TLS1.2 weakness in FireFox browsers

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

TLS1.2 weakness in FireFox browsers

#1 Post by 8Geee »

The path to this goes from looking up Slackware patches (Firefox dated the 20th) to Mozilla to their patches. In particular, the CVE-2017-7843 HIGH security risk found here.

I posted a mitigation for Firefox users here.

As it turns out this is rather serious stuff, as it reads secure-transport information. It is not a fault of TLS1.2, but rather the way FF handles the information. By turning off workers (that have no real reason to access such information) and the indexed database (ditto comment), the attack vector can be quieted. Older versions of FF such as 27 and up have TLS1.2 installed and ARE vulnerable.

I have decided to also put this here after reading the details. If you have Firefox as browser and regularly use TLS1.2 encryption (FF27 and up), IMHO this tweak to about:config is necessary.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: TLS1.2 weakness in FireFox browsers

#2 Post by belham2 »

8Geee wrote: I posted a mitigation for Firefox users here.
Hi 8Geee,

Thanks for this. Also, what do you think about the latest FF versions? Here are some screenshots of how they come out-of-the-box concerning "workers", "index" and "tls" in about:config. On these new FF versions, the only thing (among the usual others) I always religiously change is 'security.tls.version.min' from "1" to "2". As you've also stated before, everyone should at a minimum when they set up any Firefox, new and/or old.

I equally wonder, since the TLS setting comes default "1", if it might be wise to just tell everyone to change every setting in 'workers' from "true" to "false" plus setting 'dom.workers.maxPerDomain' from "512" to "1".

Also, in 'index' settings overall, just place "" in 'breakpad.reportURL' (removing the url completely), along with changing every "true" setting there to "false".

I'm going to try this in my MX-Linux frugal installs & see how the new Firefox versions act. Thanks, again.
Attachments: FF-58-64bit-1.png, FF-58-64bit-2.png, FF-58-64bit-3.png

User avatar
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#3 Post by 8Geee »

For workers
Looks like ALL FALSE
max per domain zero (if this were just maximum, I would set it at 1... but per domain needs to be zero (XSS attack vector))

for index
ALL FALSE
at the top, delete the phone-home
set the cache entry shown to zero
I am not sure of the highlighted entry... zero might mean OFF or it might mean always :?

for spdy
ALL FALSE

for TLS
minimum is 2... BTW in search bar type SSL and check again, make sure rc4 and dhe entries are false, and set any cache to zero

In this version you have there is also "performance.now".
In the search bar type now and see what appears. Performance now is related to the FF bug reported. I would FALSE any boolean.

Regards
8Geee
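
The about:config items named in posts #1 and #3 (minimum TLS version, workers per domain, the crash-report URL, the "index", "spdy" and "performance.now" entries, and the rc4/dhe cipher prefs) are just `user_pref` lines in a profile's prefs.js, so they can be checked mechanically before anyone edits a profile by hand. The script below is an added example, not code from 8Geee or from Mozilla: it parses a prefs.js, reports which of the thread's settings are missing or still at the weak value, and can emit a user.js applying them. The pref names `security.tls.version.min`, `dom.workers.maxPerDomain` and `breakpad.reportURL` come from the thread; `dom.indexedDB.enabled`, `dom.serviceWorkers.enabled`, `network.http.spdy.enabled` and `dom.enable_performance` are my assumption about which entries the posts' "index", "workers", "spdy" and "performance.now" searches turn up. The sample prefs.js is constructed.

```python
"""Audit a Firefox/SeaMonkey prefs.js against the about:config tweaks from this
thread, and emit a user.js that applies them.  Added example, not forum code."""
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Values the posts recommend.  The first three names are quoted in the thread;
# the remaining four are an ASSUMPTION about which about:config entries the
# "index", "workers", "spdy" and "performance.now" searches refer to.
WANTED: Dict[str, PrefValue] = {
    "security.tls.version.min": 2,      # refuse TLS 1.0 / 1.1 (default was 1)
    "dom.workers.maxPerDomain": 0,      # post #3: "per domain needs to be zero"
    "breakpad.reportURL": "",           # post #3: "delete the phone-home"
    "dom.indexedDB.enabled": False,     # assumed: the "index" entries
    "dom.serviceWorkers.enabled": False,  # assumed: the "workers" entries
    "network.http.spdy.enabled": False,   # assumed: the "spdy" entries
    "dom.enable_performance": False,      # assumed: performance.now switch
}

# One prefs.js / user.js line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_value(raw: str) -> PrefValue:
    """Decode the literal on the right-hand side of a user_pref line."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"')
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Map pref name -> value for every user_pref line; other lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(text: str) -> List[Tuple[str, str, PrefValue]]:
    """Return (pref, what was found, wanted value) for each weak or unset entry.
    A pref absent from prefs.js is at its built-in default, which for
    security.tls.version.min is the weak value the thread warns about."""
    prefs = parse_prefs(text)
    findings: List[Tuple[str, str, PrefValue]] = []
    for name, wanted in WANTED.items():
        if name not in prefs:
            findings.append((name, "not set (built-in default in effect)", wanted))
        elif prefs[name] != wanted:
            findings.append((name, f"set to {prefs[name]!r}", wanted))
    # Post #3: search "SSL" and make sure the rc4 and dhe entries are false.
    # Plain DHE suites only; ECDHE ("security.ssl3.ecdhe_...") is left alone.
    for name, value in prefs.items():
        if name.startswith("security.ssl3.") and value is True and (
            "rc4" in name or name.startswith("security.ssl3.dhe_")
        ):
            findings.append((name, "enabled", False))
    return findings


def render_user_js() -> str:
    """Emit user.js lines applying WANTED (drop the file into the profile dir)."""
    lines = []
    for name, value in WANTED.items():
        if isinstance(value, bool):
            raw = "true" if value else "false"
        elif isinstance(value, int):
            raw = str(value)
        else:
            raw = '"' + value.replace('"', '\\"') + '"'
        lines.append(f'user_pref("{name}", {raw});')
    return "\n".join(lines) + "\n"


# Constructed sample prefs.js (not from a real profile) with a mix of weak,
# hardened and unrelated entries.
SAMPLE_PREFS_JS = """\
// Constructed sample, not a real profile
user_pref("security.tls.version.min", 1);
user_pref("dom.workers.maxPerDomain", 512);
user_pref("breakpad.reportURL", "https://crash-stats.example.invalid/report/index/");
user_pref("dom.indexedDB.enabled", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, found, wanted in audit(SAMPLE_PREFS_JS):
        print(f"{name}: {found}; thread recommends {wanted!r}")
    print("--- user.js to apply the thread's settings ---")
    print(render_user_js(), end="")
```

The script only reports; it never writes into a live profile, which matters because, as 6502coder found with the Intellicast graph in SeaMonkey, disabling workers and IndexedDB wholesale breaks some sites. Run the audit, apply the generated user.js to a test profile, and check the sites you rely on before rolling it out.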

User avatar
6502coder
Posts: 677
Joined: Mon 23 Mar 2009, 18:07
Location: Western United States

#4 Post by 6502coder »

Unfortunately, I find that these changes break a web resource I rely on almost daily, the Weather Forecast Graph on Intellicast.com in SeaMonkey. It happens both on TahrPup 6.0.6 ( SM 2.48 ) and WinXP (SM 2.49.1). On the other hand, these changes DO NOT break the graph in PaleMoon (27.7.1) on TahrPup 6.0.6.

User avatar
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#5 Post by 8Geee »

hmmm... it's "The Weather Channel" in disguise (AKA weather.com).

That's usually a problem here just for the ads. :(

I'll have a go using FF27...

regards
8Geee
