
GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

2 edits

1 recommendation

GuruGuy

Premium Member

SSL 3.0 vulnerability and Firefox

»addons.mozilla.org/en-US ··· control/

Add-on to disable SSL 3.0 from Firefox.

Updated FF version to be released in Nov per blog ( »blog.mozilla.org/securit ··· ssl-3-0/ ) "SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25"

Alternative FF workaround stated by Chubbzie four posts below which does the same thing without installing the add-on.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Well that won't install on Fx24.8 ESR but I assume it will install on Fx 31.2 ESR (which should be pushed soon via internal update)?

It also won't install on Pale Moon 25.

Mozilla says:

"Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.

As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV. If this is supported by the server, it prevents attacks that rely on insecure fallback."

So, almost ALL websites are vulnerable to the attack that can trick a browser into connecting with SSLv3...all due to IE6 still being supported. You can use Qualys and see that even sites rated A - banking sites such as Chase are vulnerable as their servers support SSLv3. I hope this gets patched in Pale Moon.

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy

Premium Member

Why will it not install on Fx 24.8? Is the add-on not supported?

The other thread in the security forum: »Microsoft Security Advisory Notification Issued: October 14, 2014 links to the article that has the workaround for IE. Basically you go into settings and disable the SSL 3. I agree that a lot of websites are going to have some issues.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 edit

Mele20

Premium Member

Opera 12.17
Addons site says "not available for Fx24.8 or Fx24.9". It thinks Fx 24.9 is Pale Moon 25 ...it doesn't recognize the current Pale Moon. It could be a minor fix...maybe the install.rdf file needs to be "adjusted" to say Fx24 as minimum version rather than whatever it says which is likely Fx31 since that is the new ESR version so surely the addon will install on it. I've been really busy (haven't done the security patches yet on Win 8 - did do them on Win 10 preview tonight- but I will try to find time to download the patch to disk using IE and see if the problem is an easy fix or not).

Thanks for the tip on the IE workaround...I noticed that thread but hadn't read it yet. I keep thinking about Opera and how magnificent it was (before ver 15) regarding Security Protocols and how easy in Opera12 and below to turn off SSLv3...I've had it off there for ages. Mozilla hides all this from users and Pale Moon was so tied to Fx code until the new ver 25 that it hides this also.

There are a number of brand new posts on the Fx ESR list serve about this asking that Mozilla port the fix to the current ESR version 31.2. I posted the link to the addon which I am assuming will install on Fx31 ESR. A couple of posts mentioned how to turn off SSLv3 in about:config but I haven't looked there yet. That would be the best way for Fx 24x ESR and Pale Moon 25.

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

4 recommendations

Chubbzie

Member

Have you tried this:

In Firefox you can go into about:config and set security.tls.version.min to 1, which will disable its ability to communicate over SSLv3.

Information garnered from POODLE attacks on SSLv3.

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

GuruGuy

Premium Member

I'm not sure that would work. Aren't you really just saying that the minimum TLS that I'll accept is 1.0? Not really keeping it from having a minimum SSL or falling back to SSL.

edit: I'm guessing that does work. I used the Mozilla add-on and it appears that the add-on did change that exact value to a "1".
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Yeah, I think that was what one of the replies to the ESR listserve said to do.

Before I saw this, just now I downloaded the addon using Opera and opened the install.rdf file in WinRAR. It was what I suspected. Mozilla has the minimum version as Fx26. So, I edited it to Fx 24 and it installed immediately on Fx 24 ESR. I dropped it on Pale Moon 25 and it installed there and works there also. So, either solution works.

chachazz
Premium Member
join:2003-12-14

chachazz to GuruGuy

Premium Member

to GuruGuy
This POODLE bites: exploiting the SSL 3.0 fallback
»googleonlinesecurity.blo ··· t.co.uk/

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere to Mele20

Premium Member

to Mele20
 
Is this as serious a security issue as the recent one which PM devs avoided fixing until version 25, when almost all other browser devs had fixed it right away ?

What have the other browser devs been doing about this one so far ?
evoxllx
join:2007-06-07
Winter Park, FL

evoxllx to Mele20

Member

to Mele20
said by Mele20:

all due to IE6 still being supported

Finally, IE6 will be virtually unusable once servers start dropping support for SSLv3. The near future requirement of SHA-2 certificates will further help with this.
said by Mele20:

Thanks for the tip on the IE workaround...I noticed that thread but hadn't read it yet. I keep thinking about Opera and how magnificent it was (before ver 15) regarding Security Protocols and how easy in Opera12 and below to turn off SSLv3...I've had it off there for ages. Mozilla hides all this from users and Pale Moon was so tied to Fx code until the new ver 25 that it hides this also.

Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Geesh...I didn't know that. Why couldn't Mozilla have simply put one sentence in the GUI that said SSL was the older version instead of just banishing the options from the GUI? But Fx never did have the fabulous, easy to use abilities to decide what ciphers you will allow the browser to accept that Opera12x and below had. I wouldn't expect average users to know how to choose which ciphers to allow but a simple sentence in Fx GUI to point them away from disabling TLS 1.0 that would have been easy and kept the ease of disabling there in the GUI.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere to evoxllx

Premium Member

to evoxllx
said by evoxllx:

....Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.

 
Yes, that IS silly numbering !

StuartMW
Premium Member
join:2000-08-06

StuartMW to GuruGuy

Premium Member

to GuruGuy
SSL 3.0 is now disabled in all browsers on all OS'es
Bobby_Peru
Premium Member
join:2003-06-16

1 edit

Bobby_Peru to Mele20

Premium Member

to Mele20
The extension "checkCompatibility" (v 1.3) »addons.mozilla.org/en-US ··· ibility/ seems to work in PM 25x (W7P).

Used PM 25's internal update Checker for 25.01 (which, when set to "Never Check for Updates", resulted in 1) the Check For Updates button then indicating 25.01 Update Available 2) Next yielded the "More Info", Ask Later, Get Now... dialogues..).

»addons.mozilla.org/en-US ··· control/ threw the not-for-you warning, but did allow for overriding, and it installed from there.

In limited testing (W7P), PM 25.x is working quite well, albeit with only 20 of many more extensions installed, so far.

[EDIT: Clarified and added link for checkCompatibility]
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

What do you mean "checkCompatibility"? for what?
evoxllx
join:2007-06-07
Winter Park, FL

evoxllx to Mele20

Member

to Mele20
said by Mele20:

Geesh...I didn't know that. Why couldn't Mozilla have simply put one sentence in the GUI that said SSL was the older version instead of just banishing the options from the GUI? But Fx never did have the fabulous, easy to use abilities to decide what ciphers you will allow the browser to accept that Opera12x and below had. I wouldn't expect average users to know how to choose which ciphers to allow but a simple sentence in Fx GUI to point them away from disabling TLS 1.0 that would have been easy and kept the ease of disabling there in the GUI.

There was actually a fairly long discussion/debate in the Chrome and Mozilla bug tracker on what to do, and there were suggestions similar to yours. Ultimately, Chrome and Mozilla decided to go with removing it completely from the GUI, since they feel most of their user base doesn't have enough understanding on the subject to make the right decisions.
said by Davesnothere:

said by evoxllx:

....Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.

 
Yes, that IS silly numbering !

Microsoft is to blame for the name change, it was done for entirely political purposes.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere

Premium Member

said by evoxllx:

said by Davesnothere:

said by evoxllx:

....Firefox/Chrome only got rid of those options in the GUI because a non-trivial number of users kept disabling TLS 1.0, probably thinking SSLv3 was newer (due to the larger number) and a general lack of understanding.

 
Yes, that IS silly numbering !

 
Microsoft is to blame for the name change - it was done for entirely political purposes.

 
Ah yessss....

Micro-Windows10-soft
Bobby_Peru
Premium Member
join:2003-06-16

2 edits

2 recommendations

Bobby_Peru to Mele20

Premium Member

to Mele20
The extension "checkCompatibility" (v 1.3): »addons.mozilla.org/en-US ··· ibility/. Disables compatibility checking, or at least disables "compatibility" failure from preventing installation and use, in many cases. (I am pretty sure that this used to be selectable OoTB, but was deleted some time ago by MoFo.) Of course, if the extension really is incompatible, it will not work, to varying degrees. The name seems to have been changed.

"About this Add-on
While it used to be possible to disable add-on compatibility checking entirely, by setting the extensions.checkCompatibility preference to false, it is now necessary to set a different preference for each new application version. This add-on re-enables the functionality of extensions.checkCompatibility irrespective of the current application version and disables checking by default. Checking can be re-enabled by disabling the add-on (which can be done without a restart) or by toggling the preference."
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to GuruGuy

Premium Member

to GuruGuy
from the "SSL Version Control" addon page:

"In the meantime, you can use this extension to turn off SSLv3 in your copy of Firefox. When you install the add-on, it will set the minimum TLS version to TLS 1.0 (disabling SSLv3)"

»addons.mozilla.org/en-US ··· control/
---------------------------------

duh.. if that is all it does, i don't need an "addon" for that..
Bobby_Peru
Premium Member
join:2003-06-16

Bobby_Peru to Mele20

Premium Member

to Mele20

PM Commander has SSL Settings

I forgot that PM Commander »www.palemoon.org/commander.shtml already has these settings available under Security --> SSL.

GuruGuy
Premium Member
join:2002-12-16
Atlanta, GA

1 edit

GuruGuy to redwolfe_98

Premium Member

to redwolfe_98


As I stated in the original post...I agree. I removed all the add-ons I had installed and went the about:config route.
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to GuruGuy

Member

to GuruGuy

I think this is all scare tactics to try and scare ppl off of older browsers THAT CANT BE USED TO SPY ON PEOPLE!! (Ya cant say im wrong -- We dont know but it may be a possible agenda)

planet
join:2001-11-05
Oz

planet to Chubbzie

Member

to Chubbzie


said by Chubbzie:

about:config and set security.tls.version.min to 1

Thanks for that Chubbzie

StuartMW
Premium Member
join:2000-08-06

1 edit

StuartMW to 19579823

Premium Member

to 19579823



IE6 Advanced Options

IE6 supports TLS 1.0 19579823
19579823 (banned)
An Awesome Dude
join:2003-08-04

19579823 (banned) to GuruGuy

Member

to GuruGuy
Ya STU I just checked my IE6 settings and 'USE SSL 3.0' IS NOT CHECKED!!

I looked into it and it says 3.0 is more secure than the other 2!!

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird

Premium Member

What says "3.0 is more secure than the other 2"? If I read this thread and the references herein, I get the opposite understanding with respect to the current issue.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to GuruGuy

Premium Member

to GuruGuy


in microsoft's advisory, it says to disable "SSL 3", in IE, and to enable "TLS 1.0", "TLS 1.1" and "TLS 1.2".. of course those of us who still use IE 6 can only use "TLS 1.0"..

it also says "this vulnerability is not considered high risk to customers"

»technet.microsoft.com/en ··· /3009008

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to GuruGuy

Premium Member

to GuruGuy
You can check your browser at »www.poodletest.com/ (site requires JavaScript). I found two of my several browsers that were vulnerable (Qupzilla, which hadn't been updated for a few weeks, and Firefox which needed the add-on patch)... the others all seem to be good to go.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to GuruGuy

Premium Member

to GuruGuy
i saw it mentioned that you have to adjust settings for "java", too..
jupitermoon
join:2011-09-27

jupitermoon to GuruGuy

Member

to GuruGuy
Here's an article detailing how to disable support for SSLv3 in Firefox, Chrome and IE:

»zmap.io/sslv3/browsers.html

I changed security.tls.version.min = 1 in about:config in Firefox 24.8.1 ESR, Firefox 28.0 and Firefox 33.0 and tested at the SSLv3 Poodle Attack Check website. Not vulnerable!

I unchecked Use SSL 3.0 in Tools, Options, Advanced, Encryption in Firefox 3.6.28, Firefox 10.0.12 ESR and Firefox 17.0.11 ESR and tested at the same website. Not vulnerable!

Now we'll see if I run into any problems.

Then I'll move on to Thunderbird. The older versions of Thunderbird that I use don't seem to have a Use SSL 3.0 checkbox in Tools, Options, so this will have to be done in about:config.
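
Added example, not part of the original thread or any poster's code: a Python check of what the about:config change discussed above leaves on disk, reading a profile's prefs.js and user.js for security.tls.version.min and reporting whether SSL 3.0 is still allowed. The function names, the sample file contents and the default_min parameter are assumptions made for illustration.

```python
import re

# security.tls.version.min values: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2
VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(\d+)\s*\)\s*;')

# Constructed sample profile contents (not taken from any real profile).
SAMPLE_PREFS_UNSET = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_PREFS_FIXED = ('user_pref("browser.startup.page", 3);\n'
                      'user_pref("security.tls.version.min", 1);\n')
SAMPLE_USER_JS_REVERT = ('// user_pref("security.tls.version.min", 2);\n'
                         'user_pref("security.tls.version.min", 0);\n')


def read_min_version(text):
    """Return the last security.tls.version.min set in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        match = PREF_RE.match(line)  # lines commented out with // do not match
        if match:
            value = int(match.group(1))
    return value


def audit_profile(prefs_js, user_js="", default_min=0):
    """Work out the effective minimum protocol version for one profile.

    user.js is applied on top of prefs.js at startup, so it wins when both set
    the pref. default_min is an assumption supplied by the caller: 0 for
    builds that still ship with SSL 3.0 enabled by default.
    """
    effective, source = default_min, "default"
    for name, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        found = read_min_version(text)
        if found is not None:
            effective, source = found, name
    return {"min": effective,
            "name": VERSION_NAMES.get(effective, "unknown"),
            "source": source,
            "sslv3_allowed": effective == 0}


if __name__ == "__main__":
    for label, prefs, user in (("unset", SAMPLE_PREFS_UNSET, ""),
                               ("fixed", SAMPLE_PREFS_FIXED, ""),
                               ("reverted", SAMPLE_PREFS_FIXED, SAMPLE_USER_JS_REVERT)):
        print(label, audit_profile(prefs, user))
```

The third sample shows the case worth checking for after a fix: a leftover user.js line that sets the value back to 0 on every start.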