Skip to main content
Topic: Firefox Security Misconfiguration (Security Hole). (Read 832 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Firefox Security Misconfiguration (Security Hole).

Hi,

I don't know if anyone remembers the security disaster called Heartbleed. If not please refresh yourself on the topic. Its not just ugly, unmaintained code of OpenSSL (personally, I would love Artix to switch to LibreSSL - mass cleanup of code, more secure).

https://en.wikipedia.org/wiki/Heartbleed

The general idea was to get yourself between your bank and you via badly configured, unsafe SSL negotiations. Its 2021 (Heartbleed comes from 2012) and yet Mozilla Firefox is completely misconfigured.  It looks like they want the bug to stay (is that why nobody has switched to libressl? on purpose?). Negotiations is the key. You want safe negotiations, otherwise the rest that is happaning after the shakedown is irrelevant!

So lets see why Firefox is still vulnerable to this security hole:

security.ssl.require_safe_negotiation ---> no /should be TRUE
security.ssl.treat_unsafe_negotiation_as_broken ---> no /should be TRUE


Re: Firefox Security Misconfiguration (Security Hole).

Reply #1
Recompile any kind of browser is a real pain in the hole for us as these are monsters that requires lot of RAM, space and CPU power to compile and its a process that can take several hours locking any other work in our pipeline. I am not very familiar with which mechanism  firefox (or any other browser) offers in order to change this kind of configuration by default apart that using the "about:config" interface per profile.

Do you know of any option to make this kind of configuration globally default without requiring package recompilation?

Btw, it is 2020 not 2021 :D

Re: Firefox Security Misconfiguration (Security Hole).

Reply #2
Well there is. Profiles. Anyway time to file a bug upstream don't you think?


Re: Firefox Security Misconfiguration (Security Hole).

Reply #4
it would be maybe  good idea to put more pressure on archlinux developers in this matter.

Re: Firefox Security Misconfiguration (Security Hole).

Reply #5
Quote from above link:
"This is why these settings are disabled by default. Only if you use the browser in a high-sec environment where this must be enforced (e.g. tightly-controlled military or governmental environments where even the mere possibility of a non-compliant connection is a major transgression) do you need these kinds of settings."

If you enable those then apparently (I haven't tried it though) you can't do things like go to bank websites, government tax websites, or checkout on eBay. Possibly you won't be able to connect to your router.  I guess from reading that,  heartbleed has been fixed elsewhere and those settings don't do what they did in 2010. If you want them set like that and it doesn't break any websites you use then go to about:config and set them yourself, it will be remembered in your profile, although if they were set like that as default then it would be just as easy change them back.

 

Re: Firefox Security Misconfiguration (Security Hole).

Reply #6
I myself trust LibreSSL over OpenSSL anytime, and I wish Arch would switch to LibreSSL as well, that way we could easily