How is it that other sites score better then?
Example:
https://www.ssllabs.com/ssltest/analyze.html?d=transmitly.com
Topic: Site's Security Grade: A- - page 2. (Read 2442 times)
Yes, though I assume he did that in the code. It should be user-configurable.
With TLS, the client sends a list of ciphers and then the server picks one. Sometimes (as with bitcointalk.org), the server picks the first supported cipher listed by the client. You should be able to tell Firefox the order in which to list ciphers, but there's no support for this AFAIK.
Does this help at all? I don't quite follow as what Moonchild has done, but seems to me it might be related to above quoted in bold.
http://forum.palemoon.org/viewtopic.php?f=1&t=3848&sid=2309b57228f8968e551c0187bee0e64e
Quote
Changed the list of supported encryption ciphers and order of preference to provide you with secure, speedy connections wherever possible.
Very new to me. Interesting much indeed. Makes sense, I disabled all Camellia in about:config, forcing a certain site to now use AES instead of Camellia.
Seems like the standard is
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha
Good to know!
Hopefully whether it helps or not, as I seen u stated "HTTPS authentication is nearly useless anyway", this clears up anybody wondering like myself.
I will give enabled
a test run for a week or so. Any complications happen, I'll revert.
Seems like the standard is
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha
Good to know!
Hopefully whether it helps or not, as I seen u stated "HTTPS authentication is nearly useless anyway", this clears up anybody wondering like myself.
I will give enabled
Code:
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha
a test run for a week or so. Any complications happen, I'll revert.
Disabling ciphers may cause some sites to stop working. I'd only disable the very weak ones (if any very weak ones are enabled). Especially since HTTPS authentication is nearly useless anyway.
With TLS, the client sends a list of ciphers and then the server picks one. Sometimes (as with bitcointalk.org), the server picks the first supported cipher listed by the client. You should be able to tell Firefox the order in which to list ciphers, but there's no support for this AFAIK.
For choosing cipher suites:
- GCM is better than CBC.
- (EC)DHE provides forward secrecy. (Forward secrecy means that if someone records the encrypted network traffic, they can't later decrypt the traffic by obtaining a private key from the server.)
- AES is the best encryption algorithm. I wouldn't be surprised if effective attacks against RC4 are known to the NSA. Camellia is not as well-studied as AES, but it is preferred by most browsers for no apparent reason, which makes me suspicious.
With TLS, the client sends a list of ciphers and then the server picks one. Sometimes (as with bitcointalk.org), the server picks the first supported cipher listed by the client. You should be able to tell Firefox the order in which to list ciphers, but there's no support for this AFAIK.
For choosing cipher suites:
- GCM is better than CBC.
- (EC)DHE provides forward secrecy. (Forward secrecy means that if someone records the encrypted network traffic, they can't later decrypt the traffic by obtaining a private key from the server.)
- AES is the best encryption algorithm. I wouldn't be surprised if effective attacks against RC4 are known to the NSA. Camellia is not as well-studied as AES, but it is preferred by most browsers for no apparent reason, which makes me suspicious.
Quote
The server does not support Forward Secrecy with the reference browsers.
This is misleading. It should say, "Some of the reference browsers choose not to select a forward-secrecy cipher." The server supports forward secrecy if the client requests it, and in fact most browsers do select a FS cipher. The server also allows non-FS ciphers because, among ciphers supported by older browsers, the non-FS ciphers are stronger.
This thread made me investigate my browsers security which was horrible.
I did some digging for mozilla based browsers. FF/PM/WF ect.
My life is pretty much boring, this made it a little bit more exciting to do some security cleanup work internally of my browser, modification of the profile is never ending, even after 3-4 years of modifications :p .
So here it goes.
My Palemoon browser was utilizing 128 bit on bitcointalk.org.
What I did to force it to utilize tls1.2 or tls 1.1 & AES 256-bit RSA 2048-bit:sha1 on bitcointalk.org.
Quote
http://kb.mozillazine.org/Security.tls.version.*
I changed
from its default setting to to what it is in the code box.
I changed
Code:
security.tls.version.min : 2
security.tls.version.max : 3
security.tls.version.max : 3
from its default setting to to what it is in the code box.
In about:config search security.ssl3 , below, leave as is, and disable the rest.
OP: http://forum.palemoon.org/viewtopic.php?p=21731&sid=a065e58e6b465b89c238c38aa872ccda#p21731
http://forum.palemoon.org/viewtopic.php?p=22512&sid=a065e58e6b465b89c238c38aa872ccda#p22512
Code:
security.ssl3.dhe_dss_aes_256_sha;true
security.ssl3.dhe_dss_camellia_256_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_camellia_256_sha;true
security.ssl3.ecdh_ecdsa_aes_256_sha;true
security.ssl3.ecdh_rsa_aes_256_sha;true
security.ssl3.ecdhe_ecdsa_aes_256_sha;true
security.ssl3.ecdhe_rsa_aes_256_sha;true
security.ssl3.rsa_aes_256_sha;true
security.ssl3.rsa_camellia_256_sha;true
security.ssl3.dhe_dss_camellia_256_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_camellia_256_sha;true
security.ssl3.ecdh_ecdsa_aes_256_sha;true
security.ssl3.ecdh_rsa_aes_256_sha;true
security.ssl3.ecdhe_ecdsa_aes_256_sha;true
security.ssl3.ecdhe_rsa_aes_256_sha;true
security.ssl3.rsa_aes_256_sha;true
security.ssl3.rsa_camellia_256_sha;true
Going to https://www.howsmyssl.com/ before setting set above, rating was BAD.
After above settings, going to https://www.howsmyssl.com/ , rating went to good "Your client is using TLS 1.2"
This might be outdated, but I did use some stuff inside as references.
http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html
So, even though I just secured my browser, going to https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org still shows A-.
I think the client side "my browser" is as tight as it can get, i think.
Also, I hope I may redeem myself from the past by helping the community and you out by helping them/you securing their/yours mozilla based brower.
So with that. Theymos or anyone else, would you have any recommendations to secure the browsers any more than what they are with above?
Please continue with this subject, and hope above info helps ppl out, I like to help.
Edit:
I had tried
Code:
security.tls.version.min : 3
security.tls.version.max : 3
security.tls.version.max : 3
but certain sites like support.mozilla.org would not load.
Edit2:
Btw, I am using
https://addons.mozilla.org/en-US/firefox/addon/cipherfox/
to see the encryption type.
Edit3:
Ok, I ran into a problem with a certain tls enabled site, I had to drop my security.tls.version.min down to the setting of 1.
So I'm guessing
Code:
security.tls.version.min : 1
security.tls.version.max : 3
security.tls.version.max : 3
is best for security and compatibility.
Quote
The server does not support Forward Secrecy with the reference browsers.
This is misleading. It should say, "Some of the reference browsers choose not to select a forward-secrecy cipher." The server supports forward secrecy if the client requests it, and in fact most browsers do select a FS cipher. The server also allows non-FS ciphers because, among ciphers supported by older browsers, the non-FS ciphers are stronger.
Jump to: