Puppy Linux Discussion Forum
All times are UTC - 4
TLS1.2 weakness in FireFox browsers
8Geee


Joined: 12 May 2008
Posts: 1668
Location: N.E. USA

Posted: Tue 23 Jan 2018, 01:43    Post subject: TLS1.2 weakness in FireFox browsers

The path to this goes from looking up Slackware patches (Firefox dated 20th) to Mozilla to their patches. In particular the CVE-2017-7843 HIGH security risk found here.

I posted a mitigation for Firefox users here.

As it turns out this is rather serious stuff, as it reads secure-transport information. It is not a fault of TLS1.2, but rather the way FF handles the information. By turning off workers (that have no real reason to access such information) and the indexed database (ditto comment), the attack vector can be quieted. Older versions of FF such as 27 and up have TLS1.2 installed and ARE vulnerable.

I have decided to also put this here after reading the details. If you have Firefox as browser and regularly use TLS1.2 encryption (FF27 and up), IMHO this tweak to about:config is necessary.

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
belham2

Joined: 15 Aug 2016
Posts: 1535

Posted: Tue 23 Jan 2018, 04:50    Post subject: Re: TLS1.2 weakness in FireFox browsers

8Geee wrote:

I posted a mitigation for Firefox users here.
8Geee


Hi 8Geee,

Thanks for this. Also, what do you think about the latest FF versions? Here are some screenshots of how they come out of the box concerning "workers", "index" and "tls" in about:config. On these new FF versions, the only thing (among the usual others) I always religiously change is 'security.tls.version.min' from "1" to "2". As you've also stated before, everyone should do this at a minimum when they set up any Firefox, new and/or old.

I equally wonder, since the TLS setting comes default "1", if it might be wise to just tell everyone to change every setting in 'workers' from "true" to "false", plus setting 'dom.workers.maxPerDomain' from "512" to "1".

Also, in 'index' settings overall, just place "" in 'breakpad.reportURL' (removing the url completely), along with changing every "true" setting there to "false".


I'm going to try this in my MX-Linux frugal installs & see how the new Firefox versions act. Thanks, again.
[Attached screenshots: FF-58-64bit-1.png, FF-58-64bit-2.png, FF-58-64bit-3.png]
8Geee


Joined: 12 May 2008
Posts: 1668
Location: N.E. USA

Posted: Tue 23 Jan 2018, 21:06    Post subject:

For workers
Looks like ALL FALSE
max per domain zero (if this were just maximum, I would set at 1... but per domain needs to be zero (XSS attack vector))

for index
ALL FALSE
at the top, delete the phone-home
set the cache entry shown to zero
I am not sure of the highlighted entry... zero might mean OFF or it might mean always

for spdy
ALL FALSE

for TLS
minimum is 2... BTW in search bar type SSL and check again, make sure rc4 and dhe entries are false, and set any cache to zero

In this version you have there is also "performance.now"
In the search bar type now and see what appears. Performance now is related to the FF bug reported. I would FALSE any boolean.

Regards
8Geee

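An added example, not part of any post above and not Mozilla's code: a small Python audit that reads a profile's prefs.js or user.js and groups its entries by the about:config search terms used in this thread, decoding the numeric security.tls.version.min value into a protocol name. The sample file contents are constructed; prefs.js records only prefs changed from their defaults, so a missing entry means the default is in effect.

```python
import re

# Meaning of the integer stored in security.tls.version.min / .max.
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
SEARCH_TERMS = ("workers", "index", "spdy", "tls", "ssl")  # terms from the thread
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of user-set prefs (not taken from any poster's profile).
SAMPLE = '''\
user_pref("security.tls.version.min", 2);
user_pref("dom.workers.maxPerDomain", 0);
user_pref("dom.serviceWorkers.enabled", false);
user_pref("dom.indexedDB.enabled", false);
user_pref("network.http.spdy.enabled", true);
user_pref("breakpad.reportURL", "");
'''

def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def group_by_search(prefs):
    """Group prefs by search term (case-insensitive match on the name only)."""
    return {t: {n: v for n, v in prefs.items() if t in n.lower()} for t in SEARCH_TERMS}

def still_true(prefs, term):
    """Names of boolean prefs under a search term that are still set to true."""
    return sorted(n for n, v in group_by_search(prefs)[term].items() if v is True)

def tls_floor(prefs):
    """Protocol name for security.tls.version.min, or None if not user-set."""
    v = prefs.get("security.tls.version.min")
    return None if v is None else TLS_VERSIONS.get(v, f"unknown ({v})")

if __name__ == "__main__":
    p = parse_prefs(SAMPLE)
    print(tls_floor(p), {t: still_true(p, t) for t in SEARCH_TERMS})
```

To audit a real profile, pass the contents of its prefs.js to `parse_prefs` instead of `SAMPLE`.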
6502coder


Joined: 23 Mar 2009
Posts: 475
Location: Western United States

Posted: Fri 26 Jan 2018, 00:53    Post subject:

Unfortunately, I find that these changes break a web resource I rely on almost daily, the Weather Forecast Graph on Intellicast.com in SeaMonkey. It happens both on TahrPup 6.0.6 (SM 2.48) and WinXP (SM 2.49.1). On the other hand, these changes DO NOT break the graph in PaleMoon (27.7.1) on TahrPup 6.0.6.
8Geee


Joined: 12 May 2008
Posts: 1668
Location: N.E. USA

Posted: Thu 15 Feb 2018, 03:26    Post subject:

hmmm... it's "The Weather Channel" in disguise (AKA weather.com).

That's usually a problem here just for the ads.

I'll have a go using FF27...

regards
8Geee
