Firefox Security Misconfiguration (Security Hole).

Topic: Firefox Security Misconfiguration (Security Hole). (Read 831 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

Firefox Security Misconfiguration (Security Hole).

06 May 2020, 13:02:59

Hi,

I don't know if anyone remembers the security disaster called Heartbleed. If not please refresh yourself on the topic. Its not just ugly, unmaintained code of OpenSSL (personally, I would love Artix to switch to LibreSSL - mass cleanup of code, more secure).

https://en.wikipedia.org/wiki/Heartbleed

The general idea was to get yourself between your bank and you via badly configured, unsafe SSL negotiations. Its 2021 (Heartbleed comes from 2012) and yet Mozilla Firefox is completely misconfigured. It looks like they want the bug to stay (is that why nobody has switched to libressl? on purpose?). Negotiations is the key. You want safe negotiations, otherwise the rest that is happaning after the shakedown is irrelevant!

So lets see why Firefox is still vulnerable to this security hole:

security.ssl.require_safe_negotiation ---> no /should be TRUE
security.ssl.treat_unsafe_negotiation_as_broken ---> no /should be TRUE

Re: Firefox Security Misconfiguration (Security Hole).

Reply #1 – 06 May 2020, 15:33:25

Recompile any kind of browser is a real pain in the hole for us as these are monsters that requires lot of RAM, space and CPU power to compile and its a process that can take several hours locking any other work in our pipeline. I am not very familiar with which mechanism firefox (or any other browser) offers in order to change this kind of configuration by default apart that using the "about:config" interface per profile.

Do you know of any option to make this kind of configuration globally default without requiring package recompilation?

Btw, it is 2020 not 2021

Re: Firefox Security Misconfiguration (Security Hole).

Reply #2 – 06 May 2020, 15:57:17

Well there is. Profiles. Anyway time to file a bug upstream don't you think?

Re: Firefox Security Misconfiguration (Security Hole).

Reply #3 – 06 May 2020, 16:00:43

https://forum.palemoon.org/viewtopic.php?f=3&t=14549&p=104117&hilit=security.ssl.require_safe_negotiation#p104117

The settings are the same in Pale Moon, and that link above explains why, although no doubt you could discuss it with Firefox to see if anything has changed recently.

Re: Firefox Security Misconfiguration (Security Hole).

Reply #4 – 06 May 2020, 16:23:51

it would be maybe good idea to put more pressure on archlinux developers in this matter.

Re: Firefox Security Misconfiguration (Security Hole).

Reply #5 – 06 May 2020, 19:01:41

Quote from above link:
"This is why these settings are disabled by default. Only if you use the browser in a high-sec environment where this must be enforced (e.g. tightly-controlled military or governmental environments where even the mere possibility of a non-compliant connection is a major transgression) do you need these kinds of settings."

If you enable those then apparently (I haven't tried it though) you can't do things like go to bank websites, government tax websites, or checkout on eBay. Possibly you won't be able to connect to your router. I guess from reading that, heartbleed has been fixed elsewhere and those settings don't do what they did in 2010. If you want them set like that and it doesn't break any websites you use then go to about:config and set them yourself, it will be remembered in your profile, although if they were set like that as default then it would be just as easy change them back.

Re: Firefox Security Misconfiguration (Security Hole).

Reply #6 – 06 May 2020, 22:44:09

I myself trust LibreSSL over OpenSSL anytime, and I wish Arch would switch to LibreSSL as well, that way we could easily