Manage cipher suites in Firefox - gHacks Tech News

Manage cipher suites in Firefox

Web browsers like Firefox ship with sets of cipher suites that the browser uses to protect data that is transferred between the web browser and secure websites.

When a browser connects to a secure website negotiations take place in which the client  provides the server with a list of supported cipher suites, and information about the preferred cipher suite and SSL/TLS protocol version.

The server may then accept the client's preferences if supported, or ignore them to deliver a cipher suite of its own which it prioritizes.

In the end, client and server either agree on the use of a cipher suite or the connection attempt fails.

Managing cipher suites in Firefox

Browsers like Firefox support several cipher suites to ensure compatibility with secure servers and sites on the Internet.

While that is a good thing, it may sometimes mean that insecure or vulnerable cipher suites are being used or are still supported.

A recent example is the RC4 Cipher which many browsers have deprecated recently because it is not secure anymore. While many companies who produce browsers have reacted to this threat, you could have blocked RC4 manually before those changes took affect.

You can check SSL on sites like How's My SSL or QUALY's SSL Labs which highlight what the browser supports, and whether anything is problematic from a security point of view.

Using about:config

firefox cipher suites

Firefox users can control the cipher suites in the browser on about:config.

  1. Type about:config in the browser's address bar and hit enter.
  2. You may receive a prompt that warns you about the dangers of using this in the browser if this is your first time opening the page. Click continue to proceed.
  3. Search for ssl3 using the search field at the top.

Firefox lists all cipher suites as a result, and you may enable or disable any of those by toggling the value with a double-click on the preference name.

A value of true means the cipher suite is enabled, one of false that it is not available.

Firefox Add-ons

toggle cipher suites

Toggle Cipher Suites is a new browser extension for the Firefox web browser that enables you to manage cipher suites in the browser.

Basically, what it does is provide you with an interface to enable or disable individual cipher suites so that you don't need to open about:config to do so.

The extension adds an icon to the main toolbar of Firefox, and a click on it reveals all supported cipher suites and their state.

You can click on the menu next to any cipher suite to toggle it, for instance from enabled to disabled.

The add-on links furthermore to the two SSL tests linked above so that you can run a check of the new configuration right after you make modifications.

Closing Words

Webmasters may use the add-on or the manual method to disable certain cipher suites to test web servers, and users to block cipher suites that are no longer secure.

Summary
Manage cipher suites in Firefox
Article Name
Manage cipher suites in Firefox
Description
Web browsers like Firefox ship with sets of cipher suites that the browser uses to protect data that is transferred between the web browser and secure websites.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. CHEF-KOCH said on April 18, 2016 at 5:22 pm
      Reply

      Way to late for such addons, since FF removed all insecure ones + it get now more monitored.

      1. gh said on April 18, 2016 at 6:06 pm
        Reply

        Yes, too late. Mozilla’s decision to remove (vs just set false by default) some of the older ciphers has left many corporate deployments clinging to firefox ESR.

    2. Dave said on April 18, 2016 at 5:48 pm
      Reply

      This is the stuff that makes Firefox cool

    3. Tom Hawack said on April 18, 2016 at 6:06 pm
      Reply

      The idea of such an add-on seems pertinent. In my case I have to rely on what I learn here and there when it comes to ciphers (and not only them!) and set accordingly advised parameters in about:config : I have no idea as to when and why I should enable or disable a cipher in a given situation, which is I guess the purpose of this add-on.

    4. Alan Robertson said on April 18, 2016 at 6:33 pm
      Reply

      Use these and disable the rest (about:config in Firefox):
      security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
      security.ssl3.ecdhe_ecdsa_aes_256_sha
      security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
      security.ssl3.ecdhe_rsa_aes_256_sha
      security.ssl3.rsa_aes_256_sha

      You can test them at SSL Labs:
      https://www.ssllabs.com/ssltest/viewMyClient.html

      and at Fortify:
      https://www.fortify.net/sslcheck.html

    5. Freddy Krugger said on April 19, 2016 at 5:46 pm
      Reply

      Very helpful, Alan Robertson. I have been looking for this type of advice for a while.
      Incidentally, I read somewhere ( but I can’t find the link to that advice at the moment) that “security.ssl3.rsa_aes_256_sha” had been broken and it is recommended to disable that also.

      1. Dave said on April 19, 2016 at 9:57 pm
        Reply

        Yes, let’s all blindly trust random comments on the internet. That will lead to the best outcome.

      2. Alan Robertson said on April 20, 2016 at 3:02 am
        Reply

        Hi Freddy – no problem. Yes, that’s a fly in the ointment but some sites won’t connect with https otherwise. It’s a bit of a compromise but you should be immune to Logjam, Freak and Poodle (where do they get these names from?)

        You could try switching it off and see how you get on – if the TLS connection fails then just re-enable it. You don’t need to restart Firefox.

    6. Georgie Boy said on April 19, 2016 at 7:04 pm
      Reply

      To prevent man in the middle (MITM) attacks does anybody have an opinion on setting these configurations in ‘about:config’?:

      security.ssl.require_safe_negotiation = true

      security.ssl.treat_unsafe_negotiation_as_broken= true

      See:
      https://www.mulle-kybernetik.com/weblog/2013/why_do_i_get_ssl_error_unsafe.html

    7. Freddy Krugger said on April 19, 2016 at 7:11 pm
      Reply

      Reference my earlier comment on ‘security.ssl3.rsa_aes_256_sha’ see section on “Perfect forward secrecy” here https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
      Quote from that page not from me:
      If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. Might break lots of stuff.

      security.ssl3.rsa_aes_256_sha=false

    8. pd said on April 20, 2016 at 6:14 am
      Reply

      FWIW, SSleuth appears to offer a similar facility. Load this URL for easiest access:

      chrome://ssleuth/content/preferences.xul

      then see the “Cipher suites” tab.

    Leave a Reply