Jan 8, 2014 - Secure Your Firefox

Comments

Are you sure youre Firefox uses secure encryption systems?

tl;dr:

Have a look at howsmyssl.com. If your client isn't "Probably Okay" open: about:config and set the following:

  • security.tls.version.max;3
  • security.ssl3.ecdh_rsa_rc4_128_sha;false
  • security.ssl3.ecdhe_rsa_rc4_128_sha;false
  • security.ssl3.rsa_fips_des_ede3_sha;false
  • security.ssl3.rsa_rc4_128_md5;false
  • security.ssl3.rsa_rc4_128_sha;false

Longer Version

First of all, i got this link via twitter (@andreasdotorg). So i clicked it and was a bit shocked. My browser, firefox 26, used only TLS 1.0 and also it used broken SSL ciphers, in particular RC4.

A quick web research revealed, that the Mozilla developers implemented TLS 1.2 within the NSS library with version 3.15.1, in the middle of 2013. Maybe i didn't have that version installed. A quick look into my linux told me, that i have installed nss in version 3.15.3. So what is the matter with my firefox?

After more research i learned, that i have everything needed for TLS 1.2 but it's not activated within firefox 26 by default. (Can anyone explain to me, why this is?)

Anyhow, it is possible to activate TLS 1.2 in firefox 26 pretty easy. Just switch to the configuration (about:config) and navigate to: security.tls.version.max. Set the Value to 3.

After that, deactivate the following ssl ciphers (by setting them to false):

  • security.ssl3.ecdh_rsa_rc4_128_sha
  • security.ssl3.ecdhe_rsa_rc4_128_sha
  • security.ssl3.rsa_fips_des_ede3_sha
  • security.ssl3.rsa_rc4_128_md5
  • security.ssl3.rsa_rc4_128_sha

After that, restart your browser and navigate again to howsmyssl.com. You should now be "Probably Okay" ;-)