Firefox blocks weak Diffie-Hellman keys

Martin Brinkmann
Oct 3, 2016
Firefox

Mozilla announced on September 30, 2016 that it made the decision to enforce stronger Diffie-Hellman keys in the Firefox web browser.

Firefox users who visit websites that use weak Diffie-Hellman keys -- now defined as less than 1023 bits -- will see a connection error message in the web browser instead of the actual site.

The message reads "secure connection failed" and the reason given is the following:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY

The page lists a "learn more" link that leads to the "What does 'Your connection is not secure' mean?" support page on Mozilla Support.


The error page itself lists a "try again" button but no option to override the policy and open the actual website.

In case you are wondering, this is how other browsers handle sites with weak Diffie-Hellman keys:

  1. Google Chrome, Opera and Vivaldi throw a "this site can't provide a secure connection" error with no override option. Other Chrome or Chromium-based browsers are likely throwing the same error message.
  2. Pale Moon throws a "secure connection failed" error.
  3. Microsoft Edge displays "hmm, we can't reach this page" error instead.
  4. Internet Explorer throws the error "this page can't be displayed".

According to Mozilla, a small number of servers are still configured to use weak keys that are vulnerable to attack.

In response to recent developments attacking Diffie-Hellman key exchange (https://weakdh.org/) and to protect the privacy of Firefox users, we have increased the minimum key size for TLS handshakes using Diffie-Hellman key exchange to 1023 bits. A small number of servers are not configured to use strong enough keys. If a user attempts to connect to such a server, they will encounter the error “ssl_error_weak_server_ephemeral_dh_key”.

The organization mentions the Logjam attack in particular, which attacks the Diffie-Hellman key exchange in the TLS protocol.

All major browsers now block sites that use weak Diffie-Hellman keys, with no override option. In case you are wondering, Firefox's preference to override weak security certificates does not work for this error either.
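As an added illustration (not code from the article, from Mozilla or from Firefox), the following Python parses the ServerDHParams structure carried in a TLS 1.2 ServerKeyExchange message (RFC 5246, section 7.4.3) and applies the 1023-bit minimum to the bit length of the server's prime, which is the condition behind the SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY failure. The two sample messages are constructed stand-ins with the stated bit lengths, not real DH groups.

```python
import struct

# Firefox's minimum ephemeral DH prime size in bits, per Mozilla's announcement.
MIN_DH_BITS = 1023

FIELD_NAMES = ("p", "g", "Ys")


def parse_server_dh_params(body: bytes) -> dict:
    """Parse ServerDHParams from a ServerKeyExchange body (RFC 5246, 7.4.3):
    dh_p, dh_g and dh_Ys, each prefixed with a 2-byte big-endian length.
    Any bytes after dh_Ys (the signature in DHE suites) are left untouched."""
    values = {}
    offset = 0
    for name in FIELD_NAMES:
        if offset + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad or truncated field {name}")
        values[name] = int.from_bytes(body[offset:offset + length], "big")
        offset += length
    return values


def dh_prime_bits(body: bytes) -> int:
    """Bit length of the server's DH prime p, which is what the minimum applies to."""
    return parse_server_dh_params(body)["p"].bit_length()


def dh_key_is_acceptable(body: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """True if the offered group meets the minimum; False corresponds to the
    SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY error described in the article."""
    return dh_prime_bits(body) >= min_bits


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams; used here only to construct sample messages."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples: the moduli are odd stand-ins of the stated bit length,
# not real DH primes (only the size of p matters for this check).
WEAK_512 = build_server_dh_params((1 << 511) | 1, 2, (1 << 300) | 5)
OK_1024 = build_server_dh_params((1 << 1023) | 1, 2, (1 << 900) | 7)
```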

Publisher: Ghacks Technology News

Comments

  1. FX said on October 4, 2016 at 12:51 am
    Reply

    https://bugzilla.mozilla.org/show_bug.cgi?id=1269807

    “Remove support for all NPAPI plugins except for Flash, behind a pref. Tests that use the testplugin for now set the pref to keep it working. This will be disabled for ESR 52, but enabled for release 52. In the next cycle, the pref will be removed and this will be hardcoded.”

    NPAPI is finally dead; the biggest source of crashes and security issues, due to buggy, insecure plugins, is finally gone. Hooray.

    1. Dave said on October 4, 2016 at 2:15 pm
      Reply

      To be fair, you didn’t have to use NPAPI plugins. I don’t think I use any plugins, because it’s not 2003 anymore.

  2. Dave said on October 3, 2016 at 8:54 pm
    Reply

    Interesting. The error message is ridiculous though. How about “This website cannot provide the secure connection that is required.” That makes sense to the average person, and it conveys all the necessary information.

  3. George P. Burdell said on October 3, 2016 at 7:30 pm
    Reply

    About that message illustrated above that says “Please contact the website owners to inform them of this problem.”

    Maybe I can send them a snail mail postal card, since their web site is now unreachable with any known browser.

    1. Martin Brinkmann said on October 3, 2016 at 7:31 pm
      Reply

      That is a good point, George. You could run a whois and send an email to the administrative or technical contact of the domain: https://who.is/

      1. Jason said on October 3, 2016 at 11:28 pm
        Reply

        I did that once and reached a very surprised administrator who had no idea her email was listed on the internet. :)
