I disabled all cipher suites in Firefox; why am I still able to connect to some https:// sites?

  • 4 replies
  • 1 has this problem
  • 2 views
  • Last reply by bennetthaselton

I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/ , https://www.google.com/ , and https://www.paypal.com/ with no error, even after restarting.

However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?

All replies (4)

I was able to enter some pages, but when I asked for new webpages (pages that I've never visited) it prompted me with the error. Maybe the certificates have some kind of cache.

@Markel that's what I thought too. However, this still looks like buggy behavior, because even if the website's public key certificate is *cached*, the public key certificate is just used to establish the initial connection, and from that point on, the connection is still encrypted using one of the listed cipher suites. Therefore if you disable all of the cipher suites, the connection should still be impossible.

Did you close and restart Firefox after disabling the cipher suites?

You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.

  • hold down the Shift key and left-click the Reload button
  • press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows, Linux)
  • press "Command + Shift + R" (Mac)

Chosen solution

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.
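
One way to check what the chosen solution describes, as an added example that is not part of the original thread or Mozilla's code: parse a ClientHello record (for instance one exported from a packet capture) and separate the offered TLS 1.3 suites, which the `security.ssl3.*` preferences do not control, from the TLS 1.0 through 1.2 suites. The function names are hypothetical and the sample record is constructed, not captured from Firefox.

```python
import struct

# TLS 1.3 cipher suite code points (RFC 8446); any other value is a TLS <= 1.2 suite.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
EXT_SUPPORTED_VERSIONS = 0x002B

def parse_client_hello(record: bytes) -> dict:
    """Return offered cipher suites and supported_versions from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]                    # skip session_id
    (n,) = struct.unpack_from("!H", record, pos)
    suites = list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))
    pos += 2 + n
    pos += 1 + record[pos]                    # skip compression methods
    versions = []
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos, end = pos + 2, pos + 2 + ext_total
    while pos + 4 <= end:                     # walk the extension list
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == EXT_SUPPORTED_VERSIONS:
            count = record[pos + 4] // 2      # 1-byte list length, 2 bytes per version
            versions = list(struct.unpack_from(f"!{count}H", record, pos + 5))
        pos += 4 + ext_len
    return {"suites": suites, "versions": versions}

def summarize(record: bytes) -> dict:
    hello = parse_client_hello(record)
    tls13 = [TLS13_SUITES[s] for s in hello["suites"] if s in TLS13_SUITES]
    legacy = [s for s in hello["suites"] if s not in TLS13_SUITES]
    return {"tls13_suites": tls13, "legacy_suite_count": len(legacy),
            "offers_tls13": 0x0304 in hello["versions"] and bool(tls13)}

def build_sample(suites, versions) -> bytes:
    """Constructed ClientHello (not a capture) carrying only the fields parsed above."""
    sv = struct.pack(f"!B{len(versions)}H", 2 * len(versions), *versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed: every TLS 1.0-1.2 suite switched off, TLS 1.3 suites still offered.
SAMPLE = build_sample([0x1301, 0x1303, 0x1302], [0x0304, 0x0303])
```

A `legacy_suite_count` of 0 together with `offers_tls13` being true matches the behaviour reported in the thread: servers that speak TLS 1.3 still connect, while a server limited to TLS 1.2 or lower has no suite in common with the client.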