It is possible to bypass the BEAST mitigation in place on firefox?
I have an internal web based application that is affected the the fixes put in place by all browsers to help mitigate the BEAST exploit. Is it possible to disable the fixes in place so I can access the HTTPS pages in question? This system is in a closed network so I'm not terribly concerned about loosening the security.
I've tried setting the max security to SSL 3.0 but that does nothing, I still get "The Connection was Reset" when attempting to access the page. If I use Firefox 8 it works fine I just do not know what settings if any can be enabled/disabled to force access.
Any suggestions or help is greatly appreciated.
Wót AdamSuttle
Wšykne wótegrona (9)
I am sorry, but this is not a safe action.
I will not assist you in jeopardizing your safety as a Firefox user.
Contact the support team for the application in question and report the issue to them so that they can repair the application.
Safe action or not it is a closed environment with a product that has no chance to be fixed(company defunct). I appreciate your concern but honestly I'm a bit surprised this has not come up more. If this question has been asked before I cannot find it with any magical combination of keywords either.
Sorry, but most volunteers of Mozilla and the Mozilla support staff members will not assist users in actions that may harm or compromise the user's security.
And I can completely understand not doing it just on a whim but I think the question shows I am not someone's grandmother doing this based on a phishing scam etc. Since you are obviously quite versed with the product can you at least confirm if this is something that can be done within about:config or would it require other steps/access to the OS running the browser? I would appreciate a point in the right direction so I can work on this further. Thanks again for any help.
The majority of Firefox security patches are built-in to the source code.
These security settings cannot be accessed from the about:config
.
See comment 60 in this bug report for workaround, but be aware that this makes you vulnerable to that BEAST attack.
Be sure to remove that environment variable after testing to prevent you from being vulnerable to that exploit.
- Bug 702111 - Servers intolerant to 1/n-1 record splitting. "The connection was reset"
Sadly I have tried that before and it does not work for some reason. I've tried putting it in usr and system variables for Windows with no effect. Thanks for the idea though.
It is however still in the code:
So you may have something else going on.
Be sure to remove the environment variable if you created it in Control Panel > System.
The way to proceed in such a case is to use a cmd file that sets the environment variable and subsequently launches Firefox so it only works for this specific start or Firefox.
I've removed the variable as recommended from my system. If it is still on in the code does that mean that my OS environmental variable is overridden by Firefox? While I grasp the technical details to some degree my knowledge of how the operating system and browser set these controls is obviously lacking lol.