SSL/TLS Client Test

General project discussion.
Use this as a last resort if your topic does not fit in any of the other boards but it still on-topic.
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.

Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
Sampei Nihira

SSL/TLS Client Test

Unread post by Sampei Nihira » 2019-07-15, 10:57

I removed the insecure cipher suites from my Firefox-based browsers.
I also applied this change to Chrome-based browsers.
I have practically no problems.
Only one website of the many I use is unattainable.

https://browserleaks.com/ssl

https://www.ssllabs.com/ssltest/viewMyClient.html

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: SSL/TLS Client Test

Unread post by Moonchild » 2019-07-15, 12:09

What is your point in relation to Pale Moon?
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Sampei Nihira

Re: SSL/TLS Client Test

Unread post by Sampei Nihira » 2019-07-15, 16:17

Even Pale Moon maintains some insecure cipher suites, highlighted in the tests, which can be fixed.

User avatar
Isengrim
Board Warrior
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1
Contact:

Re: SSL/TLS Client Test

Unread post by Isengrim » 2019-07-15, 16:21

Which ciphers are listed as insecure by these tests?

(I cannot run these tests myself at the moment.)
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Sampei Nihira

Re: SSL/TLS Client Test

Unread post by Sampei Nihira » 2019-07-15, 16:36

See the difference between Chrome (insecure ciphers fixed) and Edge:

Image

Image

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: SSL/TLS Client Test

Unread post by Moonchild » 2019-07-15, 16:41

There's 2 things at work here:
  1. These tests will mark all "CBC" ciphers as "weak" because there have been several attacks against this class of ciphers. IMHO this is both generalizing and incorrect. They are not weak ciphers just because they have a -potential- of getting more of a similar class of attacks launched against them (each of which was easily countered), and even more so they are not insecure. Note that insecure ciphers in Qualys' interface will be marked as such (in red and with the term INSECURE, for e.g. RC4).
    In addition, they mark ciphers with a SHA-1 HMAC as "weak" which is actually kind of silly. While SHA-1 might not be strong enough for signatures, there is no problem using it for HMAC.
    HMAC can be secure even when the underlying hash function is not collision resistant.
    Intuitively, it makes sense that HMAC is secure as a MAC even with SHA-1, because a MAC does not allow a collision search. The only way to find the key would be to compromise the preimage resistance of SHA-1. HMAC in turn prevents length extension attacks and the like that would allow a forgery without knowing the key.
    As an aside, even HMAC-MD5 hasn't been broken.
  2. The browser is a web client, which must maintain the broadest acceptable collection of cipher suites to prevent connectivity issues with sites that have "less than perfect" (according to the security community) scores for their https setups. While you personally might not have run into sites that would break by disabling all CBC ciphers, there are plenty of them out there. Unless the cipher suites involved become actually insecure (and not just "weak") or involving an unacceptable risk for secure connections, they should not be disabled by default in a client.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Sampei Nihira

Re: SSL/TLS Client Test

Unread post by Sampei Nihira » 2019-07-16, 15:26

I thank you for your considerations.
With Pale Moon I prefer to eliminate weak/insecure ciphers.
With Chrome-based browsers it is easy to launch the browser without my modification.
You only need to run the browser without the relevant Command Line Switche.

Only this website of those I use does not work:

https://www.ilsoftware.it/

I wrote to the webmaster but he doesn't intend to change anything soon.

No problems on other websites including your forum. :thumbup:

New Tobin Paradigm

Re: SSL/TLS Client Test

Unread post by New Tobin Paradigm » 2019-07-16, 16:36

Then you're a fool.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: SSL/TLS Client Test

Unread post by Moonchild » 2019-07-17, 01:48

https://www.ssllabs.com/ssltest/analyze ... oftware.it

ssl labs gives that site good marks ("A") and there's nothing wrong with the server configuration. Suites with forward secrecy preferred (and using a very strong elliptic curve profile at that), TLS 1.2 support, not vulnerable to any of the "poodle" attacks, etc.

I have to agree with Tobin that you're being foolish for blindly disabling cipher suites in the browser just because you see "weak" marked alongside it which I already explained is being overzealous, and then using a different browser with generally less security-aware defaults for the sites that use still perfectly acceptable settings.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Sampei Nihira

Re: SSL/TLS Client Test

Unread post by Sampei Nihira » 2019-07-17, 18:44

I know well that the website is secure.
Not only do I know the Director, but I have worked with him in the past on safety issues.

For the judgment of fool, in Italy there is a proverb that reads:

"The ox says horned to the donkey"

to say that one sees the defects only in others.
In fact I have not expressed opinions after the recent events that have affected your forum.
Your job is to express your point of view.
And let others follow their convictions respecting their free will.

Don't judge if you don't want to be judged.

John connor

Re: SSL/TLS Client Test

Unread post by John connor » 2019-07-18, 07:37

Wouldn't be prudent to trust the Dev of the browser you use on this forum than your own understanding?

User avatar
Utnapishtim
Fanatic
Fanatic
Posts: 141
Joined: 2018-07-12, 02:42
Location: Win7

Re: SSL/TLS Client Test

Unread post by Utnapishtim » 2019-07-18, 08:35

Sampei Nihira wrote:
2019-07-17, 18:44
I know well that the website is secure.
Not only do I know the Director, but I have worked with him in the past on safety issues.
Huh? :eh: The point of using strong ciphers is to prevent decryption and impersonation by third parties. Whether you trust the owner's code has no bearing on it. That's like saying that if you send cash by mail, the postal workers will never steal it if the recipient is an honest and safety-aware person.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: SSL/TLS Client Test

Unread post by Moonchild » 2019-07-18, 11:06

Off-topic:
Sampei Nihira wrote:
2019-07-17, 18:44
to say that one sees the defects only in others.
In fact I have not expressed opinions after the recent events that have affected your forum.
Your job is to express your point of view.
And let others follow their convictions respecting their free will.
"my" forum is also "your" forum. My "job" is to provide a browser, and -maybe- help with support for it. It's not to express opinions on fora.
If you're wanting to turn this around as somehow being oblivious to my own faults then you should realize that sometimes advice is just that: advice given by someone who has knowledge -- and not an "opinion".
Also, what "recent events" you may be alluding to: if you have issues with the community, then you should remind yourself you are here of your own volition, and it'd be yours to make peace with and solve.

But, I'll be happy to stop providing advice to you; makes my "job" of "providing opinions" less work.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Locked