Kërkoni te Asistenca

Shmangni karremëzime gjoja asistence. S’do t’ju kërkojmë kurrë të bëni një thirrje apo të dërgoni tekst te një numër telefoni, apo të na jepni të dhëna personale. Ju lutemi, raportoni veprimtari të dyshimtë duke përdorur mundësinë “Raportoni Abuzim”.

Mësoni Më Tepër

I disabled all cipher suites in Firefox; why am I still able to connect to some https:// sites?

  • 4 përgjigje
  • 1 e ka hasur këtë problem
  • 122 parje
  • Përgjigjja më e re nga bennetthaselton

more options

I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/ , https://www.google.com/ , and https://www.paypal.com/ with no error, even after restarting.

However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?

I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/ , https://www.google.com/ , and https://www.paypal.com/ with no error, even after restarting. However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?

Zgjidhje e zgjedhur

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.

Lexojeni këtë përgjigje brenda kontekstit 👍 0

Krejt Përgjigjet (4)

more options

I was able to enter some pages, but when I asked for new webpages (pages that I've never visited) it prompt me the error. Maybe the certificates have some kind of cache

more options

@Markel that's what I thought too. However, this still looks like buggy behavior, because even if website public key certificate is *cached*, the public key certificate is just used to establish the initial connection, and from that point on, the connection is still encrypted using one of the listed cipher suites. Therefore if you disable all of the cipher suites, the connection should still be impossible.

more options

Did you close and restart Firefox after disabling the cipher suites ?

You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.

  • hold down the Shift key and left-click the Reload button
  • press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
  • press "Command + Shift + R" (Mac)
more options

Zgjidhja e Zgjedhur

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.