP, Jolla updates etc.? Are or will their settings be checked to this commercially viable update coming in the beginning of March?

Karri Huhtanen ( 2014-02-26 13:23:58 +0200 )
9

answered 2016-06-11 14:05:05 +0200

tux_in_iE

updated 2017-09-01 21:43:29 +0200

Updating this for SF2.0...

On 2.0.1.11 I went from "Bad" to "Probably OK" with the following user.js :

    user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
    user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
    user_pref("security.ssl3.rsa_rc4_128_md5", false);
    user_pref("security.ssl3.rsa_rc4_128_sha", false);
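
An added example, not part of the original posts or of Jolla's code: a small checker that parses a user.js like the ones above and reports which of the suite prefs named on this page are not explicitly set to false, and whether the file sets a TLS minimum. The function names and the sample file are constructed for illustration.

```python
import re

# Suite prefs named in the posts on this page (six RC4, one 3DES).
WEAK_SUITE_PREFS = [
    "security.ssl3.ecdh_ecdsa_rc4_128_sha",
    "security.ssl3.ecdh_rsa_rc4_128_sha",
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
    "security.ssl3.rsa_fips_des_ede3_sha",
]
PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;')
# Match string literals first so "//" inside a value is not taken for a comment.
STRING_OR_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*', re.S)

# Constructed sample: the SF2.0 answer's prefs with one line commented out.
SAMPLE = '''
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
// user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
'''

def parse_user_js(text):
    """Return {pref_name: value}; a later entry for the same name wins."""
    text = STRING_OR_COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(prefs):
    """List weak suites not explicitly disabled, and a missing TLS floor."""
    findings = []
    for name in WEAK_SUITE_PREFS:
        if prefs.get(name) is not False:
            state = repr(prefs[name]) if name in prefs else "not set, browser default applies"
            findings.append(f"{name}: {state}")
    tls_min = prefs.get("security.tls.version.min")
    if type(tls_min) is not int or tls_min < 1:  # 0 = SSL 3.0, 1 = TLS 1.0
        findings.append("security.tls.version.min: SSL 3.0 not excluded by this file")
    return findings

if __name__ == "__main__":
    for line in audit(parse_user_js(SAMPLE)):
        print(line)
```

A finding of "not set" only means the file does not pin the pref; whether the suite is actually offered depends on the engine's built-in default, which is what the howsmyssl.com test shows.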

Stats

Asked: 2014-02-25 22:16:05 +0200

Seen: 1,374 times

Last updated: Sep 01 '17