The server does not support Forward Secrecy with the reference browsers.
This is misleading. It should say, "Some of the reference browsers choose not to select a forward-secrecy cipher." The server
supports forward secrecy if the client requests it, and in fact most browsers do select a FS cipher. The server also allows non-FS ciphers because, among ciphers supported by older browsers, the non-FS ciphers are stronger.
This thread made me investigate my browsers security which was horrible.
I did some digging for mozilla based browsers. FF/PM/WF ect.
My life is pretty much boring, this made it a little bit more exciting to do some security cleanup work internally of my browser, modification of the profile is never ending, even after 3-4 years of modifications :p .
So here it goes.
My Palemoon browser was utilizing 128 bit on bitcointalk.org.
What I did to force it to utilize tls1.2 or tls 1.1 & AES 256-bit RSA 2048-bit:sha1 on bitcointalk.org.
In about:config search security.ssl3 , below, leave as is, and disable the rest.
OP:
http://forum.palemoon.org/viewtopic.php?p=21731&sid=a065e58e6b465b89c238c38aa872ccda#p21731http://forum.palemoon.org/viewtopic.php?p=22512&sid=a065e58e6b465b89c238c38aa872ccda#p22512security.ssl3.dhe_dss_aes_256_sha;true
security.ssl3.dhe_dss_camellia_256_sha;true
security.ssl3.dhe_rsa_aes_256_sha;true
security.ssl3.dhe_rsa_camellia_256_sha;true
security.ssl3.ecdh_ecdsa_aes_256_sha;true
security.ssl3.ecdh_rsa_aes_256_sha;true
security.ssl3.ecdhe_ecdsa_aes_256_sha;true
security.ssl3.ecdhe_rsa_aes_256_sha;true
security.ssl3.rsa_aes_256_sha;true
security.ssl3.rsa_camellia_256_sha;true
Going to
https://www.howsmyssl.com/ before setting set above, rating was BAD.
After above settings, going to
https://www.howsmyssl.com/ , rating went to good "Your client is using TLS 1.2"
This might be outdated, but I did use some stuff inside as references.
http://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.htmlSo, even though I just secured my browser, going to
https://www.ssllabs.com/ssltest/analyze.html?d=bitcointalk.org still shows A-.
I think the client side "my browser" is as tight as it can get, i think.
Also, I hope I may redeem myself from the past by helping the community and you out by helping them/you securing their/yours mozilla based brower.
So with that. Theymos or anyone else, would you have any recommendations to secure the browsers any more than what they are with above?
Please continue with this subject, and hope above info helps ppl out, I like to help.
Edit:
I had tried
security.tls.version.min : 3
security.tls.version.max : 3
but certain sites like support.mozilla.org would not load.
Edit2:
Btw, I am using
https://addons.mozilla.org/en-US/firefox/addon/cipherfox/to see the encryption type.
Edit3:
Ok, I ran into a problem with a certain tls enabled site, I had to drop my security.tls.version.min down to the setting of 1.
So I'm guessing
security.tls.version.min : 1
security.tls.version.max : 3
is best for security and compatibility.
