Bitcoin Forum

https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org

Discuss?

This is misleading. It should say, "Some of the reference browsers choose not to select a forward-secrecy cipher." The server supports forward secrecy if the client requests it, and in fact most browsers do select a FS cipher. The server also allows non-FS ciphers because, among ciphers supported by older browsers, the non-FS ciphers are stronger.

This thread made me investigate my browsers security which was horrible.

I did some digging for mozilla based browsers. FF/PM/WF ect.

My life is pretty much boring, this made it a little bit more exciting to do some security cleanup work internally of my browser, modification of the profile is never ending, even after 3-4 years of modifications :p .

So here it goes.

My Palemoon browser was utilizing 128 bit on bitcointalk.org.

What I did to force it to utilize tls1.2 or tls 1.1 & AES 256-bit RSA 2048-bit:sha1 on bitcointalk.org.


In about:config search security.ssl3 , below, leave as is, and disable the rest.
OP: http://forum.palemoon.org/viewtopic.php?p=21731&sid=a065e58e6b465b89c238c38aa872ccda#p21731

http://forum.palemoon.org/viewtopic.php?p=22512&sid=a065e58e6b465b89c238c38aa872ccda#p22512

Going to https://www.howsmyssl.com/ before setting set above, rating was BAD.
After above settings, going to https://www.howsmyssl.com/ , rating went to good "Your client is using TLS 1.2"

This might be outdated, but I did use some stuff inside as references.
http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html

So, even though I just secured my browser, going to https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org still shows A-.

I think the client side "my browser" is as tight as it can get, i think.

Also, I hope I may redeem myself from the past by helping the community and you out by helping them/you securing their/yours mozilla based brower.

So with that. Theymos or anyone else, would you have any recommendations to secure the browsers any more than what they are with above?

Please continue with this subject, and hope above info helps ppl out, I like to help.

Edit:

I had tried


but certain sites like support.mozilla.org would not load.

Edit2:

Btw, I am using
https://addons.mozilla.org/en-US/firefox/addon/cipherfox/

to see the encryption type.

Edit3:
Ok, I ran into a problem with a certain tls enabled site, I had to drop my security.tls.version.min down to the setting of 1.

So I'm guessing

is best for security and compatibility.

Disabling ciphers may cause some sites to stop working. I'd only disable the very weak ones (if any very weak ones are enabled). Especially since HTTPS authentication is nearly useless anyway.

With TLS, the client sends a list of ciphers and then the server picks one. Sometimes (as with bitcointalk.org), the server picks the first supported cipher listed by the client. You should be able to tell Firefox the order in which to list ciphers, but there's no support for this AFAIK.

For choosing cipher suites:
- GCM is better than CBC.
- (EC)DHE provides forward secrecy. (Forward secrecy means that if someone records the encrypted network traffic, they can't later decrypt the traffic by obtaining a private key from the server.)
- AES is the best encryption algorithm. I wouldn't be surprised if effective attacks against RC4 are known to the NSA. Camellia is not as well-studied as AES, but it is preferred by most browsers for no apparent reason, which makes me suspicious.

Very new to me. Interesting much indeed. Makes sense, I disabled all Camellia in about:config, forcing a certain site to now use AES instead of Camellia.

Seems like the standard is
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.rsa_aes_256_sha

Good to know!

Hopefully whether it helps or not, as I seen u stated "HTTPS authentication is nearly useless anyway", this clears up anybody wondering like myself.

I will give enabled


a test run for a week or so. Any complications happen, I'll revert.

Does this help at all? I don't quite follow as what Moonchild has done, but seems to me it might be related to above quoted in bold.

http://forum.palemoon.org/viewtopic.php?f=1&t=3848&sid=2309b57228f8968e551c0187bee0e64e

Yes, though I assume he did that in the code. It should be user-configurable.

How is it that other sites score better then?
Example:
https://www.ssllabs.com/ssltest/analyze.html?d=transmitly.com

This is alarming.

https://www.ssllabs.com/ssltest/analyze.html?d=bitcoin.org

LOL

Excellent. How much more do we have to wait until it has been updated/upgraded? This leaves so much room for a potential second hack.

Looks like it's been fixed.

Very nice.

LOL.

https://i.imgur.com/NW2Fr31.png

good to see its fixed..

+1

It used to be an F. It's not perfect, but it's been improved a great deal.

Now it is okay, but an A+ is always welcome.

Why was it an F? What could possibly have been done?

I forget what the problem was specifically and there's no way to look back either.

So how about implementing HSTS?

It is implemented, just not long-term.

How come?

?

IMO there'd be a much higher chance of it causing problems than preventing an attack.

Try to think of an attack that the forum's current HSTS setup wouldn't protect against.

How would it cause a problem?  If you don't have the ability to operate using https you simply shouldn't be operating (this goes for any site which needs to secure communication between server and client).   If something results in you losing your TLS cert for a period of time it would be better to not operate the site until it is restored.   If anything the only useful value for HSTS would be infinite (i.e. NEVER UNTIL THE END OF TIME CONNECT TO THIS DOMAIN INSECURELY) but since that is not an option a very long HSTS value is used as a proxy.

A? good joke