SSL/TLS Client Test

General project discussion

Sampei Nihira
Moon lover
Posts: 85
Joined: 2018-04-03, 16:17

SSL/TLS Client Test

Post by Sampei Nihira » 2019-07-15, 10:57

I removed the insecure cipher suites from my Firefox-based browsers.
I also applied this change to Chrome-based browsers.
I have practically no problems.
Only one website of the many I use is unattainable.

https://browserleaks.com/ssl

https://www.ssllabs.com/ssltest/viewMyClient.html

Moonchild
Pale Moon guru
Posts: 25033
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: SSL/TLS Client Test

Post by Moonchild » 2019-07-15, 12:09

What is your point in relation to Pale Moon?
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

Sampei Nihira
Moon lover
Posts: 85
Joined: 2018-04-03, 16:17

Re: SSL/TLS Client Test

Post by Sampei Nihira » 2019-07-15, 16:17

Even Pale Moon maintains some insecure cipher suites, highlighted in the tests, which can be fixed.

Isengrim
Board Warrior
Posts: 1004
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: SSL/TLS Client Test

Post by Isengrim » 2019-07-15, 16:21

Which ciphers are listed as insecure by these tests?

(I cannot run these tests myself at the moment.)
Linux Mint 19.2 Cinnamon (64-bit), Windows 7 (64-bit), Windows 10 build 1803 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Sampei Nihira
Moon lover
Posts: 85
Joined: 2018-04-03, 16:17

Re: SSL/TLS Client Test

Post by Sampei Nihira » 2019-07-15, 16:36

See the difference between Chrome (insecure ciphers fixed) and Edge:

Image

Image

Moonchild
Pale Moon guru
Posts: 25033
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: SSL/TLS Client Test

Post by Moonchild » 2019-07-15, 16:41

There are 2 things at work here:
  1. These tests will mark all "CBC" ciphers as "weak" because there have been several attacks against this class of ciphers. IMHO this is both generalizing and incorrect. They are not weak ciphers just because they have a -potential- of getting more of a similar class of attacks launched against them (each of which was easily countered), and even more so they are not insecure. Note that insecure ciphers in Qualys' interface will be marked as such (in red and with the term INSECURE, for e.g. RC4).
    In addition, they mark ciphers with a SHA-1 HMAC as "weak" which is actually kind of silly. While SHA-1 might not be strong enough for signatures, there is no problem using it for HMAC.
    HMAC can be secure even when the underlying hash function is not collision resistant.
    Intuitively, it makes sense that HMAC is secure as a MAC even with SHA-1, because a MAC does not allow a collision search. The only way to find the key would be to compromise the preimage resistance of SHA-1. HMAC in turn prevents length extension attacks and the like that would allow a forgery without knowing the key.
    As an aside, even HMAC-MD5 hasn't been broken.
  2. The browser is a web client, which must maintain the broadest acceptable collection of cipher suites to prevent connectivity issues with sites that have "less than perfect" (according to the security community) scores for their https setups. While you personally might not have run into sites that would break by disabling all CBC ciphers, there are plenty of them out there. Unless the cipher suites involved become actually insecure (and not just "weak") or involving an unacceptable risk for secure connections, they should not be disabled by default in a client.
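As an added illustration of the HMAC point in the post above (example code, not from the thread or from Pale Moon), here is HMAC-SHA1 written out per RFC 2104, with the nesting that is the reason hash collisions and length extension do not carry over to the MAC; it is cross-checked against Python's hmac module and an RFC 2202 test vector.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 compresses 64-byte blocks; HMAC pads the key to this size


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || m))."""
    # Keys longer than one block are hashed first, shorter keys are zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    # Inner hash: the secret key occupies the first block, so an attacker who can
    # find SHA-1 collisions offline still cannot compute this value or its state.
    inner = hashlib.sha1(ipad_key + message).digest()
    # Outer hash over the keyed, fixed-length inner digest: the tag never exposes
    # the internal state of a hash over attacker-chosen data, which is what
    # length extension needs and what a plain H(key || message) MAC would leak.
    return hashlib.sha1(opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check; constant-time comparison avoids timing leaks."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written construction against Python's hmac module."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()


if __name__ == "__main__":
    # RFC 2202 test case 1 (a published HMAC-SHA1 test vector).
    key, msg = b"\x0b" * 20, b"Hi There"
    tag = hmac_sha1(key, msg)
    print(tag.hex())  # b617318655057264e28bc0b6fb378c8ef146be00
    print(verify_tag(key, msg, tag), verify_tag(key, msg + b"!", tag))
```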

Sampei Nihira
Moon lover
Posts: 85
Joined: 2018-04-03, 16:17

Re: SSL/TLS Client Test

Post by Sampei Nihira » 2019-07-16, 15:26

I thank you for your considerations.
With Pale Moon I prefer to eliminate weak/insecure ciphers.
With Chrome-based browsers it is easy to launch the browser without my modification.
You only need to run the browser without the relevant Command Line Switch.

Only this website of those I use does not work:

https://www.ilsoftware.it/

I wrote to the webmaster but he doesn't intend to change anything soon.

No problems on other websites including your forum. :thumbup:

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6281
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: SSL/TLS Client Test

Post by New Tobin Paradigm » 2019-07-16, 16:36

Then you're a fool.
- This is no place for loafers. Join me or die. Can you do any less? -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

Moonchild
Pale Moon guru
Posts: 25033
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: SSL/TLS Client Test

Post by Moonchild » 2019-07-17, 01:48

https://www.ssllabs.com/ssltest/analyze ... oftware.it

ssl labs gives that site good marks ("A") and there's nothing wrong with the server configuration. Suites with forward secrecy preferred (and using a very strong elliptic curve profile at that), TLS 1.2 support, not vulnerable to any of the "poodle" attacks, etc.

I have to agree with Tobin that you're being foolish for blindly disabling cipher suites in the browser just because you see "weak" marked alongside it which I already explained is being overzealous, and then using a different browser with generally less security-aware defaults for the sites that use still perfectly acceptable settings.

Sampei Nihira
Moon lover
Posts: 85
Joined: 2018-04-03, 16:17

Re: SSL/TLS Client Test

Post by Sampei Nihira » 2019-07-17, 18:44

I know well that the website is secure.
Not only do I know the Director, but I have worked with him in the past on safety issues.

For the judgment of fool, in Italy there is a proverb that reads:

"The ox says horned to the donkey"

to say that one sees the defects only in others.
In fact I have not expressed opinions after the recent events that have affected your forum.
Your job is to express your point of view.
And let others follow their convictions respecting their free will.

Don't judge if you don't want to be judged.

F22 Simpilot
Lunatic
Posts: 486
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: SSL/TLS Client Test

Post by F22 Simpilot » 2019-07-18, 07:37

Wouldn't it be prudent to trust the Dev of the browser you use on this forum more than your own understanding?
If you're that smart and act like a dork, then you're not that smart after all. :geek:

Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Utnapishtim
Moonbather
Posts: 73
Joined: 2018-07-12, 02:42

Re: SSL/TLS Client Test

Post by Utnapishtim » 2019-07-18, 08:35

Sampei Nihira wrote:
2019-07-17, 18:44
I know well that the website is secure.
Not only do I know the Director, but I have worked with him in the past on safety issues.
Huh? :eh: The point of using strong ciphers is to prevent decryption and impersonation by third parties. Whether you trust the owner's code has no bearing on it. That's like saying that if you send cash by mail, the postal workers will never steal it if the recipient is an honest and safety-aware person.

Moonchild
Pale Moon guru
Posts: 25033
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: SSL/TLS Client Test

Post by Moonchild » 2019-07-18, 11:06

Off-topic:
Sampei Nihira wrote:
2019-07-17, 18:44
to say that one sees the defects only in others.
In fact I have not expressed opinions after the recent events that have affected your forum.
Your job is to express your point of view.
And let others follow their convictions respecting their free will.
"my" forum is also "your" forum. My "job" is to provide a browser, and -maybe- help with support for it. It's not to express opinions on fora.
If you're wanting to turn this around as somehow being oblivious to my own faults then you should realize that sometimes advice is just that: advice given by someone who has knowledge -- and not an "opinion".
Also, what "recent events" you may be alluding to: if you have issues with the community, then you should remind yourself you are here of your own volition, and it'd be yours to make peace with and solve.

But, I'll be happy to stop providing advice to you; makes my "job" of "providing opinions" less work.
