Undetectable Humanizer: Lifetime Subscription
Transform AI-Generated Text into Human-Like, High-Ranking Content & Bypass Even the Most Sophisticated AI Detectors
Get 95% Deal

Manage cipher suites in Firefox

Martin Brinkmann
Apr 18, 2016
Firefox
|
11

Web browsers like Firefox ship with sets of cipher suites that the browser uses to protect data that is transferred between the web browser and secure websites.

When a browser connects to a secure website negotiations take place in which the client  provides the server with a list of supported cipher suites, and information about the preferred cipher suite and SSL/TLS protocol version.

The server may then accept the client's preferences if supported, or ignore them to deliver a cipher suite of its own which it prioritizes.

In the end, client and server either agree on the use of a cipher suite or the connection attempt fails.

Managing cipher suites in Firefox

Browsers like Firefox support several cipher suites to ensure compatibility with secure servers and sites on the Internet.

While that is a good thing, it may sometimes mean that insecure or vulnerable cipher suites are being used or are still supported.

A recent example is the RC4 Cipher which many browsers have deprecated recently because it is not secure anymore. While many companies who produce browsers have reacted to this threat, you could have blocked RC4 manually before those changes took affect.

You can check SSL on sites like How's My SSL or QUALY's SSL Labs which highlight what the browser supports, and whether anything is problematic from a security point of view.

Using about:config

firefox cipher suites

Firefox users can control the cipher suites in the browser on about:config.

  1. Type about:config in the browser's address bar and hit enter.
  2. You may receive a prompt that warns you about the dangers of using this in the browser if this is your first time opening the page. Click continue to proceed.
  3. Search for ssl3 using the search field at the top.

Firefox lists all cipher suites as a result, and you may enable or disable any of those by toggling the value with a double-click on the preference name.

A value of true means the cipher suite is enabled, one of false that it is not available.

Firefox Add-ons

toggle cipher suites

Toggle Cipher Suites is a new browser extension for the Firefox web browser that enables you to manage cipher suites in the browser.

Basically, what it does is provide you with an interface to enable or disable individual cipher suites so that you don't need to open about:config to do so.

The extension adds an icon to the main toolbar of Firefox, and a click on it reveals all supported cipher suites and their state.

You can click on the menu next to any cipher suite to toggle it, for instance from enabled to disabled.

The add-on links furthermore to the two SSL tests linked above so that you can run a check of the new configuration right after you make modifications.

Closing Words

Webmasters may use the add-on or the manual method to disable certain cipher suites to test web servers, and users to block cipher suites that are no longer secure.

Summary
Manage cipher suites in Firefox
Article Name
Manage cipher suites in Firefox
Description
Web browsers like Firefox ship with sets of cipher suites that the browser uses to protect data that is transferred between the web browser and secure websites.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. pd said on April 20, 2016 at 6:14 am
    Reply

    FWIW, SSleuth appears to offer a similar facility. Load this URL for easiest access:

    chrome://ssleuth/content/preferences.xul

    then see the “Cipher suites” tab.

  2. Freddy Krugger said on April 19, 2016 at 7:11 pm
    Reply

    Reference my earlier comment on ‘security.ssl3.rsa_aes_256_sha’ see section on “Perfect forward secrecy” here https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
    Quote from that page not from me:
    If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. Might break lots of stuff.

    security.ssl3.rsa_aes_256_sha=false

  3. Georgie Boy said on April 19, 2016 at 7:04 pm
    Reply

    To prevent man in the middle (MITM) attacks does anybody have an opinion on setting these configurations in ‘about:config’?:

    security.ssl.require_safe_negotiation = true

    security.ssl.treat_unsafe_negotiation_as_broken= true

    See:
    https://www.mulle-kybernetik.com/weblog/2013/why_do_i_get_ssl_error_unsafe.html

  4. Freddy Krugger said on April 19, 2016 at 5:46 pm
    Reply

    Very helpful, Alan Robertson. I have been looking for this type of advice for a while.
    Incidentally, I read somewhere ( but I can’t find the link to that advice at the moment) that “security.ssl3.rsa_aes_256_sha” had been broken and it is recommended to disable that also.

    1. Alan Robertson said on April 20, 2016 at 3:02 am
      Reply

      Hi Freddy – no problem. Yes, that’s a fly in the ointment but some sites won’t connect with https otherwise. It’s a bit of a compromise but you should be immune to Logjam, Freak and Poodle (where do they get these names from?)

      You could try switching it off and see how you get on – if the TLS connection fails then just re-enable it. You don’t need to restart Firefox.

    2. Dave said on April 19, 2016 at 9:57 pm
      Reply

      Yes, let’s all blindly trust random comments on the internet. That will lead to the best outcome.

  5. Alan Robertson said on April 18, 2016 at 6:33 pm
    Reply

    Use these and disable the rest (about:config in Firefox):
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
    security.ssl3.ecdhe_ecdsa_aes_256_sha
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
    security.ssl3.ecdhe_rsa_aes_256_sha
    security.ssl3.rsa_aes_256_sha

    You can test them at SSL Labs:
    https://www.ssllabs.com/ssltest/viewMyClient.html

    and at Fortify:
    https://www.fortify.net/sslcheck.html

  6. Tom Hawack said on April 18, 2016 at 6:06 pm
    Reply

    The idea of such an add-on seems pertinent. In my case I have to rely on what I learn here and there when it comes to ciphers (and not only them!) and set accordingly advised parameters in about:config : I have no idea as to when and why I should enable or disable a cipher in a given situation, which is I guess the purpose of this add-on.

  7. Dave said on April 18, 2016 at 5:48 pm
    Reply

    This is the stuff that makes Firefox cool

  8. CHEF-KOCH said on April 18, 2016 at 5:22 pm
    Reply

    Way to late for such addons, since FF removed all insecure ones + it get now more monitored.

    1. gh said on April 18, 2016 at 6:06 pm
      Reply

      Yes, too late. Mozilla’s decision to remove (vs just set false by default) some of the older ciphers has left many corporate deployments clinging to firefox ESR.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.