Logjam browser fix breaks Trisquel's website
- Login o registrati per inviare commenti
Check here: https://weakdh.org
If you are vulnerable to Logjam, then this workaround for Firefox is being suggested:
call: about:config
search for:
security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
Deactivate them all. Set them to false.
Then do the check once more: https://weakdh.org
However, after doing that, the Trisquel website becomes unreachable. Is there something that can be done about it?
I've changed all of them the day I've read about it (although, reading about this, if I understand correctly this affects servers, not clients).
However I left those entries disabled for the sake of mental ease..
Trisquel and all other sites I visit daily have been working great. Mind that I use Iceweasel 31.7.0
I'm using Abrowser. Maybe Iceweasel has already been updated with a fix?
Don't think so.. I suspect some other config combined with those negatives you listed is responsible for the Trisquel site fail. :(
Thank you, pizzaiolo, for pointing that out, seems like we could have a separate Security area.
For me, in Belenos, in my about:config for aBrowser I could only find these two of the three parameters you mention, and I toggled the two to false and went back to https://weakdh.org and got a clean bill of 'logjam health.' :)
security.ssl3.dhe_rsa_aes_128_sha;false
security.ssl3.dhe_rsa_aes_256_sha;false
But after a reboot I tried to come to trisquel site again and got this message from aBrowser:
"An error occurred during a connection to trisquel.info. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"
So I retoggled rsa aes 256 sha
security.ssl3.dhe_rsa_aes_256_sha;true
Then I fail the https://weakdh.org/ test again but can get to Trisquel.
So Trisquel site is vulnerable? Guess I should consider using iceweasel.
Geshmy - Well, I guess Iceweasel is no more "secure" than Abrowser. By default I would say Icecat is the best broz out there. I don't think Trisquel site is vulnerable. It is a complicated matter. You shouldn't just change your browser because of that..
Maybe try asking in IRC?
For me (Belenos, Abrowser 37.0.2) it says that I'm safe. I didnt change anything in about:config.
For a more reliable test you can use https://dhe512.zmap.io/ . If the page doesn't load, then you are safe. Abrowser will give a "Secure Connection Failed" message when you aren't using the vulnerable algorithms. Otherwise you'll see the message "If you can view this page, your browser is vulnerable to the LogJam attack.".
Also, you may have to restart your browser when you change the configuration.
https://weakdh.org/ relies on you not blocking stuff, like 3th party requests. The test works by trying to load https://dhe512.zmap.io/ using JavaScript, a page which requires the vulnerable algorithms. When it fails to load, the JavaScript reports that you are safe.
The server rejected the handshake because the client downgraded to a lower TLS version than the server supports.
(Error code: ssl_error_inappropriate_fallback_alert)
nice link!
I may not be the only one suffering with this.
An issue was created for this by someone else: https://trisquel.info/en/issues/14356
Disable DHE disables ephemeral Diffie-Hellman cipher suites that are vulnerable to the logjam attack: https://addons.mozilla.org/en-US/firefox/addon/disable-dhe/?src=search
I have suggested to Rubén Rodríguez who maintains GNU IceCat, to consider to implement this add-on in GNU IceCat 31.8.0.
- Login o registrati per inviare commenti