Firefox Security Misconfiguration (Security Hole)

solydk
Posts: 4
Joined: 30 Apr 2020 09:09

Postby solydk » 06 May 2020 14:01

Hi,

I don't know if anyone remembers the security disaster called Heartbleed. If not, please refresh yourself on the topic. It's not just the ugly, unmaintained code of OpenSSL (personally, I would love Artix to switch to LibreSSL - mass cleanup of code, more secure).

https://en.wikipedia.org/wiki/Heartbleed

The general idea was to get yourself between your bank and you via badly configured, unsafe SSL negotiations. It's 2021 (Heartbleed comes from 2012) and yet Mozilla Firefox is completely misconfigured. It looks like they want the bug to stay (is that why nobody has switched to LibreSSL? On purpose?). Negotiation is the key. You want safe negotiations, otherwise the rest that is happening after the shakedown is irrelevant!

So let's see why Firefox is still vulnerable to this security hole:

security.ssl.require_safe_negotiation ---> no /should be TRUE
security.ssl.treat_unsafe_negotiation_as_broken ---> no /should be TRUE

ilu
Posts: 2745
Joined: 09 Oct 2013 12:45

Re: Firefox Security Misconfiguration (Security Hole)

Postby ilu » 06 May 2020 18:13

No idea why https://bugzilla.mozilla.org/show_bug.cgi?id=665859 is still undecided. https://www.ssllabs.com/ssl-pulse/ shows that only 0,3% of sites nowadays use insecure renegotiation, so we could include that setting in our firefox/waterfox config. Personally, I have had it for more than 2 years and rarely run into problems. You probably wouldn't want to visit problematic sites anyway. Any other opinions?

On a personal note: Please try to voice your opinions in a more friendly way. Just politely ask us to include that setting. We are always open to suggestions like that.

Arjen Balfoort
Site Admin
Posts: 9518
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Firefox Security Misconfiguration (Security Hole)

Postby Arjen Balfoort » 07 May 2020 10:03

Shall I include these in firefox-solydxk-adjustments and waterfox-solydxk-adjustments?


SolydXK needs you!
Development | Testing | Translations

kurotsugi
Posts: 2290
Joined: 09 Jan 2014 00:17

Re: Firefox Security Misconfiguration (Security Hole)

Postby kurotsugi » 11 May 2020 02:07

Vulnerability to Heartbleed is resolved by updating OpenSSL to a patched version (1.0.1g or later). OpenSSL can be used either as a standalone program, a dynamic shared object, or a statically-linked library; therefore, the updating process can require restarting processes loaded with a vulnerable version of OpenSSL as well as re-linking programs and libraries that linked it statically. In practice this means updating packages that link OpenSSL statically, and restarting running programs to remove the in-memory copy of the old, vulnerable OpenSSL code.
+1 to ilu. I see no reason to panic here. The problem is mostly on the server side. Even with that option turned off, if the server is enabling SSL negotiation, we'll use that. I think the option was turned off for compatibility reasons. Even if only 0,3% of servers are using unsafe negotiation, with those options enabled, those sites would be broken. I think we should leave it as it is.

ilu
Posts: 2745
Joined: 09 Oct 2013 12:45

Re: Firefox Security Misconfiguration (Security Hole)

Postby ilu » 12 May 2020 13:33

There's one other aspect: If we want to keep the uniqueness of our browsers low, we should keep the browser config as near to default as possible. Every config change increases tracking. So after some consideration I agree with kurotsugi: leave it as it is.
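
A profile check for the two preferences discussed in this thread, as an added example that is not part of any post: it reads a Firefox profile's prefs.js and user.js and reports the effective value of each preference and where it came from. The function names and the sample profile are constructed for illustration, and the defaults of false follow the thread's description of both settings being off.

```python
import re, sys, tempfile
from pathlib import Path

# The two preferences named in the thread; assumed off unless a file sets them.
DEFAULTS = {
    "security.ssl.require_safe_negotiation": False,
    "security.ssl.treat_unsafe_negotiation_as_broken": False,
}
# Matches active lines such as: user_pref("name", true);  ("// user_pref" is skipped)
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: bool} for boolean user_pref() lines; the last one wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    return {name: value == "true" for name, value in PREF_RE.findall(text)}

def effective(profile_dir):
    """Apply prefs.js, then user.js on top, as Firefox does at startup."""
    result = {name: (value, "default") for name, value in DEFAULTS.items()}
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if not path.is_file():
            continue
        found = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
        for name, value in found.items():
            if name in DEFAULTS:
                result[name] = (value, fname)
    return result

def not_enforced(profile_dir):
    """Names of the thread's prefs that are effectively false in this profile."""
    return [n for n, (value, _) in effective(profile_dir).items() if not value]

def demo():
    """Constructed sample profile: user.js overrides what prefs.js stored."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "prefs.js").write_text(
            'user_pref("security.ssl.require_safe_negotiation", true);\n'
            '// user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);\n')
        Path(d, "user.js").write_text(
            '/* constructed sample */\n'
            'user_pref("security.ssl.require_safe_negotiation", false);\n'
            'user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);\n')
        return effective(d)

if __name__ == "__main__":
    report = effective(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, (value, src) in report.items():
        print(f"{name} = {str(value).lower()}  (from {src})")
```

Run it with the path to a profile directory as the only argument; with no argument it prints the result for the constructed sample.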

