I was trying to figure out why my libreoffice-bin was throwing an error when I came across Deactivating the RC4 cipher in Firefox, so I searched for some information about why one would do that.
According to Wikipedia:
A double-byte bias attack on RC4 in TLS and SSL that requires 13 × 2^20 encryptions to break RC4 was unveiled on 8 July 2013, and it was described as “feasible” in the accompanying presentation at the 22nd USENIX Security Symposium on August 15, 2013. Microsoft recommends disabling RC4 where possible.
A little farther down the excerpt, it says “36.2% (-0.3%) support RC4 suites used with modern browsers” and only “7.6% (+0.3%) not support.” To be honest, I don’t have any clue how the attack is done, since by my own judgment I possess no knowledge of Internet security.
However, since there are far more secure ciphers available, current websites generally support them, and browsers (or the protocol?) will choose the most secure method (High-grade Encryption) to communicate, so I decided it might be a good idea just to disable RC4.
1 Testing available ciphers
You can use the following sites to see a list of the ciphers your browser offers; RC4 should no longer be listed once you disable those settings:
2 Disabling in Firefox
2.1 Since Firefox 44
Mozilla planned to disable RC4 by default on January 26, 2016 with the Firefox 44 release. You do not need to do anything from this version on; RC4 is gone for good.
2.2 Since Firefox 36
Since February 2015 with Firefox 36, RC4 has been a fallback-only option, controlled by security.tls.unrestricted_rc4_fallback. If you want to turn the RC4 cipher off, just set that option to false and you are done.
2.3 Before Firefox 36
The steps are easy: go to about:config, search for rc4, and disable the following six entries by double-clicking each one so that all of their values are set to false:
- security.ssl3.ecdh_ecdsa_rc4_128_sha
- security.ssl3.ecdh_rsa_rc4_128_sha
- security.ssl3.ecdhe_ecdsa_rc4_128_sha
- security.ssl3.ecdhe_rsa_rc4_128_sha
- security.ssl3.rsa_rc4_128_md5
- security.ssl3.rsa_rc4_128_sha
You can try to find a server to test against:

```
$ echo Q | openssl s_client -connect <SERVER>:443 | grep "Cipher"
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Cipher    : RC4-SHA
```
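The openssl check above tells you which cipher a server happens to pick, but the question a server operator actually wants answered is whether the server will still accept RC4 at all when a client offers nothing else. The script below wraps `openssl s_client -cipher RC4` to ask exactly that and parses the result. It is an added example, not code from this post; it assumes an `openssl` binary on PATH, and because recent OpenSSL builds ship without RC4, it treats "no cipher match" from the local tool as "cannot test" rather than as a pass. SAMPLE_OUTPUT is the output captured above, embedded so the parser can be exercised offline.

```python
"""Check whether a TLS server still accepts RC4 by offering it only RC4 suites.

Added example (not from the original post).  Assumes `openssl` is on PATH.
"""
import re
import subprocess

# The post's captured s_client output, embedded so the parser runs offline.
SAMPLE_OUTPUT = """\
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, CN = VeriSign Class 3 Extended Validation SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Cipher    : RC4-SHA
"""

# s_client prints the negotiated cipher twice:
#   "New, TLSv1/SSLv3, Cipher is RC4-SHA"   and   "    Cipher    : RC4-SHA"
# On a failed handshake it prints "New, (NONE), Cipher is (NONE)".
_NEW_RE = re.compile(r"^New, .*Cipher is (\S+)", re.M)
_SUMMARY_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def negotiated_cipher(s_client_output):
    """Return the cipher name s_client negotiated, or None if no handshake completed."""
    for rx in (_NEW_RE, _SUMMARY_RE):
        m = rx.search(s_client_output)
        if m:
            name = m.group(1)
            return None if name.startswith("(NONE)") else name
    return None


def is_rc4(cipher_name):
    """True if the negotiated suite uses RC4 (OpenSSL names contain 'RC4')."""
    return cipher_name is not None and "RC4" in cipher_name.upper()


def probe_rc4(host, port=443, timeout=10):
    """Offer the server only RC4 suites.  Returns (accepts_rc4, cipher_or_None).

    Raises RuntimeError when the local OpenSSL has no RC4 suites to offer,
    so an untestable host is never silently reported as "RC4 disabled".
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-cipher", "RC4"]
    proc = subprocess.run(cmd, input="Q\n", capture_output=True,
                          text=True, timeout=timeout)
    out = (proc.stdout + proc.stderr).lower()
    if "no cipher match" in out or "error setting cipher list" in out:
        raise RuntimeError("local openssl build has no RC4 suites; cannot probe")
    cipher = negotiated_cipher(proc.stdout + proc.stderr)
    return is_rc4(cipher), cipher


if __name__ == "__main__":
    import sys
    # Offline demonstration on the captured sample, then a live probe if a host is given.
    print("sample output negotiated:", negotiated_cipher(SAMPLE_OUTPUT))
    for host in sys.argv[1:]:
        try:
            accepts, cipher = probe_rc4(host)
            print(f"{host}: accepts RC4 = {accepts} ({cipher})")
        except RuntimeError as exc:
            print(f"{host}: {exc}")
```

Run it as `python rc4probe.py your.server.example` (hostname is a placeholder). A result of `accepts RC4 = False` with cipher `None` means the server refused the RC4-only offer, which is the state you want after dropping RC4 from its configuration.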
If no usable cipher remains, you will get this typical error when you connect to an RC4-only website in Firefox:
The connection was reset
The connection to the server was reset while the page was loading.
3 Disabling in Chrome
As for Chrome (currently 31.0.1650.57 stable), you will need to launch it with:
--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
in order to disable the following four ciphers:
Spec | Cipher Suite Name | Key Size | Description |
---|---|---|---|
(00,04) | RSA-RC4128-MD5 | 128 Bit | Key exchange: RSA, encryption: RC4, MAC: MD5. |
(00,05) | RSA-RC4128-SHA | 128 Bit | Key exchange: RSA, encryption: RC4, MAC: SHA1. |
(c0,07) | ECDHE-ECDSA-RC4128-SHA | 128 Bit | Key exchange: ECDH, encryption: RC4, MAC: SHA1. |
(c0,11) | ECDHE-RSA-RC4128-SHA | 128 Bit | Key exchange: ECDH, encryption: RC4, MAC: SHA1. |