GuruGuy Premium Member join:2002-12-16 Atlanta, GA 2 edits
1 recommendation |
GuruGuy
Premium Member
2014-Oct-15 7:11 am
SSL 3.0 vulnerability and Firefox
» addons.mozilla.org/en-US ··· control/
Add-on to disable SSL 3.0 from Firefox. Updated FF version to be released in Nov per blog ( » blog.mozilla.org/securit ··· ssl-3-0/ ): "SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25". Alternative FF workaround stated by Chubbzie four posts below, which does the same thing without installing the add-on. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2014-Oct-15 8:16 am
Well that won't install on Fx24.8 ESR but I assume it will install on Fx 31.2 ESR (which should be pushed soon via internal update)? It also won't install on Pale Moon 25.

Mozilla says: "Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail. As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV. If this is supported by the server, it prevents attacks that rely on insecure fallback."

So, almost ALL websites are vulnerable to the attack that can trick a browser into connecting with SSLv3...all due to IE6 still being supported. You can use Qualys and see that even sites rated A - banking sites such as Chase are vulnerable as their servers support SSLv3. I hope this gets patched in Pale Moon. |
|
|
GuruGuy Premium Member join:2002-12-16 Atlanta, GA |
GuruGuy
Premium Member
2014-Oct-15 8:22 am
Why will it not install on Fx 24.8? Is the add-on not supported? The other thread in the security forum: » Microsoft Security Advisory Notification Issued: October 14, 2014 links to the article that has the workaround for IE. Basically you go into settings and disable the SSL 3. I agree that a lot of websites are going to have some issues. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI 1 edit |
Mele20
Premium Member
2014-Oct-15 8:42 am
Opera 12.17 |
Addons site says "not available for Fx24.8 or Fx24.9". It thinks Fx 24.9 is Pale Moon 25 ...it doesn't recognize the current Pale Moon. It could be a minor fix...maybe the install.rdf file needs to be "adjusted" to say Fx24 as minimum version rather than whatever it says which is likely Fx31 since that is the new ESR version so surely the addon will install on it. I've been really busy (haven't done the security patches yet on Win 8 - did do them on Win 10 preview tonight- but I will try to find time to download the patch to disk using IE and see if the problem is an easy fix or not).

Thanks for the tip on the IE workaround...I noticed that thread but hadn't read it yet. I keep thinking about Opera and how magnificent it was (before ver 15) regarding Security Protocols and how easy in Opera12 and below to turn off SSLv3...I've had it off there for ages. Mozilla hides all this from users and Pale Moon was so tied to Fx code until the new ver 25 that it hides this also.

There are a number of brand new posts on the Fx ESR list serve about this asking that Mozilla port the fix to the current ESR version 31.2. I posted the link to the addon which I am assuming will install on Fx31 ESR. A couple of posts mentioned how to turn off SSLv3 in about:config but I haven't looked there yet. That would be the best way for Fx 24x ESR and Pale Moon 25. |
|
Hitron CDA3 (Software) OpenBSD + pf
4 recommendations |
Have you tried this: In Firefox you can go into about:config and set security.tls.version.min to 1, which will disable its ability to communicate over SSLv3. Information garnered from POODLE attacks on SSLv3. |
|
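An added example, not part of any post in this thread: a Python check of a Firefox profile's prefs.js and user.js text for the security.tls.version.min setting discussed above. The function names, the sample file contents and the default of 0 (assumed for Firefox before 34, where SSLv3 was still enabled) are assumptions of this example.

```python
import re

# security.tls.version.min values and the protocol floor each one selects.
VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
PREF = "security.tls.version.min"

# One user_pref("name", value); statement per line; // comment lines do not match.
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def read_int_pref(text, name):
    """Return the last integer assigned to `name` in a prefs file, else None."""
    found = None
    for pref_name, raw in PREF_RE.findall(text):
        if pref_name == name:
            try:
                found = int(raw)
            except ValueError:
                found = None  # wrong type for this pref; treated as unset here
    return found

def audit_profile(prefs_js, user_js="", default_min=0):
    """Report the effective floor; user.js is read after prefs.js, so it wins.
    default_min=0 is this example's assumption for Firefox before 34."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_int_pref(text, PREF)
        if value is not None:
            break
    else:
        source, value = "built-in default", default_min
    return {"source": source, "min": value,
            "protocol": VERSION_NAMES.get(value, "unknown"),
            "sslv3_allowed": value < 1}

# Constructed sample profile contents (not taken from the thread).
SAMPLE_FIXED = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 1);
'''
SAMPLE_UNSET = '''user_pref("browser.startup.homepage", "about:blank");
// user_pref("security.tls.version.min", 1);
'''

if __name__ == "__main__":
    for label, text in (("fixed", SAMPLE_FIXED), ("unset", SAMPLE_UNSET)):
        print(label, audit_profile(text))
```

A profile that never touched the preference has no line for it in prefs.js, so the result depends on the browser's built-in default; pass `default_min` for the version being audited.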
GuruGuy Premium Member join:2002-12-16 Atlanta, GA |
GuruGuy
Premium Member
2014-Oct-15 9:04 am
I'm not sure that would work. Aren't you really just saying that the minimum TLS that I'll accept is 1.0? Not really keeping it from having a minimum SSL or falling back to SSL.
edit: I'm guessing that does work. I used the Mozilla add-on and it appears that the add-on did change that exact value to a "1". |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2014-Oct-15 10:00 am
Yeah, I think that was what one of the replies to the ESR listserve said to do.
Before I saw this, just now I downloaded the addon using Opera and opened the install.rdf file in WinRAR. It was what I suspected. Mozilla has the minimum version as Fx26. So, I edited it to Fx 24 and it installed immediately on Fx 24 ESR. I dropped it on Pale Moon 25 and it installed there and works there also. So, either solution works. |
|
|
to GuruGuy
This POODLE bites: exploiting the SSL 3.0 fallback » googleonlinesecurity.blo ··· t.co.uk/ |
|
DavesnothereChange is NOT Necessarily Progress Premium Member join:2009-06-15 Canada |
to Mele20
Is this as serious a security issue as the recent one which PM devs avoided fixing until version 25, when almost all other browser devs had fixed it right away ?
What have the other browser devs been doing about this one so far ? |
|
evoxllx join:2007-06-07 Winter Park, FL |
to Mele20
said by Mele20:
all due to IE6 still being supported

Finally, IE6 will be virtually unusable once servers start dropping support for SSLv3. The near future requirement of SHA-2 certificates will further help with this.

said by Mele20:
Thanks for the tip on the IE workaround...I noticed that thread but hadn't read it yet. I keep thinking about Opera and how magnificent it was (before ver 15) regarding Security Protocols and how easy in Opera12 and below to turn off SSLv3...I've had it off there for ages. Mozilla hides all this from users and Pale Moon was so tied to Fx code until the new ver 25 that it hides this also.

Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2014-Oct-15 10:45 am
Geesh...I didn't know that. Why couldn't Mozilla have simply put one sentence in the GUI that said SSL was the older version instead of just banishing the options from the GUI. But Fx never did have the fabulous, easy to use abilities to decide what ciphers you will allow the browser to accept that Opera12x and below had. I wouldn't expect average users to know how to choose which ciphers to allow but a simple sentence in Fx GUI to point them away from disabling TLS 1.0 that would have been easy and kept the ease of disabling there in the GUI. |
|
DavesnothereChange is NOT Necessarily Progress Premium Member join:2009-06-15 Canada |
to evoxllx
said by evoxllx:
....Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.

Yes, that IS silly numbering ! |
|
|
to GuruGuy
SSL 3.0 is now disabled in all browsers on all OS'es |
|
1 edit |
to Mele20
The extension "checkCompatibility" (v 1.3) » addons.mozilla.org/en-US ··· ibility/ seems to work in PM 25x (W7P). Used PM 25's internal update Checker for 25.01 (which, when set to "Never Check for Updates", resulted in 1) the Check For Updates button then indicating 25.01 Update Available 2) Next yielded the "More Info", Ask Later, Get Now... dialogues..).

» addons.mozilla.org/en-US ··· control/ threw the not-for-you warning, but did allow for overriding, and it installed from there.

In limited testing (W7P), PM 25.x is working quite well, albeit with only 20 of many more extensions installed, so far.

[EDIT: Clarified and added link for checkCompatibility] |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2014-Oct-15 10:58 am
What do you mean "checkCompatibility"? for what? |
|
evoxllx join:2007-06-07 Winter Park, FL |
to Mele20
said by Mele20:
Geesh...I didn't know that. Why couldn't Mozilla have simply put one sentence in the GUI that said SSL was the older version instead of just banishing the options from the GUI. But Fx never did have the fabulous, easy to use abilities to decide what ciphers you will allow the browser to accept that Opera12x and below had. I wouldn't expect average users to know how to choose which ciphers to allow but a simple sentence in Fx GUI to point them away from disabling TLS 1.0 that would have been easy and kept the ease of disabling there in the GUI.

There was actually a fairly long discussion/debate in the Chrome and Mozilla bug tracker on what to do, and there were suggestions similar to yours. Ultimately, Chrome and Mozilla decided to go with removing it completely from the GUI, since they feel most of their user base doesn't have enough understanding on the subject to make the right decisions.

said by Davesnothere:
said by evoxllx:
....Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.
Yes, that IS silly numbering !

Microsoft is to blame for the name change, it was done for entirely political purposes. |
|
DavesnothereChange is NOT Necessarily Progress Premium Member join:2009-06-15 Canada |
said by evoxllx:
said by Davesnothere:
said by evoxllx:
....Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.
Yes, that IS silly numbering !
Microsoft is to blame for the name change - it was done for entirely political purposes.

Ah yessss.... Micro-Windows10-soft |
|
2 edits
2 recommendations |
to Mele20
The extension "checkCompatibility" (v 1.3) : » addons.mozilla.org/en-US ··· ibility/ . Disables compatibility checking, or at least disables "compatibility" failure from preventing installation and use, in many cases. (I am pretty sure that this used to be selectable OoTB, but was deleted sometime ago by MoFo.) Of course, if the extension really is incompatible, it will not work, to varying degrees. The name seems to have been changed.

"About this Add-on
While it used to be possible to disable add-on compatibility checking entirely, by setting the extensions.checkCompatibility preference to false, it is now necessary to set a different preference for each new application version. This add-on re-enables the functionality of extensions.checkCompatibility irrespective of the current application version and disables checking by default. Checking can be re-enabled by disabling the add-on (which can be done without a restart) or by toggling the preference." |
|
|
to GuruGuy
from the "SSL Version Control" addon page: "In the meantime, you can use this extension to turn off SSLv3 in your copy of Firefox. When you install the add-on, it will set the minimum TLS version to TLS 1.0 (disabling SSLv3)" » addons.mozilla.org/en-US ··· control/
---------------------------------
duh.. if that is all it does, i don't need an "addon" for that.. |
|
|
to Mele20
PM Commander has SSL Settings
I forgot that PM Commander » www.palemoon.org/commander.shtml already has these settings available under Security --> SSL. |
|
GuruGuy Premium Member join:2002-12-16 Atlanta, GA 1 edit |
to redwolfe_98
Re: SSL 3.0 vulnerability and Firefox
As I stated in the original post...I agree. I removed all the add-ons I had installed and went the about:config route |
|
19579823 (banned)An Awesome Dude join:2003-08-04 |
to GuruGuy
I think this is all scare tactics to try and scare ppl off of older browsers THAT CANT BE USED TO SPY ON PEOPLE!! (Ya cant say im wrong -- We dont know but it may be a possible agenda) |
|
|
to Chubbzie
Re: SSL 3.0 vulnerability and Firefox
said by Chubbzie:
about:config and set security.tls.version.min to 1

Thanks for that Chubbzie |
|
1 edit |
to 19579823
Re: |
|
19579823 (banned)An Awesome Dude join:2003-08-04 |
to GuruGuy
Ya STU I just checked my IE6 settings and 'USE SSL 3.0' IS NOT CHECKED!!
I looked into it and it says 3.0 is more secure than the other 2!! |
|
BlackbirdBuilt for Speed Premium Member join:2005-01-14 Fort Wayne, IN |
What says "3.0 is more secure than the other 2"? If I read this thread and the references herein, I get the opposite understanding with respect to the current issue. |
|
|
to GuruGuy
Re: SSL 3.0 vulnerability and Firefox
in microsoft's advisory, it says to disable "SSL 3", in IE, and to enable "TLS 1.0", "TLS 1.1" and "TLS 1.2".. of course those of us who still use IE 6 can only use "TLS 1.0".. it also says "this vulnerability is not considered high risk to customers" » technet.microsoft.com/en ··· /3009008 |
|
BlackbirdBuilt for Speed Premium Member join:2005-01-14 Fort Wayne, IN |
to GuruGuy
You can check your browser at » www.poodletest.com/ (site requires JavaScript). I found two of my several browsers that were vulnerable (Qupzilla, which hadn't been updated for a few weeks, and Firefox which needed the add-on patch)... the others all seem to be good to go. |
|
|
to GuruGuy
i saw it mentioned that you have to adjust settings for "java", too.. |
|
|
to GuruGuy
Here's an article detailing how to disable support for SSLv3 in Firefox, Chrome and IE: » zmap.io/sslv3/browsers.html

I changed security.tls.version.min = 1 in about:config in Firefox 24.8.1 ESR, Firefox 28.0 and Firefox 33.0 and tested at the SSLv3 Poodle Attack Check website. Not vulnerable!

I unchecked Use SSL 3.0 in Tools, Options, Advanced, Encryption in Firefox 3.6.28, Firefox 10.0.12 ESR and Firefox 17.0.11 ESR and tested at the same website. Not vulnerable!

Now we'll see if I run into any problems. Then I'll move on to Thunderbird. The older versions of Thunderbird that I use don't seem to have a Use SSL 3.0 checkbox in Tools, Options, so this will have to be done in about:config. |
|