Page 1 of 1

Firefox Security Misconfiguration (Security Hole)

Posted: 06 May 2020 14:01
by solydk
Hi,

I don't know if anyone remembers the security disaster called Heartbleed. If not please refresh yourself on the topic. Its not just ugly, unmaintained code of OpenSSL (personally, I would love Artix to switch to LibreSSL - mass cleanup of code, more secure).

https://en.wikipedia.org/wiki/Heartbleed

The general idea was to get yourself between your bank and you via badly configured, unsafe SSL negotiations. Its 2021 (Heartbleed comes from 2012) and yet Mozilla Firefox is completely misconfigured. It looks like they want the bug to stay (is that why nobody has switched to libressl? on purpose?). Negotiations is the key. You want safe negotiations, otherwise the rest that is happaning after the shakedown is irrelevant!

So lets see why Firefox is still vulnerable to this security hole:

security.ssl.require_safe_negotiation ---> no /should be TRUE
security.ssl.treat_unsafe_negotiation_as_broken ---> no /should be TRUE

Re: Firefox Security Misconfiguration (Security Hole)

Posted: 06 May 2020 18:13
by ilu
No idea why https://bugzilla.mozilla.org/show_bug.cgi?id=665859 is still undecided. https://www.ssllabs.com/ssl-pulse/ shows that only 0,3% of sites nowadays use insecure renegotiation, so we could include that setting in our firefox/waterfox config. Personally, I have it for more than 2 years and rarely run into problems. You probably wouldn't want to visit problematic sites anyway. Any other opinions?

On a personal note: Please try to voice your opinions more friendly. Just politely ask us to include that setting. We are always open to suggestions like that.

Re: Firefox Security Misconfiguration (Security Hole)

Posted: 07 May 2020 10:03
by Arjen Balfoort
Shall I include these in firefox-solydxk-adjustments and waterfox-solydxk-adjustments?

Re: Firefox Security Misconfiguration (Security Hole)

Posted: 11 May 2020 02:07
by kurotsugi
Vulnerability to Heartbleed is resolved by updating OpenSSL to a patched version (1.0.1g or later). OpenSSL can be used either as a standalone program, a dynamic shared object, or a statically-linked library; therefore, the updating process can require restarting processes loaded with a vulnerable version of OpenSSL as well as re-linking programs and libraries that linked it statically. In practice this means updating packages that link OpenSSL statically, and restarting running programs to remove the in-memory copy of the old, vulnerable OpenSSL code.
+1 to ilu. I see no reason to panic here. the problem is mostly on server side. even with that option turned off, if the server is enabling ssl negotiation, we'll use that. I think the option was turned off for compatibility reason. even if only 0,3% server is using unsafe negotiation, with those option enabled, those sites would broken. I think we should leave it as it is

Re: Firefox Security Misconfiguration (Security Hole)

Posted: 12 May 2020 13:33
by ilu
There's one other aspect: If we want to keep uniqueness of our browsers low, we should keep the browser config as near to default as much as possible. Every config change increases tracking. So after some consideration I agree with kurotsugi: leave it as it is.