General :
K-Meleon Web Browser Forum
Am I correct that KM74 isn't running SSL?
about:config:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability
What's the KM solution?
Edited 4 time(s). Last edit at 10/15/2014 03:25PM by KM2005.
You are not correct.
What you are posting are ciphers.
The default min version for security version is SSLv3 in K-meleon.
Change the preference security.tls.version.min to 1 to avoid using SSLv3.
http://kb.mozillazine.org/Security.tls.version.%2A
EDIT: bold text to highlight.
Edited 1 time(s). Last edit at 10/15/2014 04:26PM by JohnHell.
You are wrong. TLS 0 means AFAIK SSL3. And K-Meleon has that as security.tls.version.min.
And You originally asked about TLS 1.3.
So I will answer that next.
K-Meleon does not develop the GRE or the TLS component.
K-Meleon does support the newest TLS protocol which is 1.2.
And I remember that You originally linked to the thread where how to change to TLS 1.2 was posted.
http://kmeleonbrowser.org/forum/read.php?2,130135,130146#msg-130146
POODLE: To stop the possibility of POODLE attack, AFAIK You need to completely disable SSL 3.0 on the client side and the server side. This will AFAIR by default come soon on the client side with updates of the Firefox GRE 34 in November 2014.
While I personaly think that there is not point on switching off lower fallbacks since You loose all protection on sites that have no TLS - You can manually set security.tls.version.min to 1 (via about:config).
Vulnerabilities on the server side remain.
http://en.wikipedia.org/wiki/Transport_Layer_Security#Survey_of_websites
Using Your brain will maybe help You out. Shorts sessions if You need high security and a profile with high security.tls.version.min for specific sites.
Read in this thread what ciphers Mozilla does still use in nightly GRE 34 for clues what they thinks is safe. And You can try these with the sites You need.
http://kmeleonbrowser.org/forum/read.php?2,130135,130146#msg-130146
With some luck all will work out.
Edited 1 time(s). Last edit at 10/15/2014 06:23PM by guenter.
Makes sense along with reading the mozillazine.org article.
Thanks JohnHell
Caveat, bullet two: http://kb.mozillazine.org/Security.tls.version.%2A#Caveats (that JohnHell provided)
Quote: "There is currently no fallback from TLS 1.1/1.2 to earlier protocols. Thus, selecting security.tls.version.max = 2 (or 3) for TLS 1.1 (or 1.2) support results in the connection failing when the server connected to doesn't support that version...."
I'd say protected up to the point the browser can't even get a connection, encrypted or unencrypted, when the server connected to doesn't support that version.
I am not sure if this needed or possible, but Mozilla has created an addon for the poodle problem.
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Tested it a while ago. A good idea but...
IMHO not as good as a dedicated K-Meleon profile if something needs REAL security.
You put all shields up if You go e.g. to Your bank and do nothing else with such a profile.
They AFAIK cannot create specialiszed profiles as easy as we. So they have these toggle things.
General discussion about K-Meleon
SSL 3.0 POODLE Attack
Posted by:
KM2005
Date: October 15, 2014 02:40PM
Am I correct that KM74 isn't running SSL?
about:config:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability
What's the KM solution?
Edited 4 time(s). Last edit at 10/15/2014 03:25PM by KM2005.
Re: SSL 3.0 POODLE Attack
Posted by:
JohnHell
Date: October 15, 2014 04:25PM
You are not correct.
What you are posting are ciphers.
The default min version for security version is SSLv3 in K-meleon.
Change the preference security.tls.version.min to 1 to avoid using SSLv3.
http://kb.mozillazine.org/Security.tls.version.%2A
EDIT: bold text to highlight.
Edited 1 time(s). Last edit at 10/15/2014 04:26PM by JohnHell.
Re: SSL 3.0 POODLE Attack
Posted by:
guenter
Date: October 15, 2014 05:52PM
Quote
KM2005
Am I correct that KM74 isn't running SSL?
www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability
What's the KM solution?
You are wrong. TLS 0 means AFAIK SSL3. And K-Meleon has that as security.tls.version.min.
And You originally asked about TLS 1.3.
So I will answer that next.
Quote
Wikipedia
TLS 1.3 (draft) As of July 2014, TLS 1.3 is a draft and details have not fixed yet.[16][17] It is based on the earlier TLS 1.1 and 1.2 specification. Major differences from TLS 1.2 include: Reworked handshake to provide 1-RTT mode. Remove custom DHE groups. Removed support for compression. Removed support for static RSA and DH key exchange. Removed support for non-AEAD ciphers (CBC mode of block ciphers, RC4).
K-Meleon does not develop the GRE or the TLS component.
K-Meleon does support the newest TLS protocol which is 1.2.
And I remember that You originally linked to the thread where how to change to TLS 1.2 was posted.
http://kmeleonbrowser.org/forum/read.php?2,130135,130146#msg-130146
POODLE: To stop the possibility of POODLE attack, AFAIK You need to completely disable SSL 3.0 on the client side and the server side. This will AFAIR by default come soon on the client side with updates of the Firefox GRE 34 in November 2014.
While I personaly think that there is not point on switching off lower fallbacks since You loose all protection on sites that have no TLS - You can manually set security.tls.version.min to 1 (via about:config).
Vulnerabilities on the server side remain.
http://en.wikipedia.org/wiki/Transport_Layer_Security#Survey_of_websites
Using Your brain will maybe help You out. Shorts sessions if You need high security and a profile with high security.tls.version.min for specific sites.
Read in this thread what ciphers Mozilla does still use in nightly GRE 34 for clues what they thinks is safe. And You can try these with the sites You need.
http://kmeleonbrowser.org/forum/read.php?2,130135,130146#msg-130146
With some luck all will work out.
Edited 1 time(s). Last edit at 10/15/2014 06:23PM by guenter.
Re: SSL 3.0 POODLE Attack
Posted by:
KM2005
Date: October 15, 2014 06:39PM
Makes sense along with reading the mozillazine.org article.
Thanks JohnHell
Re: SSL 3.0 POODLE Attack
Posted by:
KM2005
Date: October 15, 2014 07:01PM
Quote
guenter
While I personaly think that there is not point on switching off lower fallbacks since You loose all protection on sites that have no TLS - You can manually set security.tls.version.min to 1 (via about:config).
Caveat, bullet two: http://kb.mozillazine.org/Security.tls.version.%2A#Caveats (that JohnHell provided)
Quote: "There is currently no fallback from TLS 1.1/1.2 to earlier protocols. Thus, selecting security.tls.version.max = 2 (or 3) for TLS 1.1 (or 1.2) support results in the connection failing when the server connected to doesn't support that version...."
I'd say protected up to the point the browser can't even get a connection, encrypted or unencrypted, when the server connected to doesn't support that version.
Re: SSL 3.0 POODLE Attack
Posted by:
JamesD
Date: October 30, 2014 09:27PM
I am not sure if this needed or possible, but Mozilla has created an addon for the poodle problem.
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Re: SSL 3.0 POODLE Attack
Posted by:
guenter
Date: October 30, 2014 10:32PM
Quote
JamesD
I am not sure if this needed or possible, but Mozilla has created an addon for the poodle problem.
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
Tested it a while ago. A good idea but...
IMHO not as good as a dedicated K-Meleon profile if something needs REAL security.
You put all shields up if You go e.g. to Your bank and do nothing else with such a profile.
They AFAIK cannot create specialiszed profiles as easy as we. So they have these toggle things.
English