Logjam browser fix breaks Trisquel's website

10 réponses [Dernière contribution]
pizzaiolo
Hors ligne
A rejoint: 03/12/2015

Check here: https://weakdh.org

If you are vulnerable to Logjam, then this workaround for Firefox is being suggested:

call: about:config

search for:

security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

Deactivate them all. Set them to false.

Then do the check once more: https://weakdh.org

However, after doing that, the Trisquel website becomes unreachable. Is there something that can be done about it?

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

I've changed all of them the day I've read about it (although, reading about this, if I understand correctly this affects servers, not clients).
However I left those entries disabled for the sake of mental ease..
Trisquel and all other sites I visit daily have been working great. Mind that I use Iceweasel 31.7.0

pizzaiolo
Hors ligne
A rejoint: 03/12/2015

I'm using Abrowser. Maybe Iceweasel has already been updated with a fix?

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

Don't think so.. I suspect some other config combined with those negatives you listed is responsible for the Trisquel site fail. :(

Geshmy
Hors ligne
A rejoint: 04/23/2015

Thank you, pizzaiolo, for pointing that out, seems like we could have a separate Security area.

For me, in Belenos, in my about:config for aBrowser I could only find these two of the three parameters you mention, and I toggled the two to false and went back to https://weakdh.org and got a clean bill of 'logjam health.' :)

security.ssl3.dhe_rsa_aes_128_sha;false
security.ssl3.dhe_rsa_aes_256_sha;false

But after a reboot I tried to come to trisquel site again and got this message from aBrowser:

"An error occurred during a connection to trisquel.info. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"

So I retoggled rsa aes 256 sha
security.ssl3.dhe_rsa_aes_256_sha;true

Then I fail the https://weakdh.org/ test again but can get to Trisquel.

So Trisquel site is vulnerable? Guess I should consider using iceweasel.

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

Geshmy - Well, I guess Iceweasel is no more "secure" than Abrowser. By default I would say Icecat is the best broz out there. I don't think Trisquel site is vulnerable. It is a complicated matter. You shouldn't just change your browser because of that..
Maybe try asking in IRC?

Legimet
Hors ligne
A rejoint: 12/10/2013

For me (Belenos, Abrowser 37.0.2) it says that I'm safe. I didnt change anything in about:config.

Mampir
Hors ligne
A rejoint: 12/16/2009

For a more reliable test you can use https://dhe512.zmap.io/ . If the page doesn't load, then you are safe. Abrowser will give a "Secure Connection Failed" message when you aren't using the vulnerable algorithms. Otherwise you'll see the message "If you can view this page, your browser is vulnerable to the LogJam attack.".

Also, you may have to restart your browser when you change the configuration.

https://weakdh.org/ relies on you not blocking stuff, like 3th party requests. The test works by trying to load https://dhe512.zmap.io/ using JavaScript, a page which requires the vulnerable algorithms. When it fails to load, the JavaScript reports that you are safe.

SuperTramp83

I am a translator!

Hors ligne
A rejoint: 10/31/2014

The server rejected the handshake because the client downgraded to a lower TLS version than the server supports.

(Error code: ssl_error_inappropriate_fallback_alert)

nice link!

pizzaiolo
Hors ligne
A rejoint: 03/12/2015

I may not be the only one suffering with this.

An issue was created for this by someone else: https://trisquel.info/en/issues/14356

David_Hedlund
Hors ligne
A rejoint: 03/30/2013

Disable DHE disables ephemeral Diffie-Hellman cipher suites that are vulnerable to the logjam attack: https://addons.mozilla.org/en-US/firefox/addon/disable-dhe/?src=search

I have suggested to Rubén Rodríguez who maintains GNU IceCat, to consider to implement this add-on in GNU IceCat 31.8.0.