The path to this goes from looking up Slackware patches (Firefox dated 20th) to Mozilla to their patches. In particular the CVE-2017-7843 HIGH security risk found here.
I posted a mitigation for firefox users posted here.
As it turns out this is rather serious stuff, as it reads secure-transport information. It is not a fault of TLS1.2, but rather the way FF handles the information. By turning off workers (that have no real reason to access such information) and the indexed database (ditto comment), the attack vector can be quieted. Older versions of FF such as 27 and up have TLS1.2 installed and ARE vulnerable.
I have decided to also put this here after reading the details. If you have Firefox as your browser and regularly use TLS1.2 encryption (FF27 and up), IMHO this tweak to about:config is necessary.
Regards
8Geee
TLS1.2 weakness in FireFox browsers
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
Re: TLS1.2 weakness in FireFox browsers
Hi 8Geee,
8Geee wrote: I posted a mitigation for firefox users posted here.
8Geee
Thanks for this. Also, what do you think about the latest FF versions? Here are some screenshots of how they come out of the box concerning "workers", "index" and "tls" in about:config. On these new FF versions, the only thing (among the usual others) I always religiously change is the 'security.tls.version.min' from "1" to "2". As you've also stated before, everyone should at a minimum when they set up any Firefox, new and/or old.
I equally wonder, since the TLS setting comes default "1" if it might be wise to just tell everyone to change every setting in 'workers' from "true" to "false" plus setting 'dom.workers.maxPerDomain' from "512" to "1".
Also, in 'index' settings overall, just place "" in 'breakpad.reportURL' (removing the url completely), along with changing every "true" setting there to "false".
I'm going to try this in my MX-Linux frugal installs & see how the new Firefox versions act. Thanks, again.
- Attachments
- FF-58-64bit-1.png
- FF-58-64bit-2.png
- FF-58-64bit-3.png
For workers
Looks like ALL FALSE
max per domain zero ( if this were just maximum, I would set at 1... but per domain needs to be zero (XSS attack vector))
for index
ALL FALSE
at the top, delete the phone-home
set the cache entry shown to zero
I am not sure of the highlighted entry... zero might mean OFF or it might mean always
for spdy
ALL FALSE
for TLS
minimum is 2... BTW in search bar type SSL and check again, make sure rc4 and dhe entries are false, and set any cache to zero
In this version you have there is also "performance.now"
In the search bar type now and see what appears. Performance now is related to the FF bug reported. I would FALSE any boolean.
Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
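An added example, not part of any post in this thread: a Python check that reads the text of a Firefox prefs.js or user.js and reports where it deviates from the checklist given in the post above. The helper names `parse_prefs` and `audit` and the sample profile are assumptions of this example; the values checked are the ones stated in the thread.

```python
import re

# One line of a Firefox prefs.js / user.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')
# Checklist as given in the thread. Firefox numbers security.tls.version.min
# as 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2; the thread's value is kept here.
EXACT = {"security.tls.version.min": 2, "dom.workers.maxPerDomain": 0,
         "breakpad.reportURL": ""}
# about:config search terms from the thread: every boolean hit should be false.
SEARCH_TERMS = ("workers", "index", "spdy")

def parse_prefs(text):
    """Return {name: value} with booleans, integers and strings decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Return sorted (pref, problem) pairs that deviate from the checklist."""
    findings = []
    for name, want in EXACT.items():
        if name not in prefs:
            # prefs.js stores only changed prefs, so the default is in effect
            findings.append((name, "not set, default applies"))
        elif name == "security.tls.version.min" and prefs[name] >= want:
            continue  # a higher minimum also satisfies the checklist
        elif prefs[name] != want:
            findings.append((name, "is %r, wanted %r" % (prefs[name], want)))
    for name, value in prefs.items():
        if value is True and any(t in name.lower() for t in SEARCH_TERMS):
            findings.append((name, "still true"))
    return sorted(findings)

# Constructed sample, not taken from a real profile.
SAMPLE = '''// Mozilla User Preferences
user_pref("security.tls.version.min", 1);
user_pref("dom.workers.maxPerDomain", 0);
user_pref("dom.indexedDB.enabled", true);
user_pref("dom.serviceWorkers.enabled", true);
'''
```

Because prefs.js records only prefs that differ from the defaults, a pref reported as "not set" still has to be checked in about:config for the running version.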
Unfortunately, I find that these changes break a web resource I rely on almost daily, the Weather Forecast Graph on Intellicast.com in SeaMonkey. It happens both on TahrPup 6.0.6 ( SM 2.48 ) and WinXP (SM 2.49.1). On the other hand, these changes DO NOT break the graph in PaleMoon (27.7.1) on TahrPup 6.0.6.