
I disabled all cipher suites in Firefox; why am I still able to connect to some https:// sites?

  • 4 replies
  • 1 has this problem
  • 2 views
  • Last reply by bennetthaselton


I was experimenting with whether I could disable certain cipher suites in Firefox in order to force a remote website to negotiate a different one. However I found that if I went into about:config and searched for settings with "ssl3" in the name, and set ALL of them to false (security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, etc. -- there were 15 of them), I am still able to connect to https://www.instagram.com/, https://www.google.com/, and https://www.paypal.com/ with no error, even after restarting.

However, https://support.mozilla.org/ does give me the "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" error. On the other hand, https://www.mozilla.org/ works with no error. I cannot discern any pattern as to why some sites work and some don't, even after disabling all cipher suites. Why are *any* of them accessible?


Selected solution

Problem solved. I figured if you can't disable cipher suites properly, this might qualify as a security bug, so I submitted it here and got a response: https://bugzilla.mozilla.org/show_bug.cgi?id=1631240 Basically, the cipher suite settings in about:config only apply to TLS 1.0 through 1.2 connections. The configuration options for TLS 1.3 connections are not listed in about:config. So the websites which continued to work for me (after I thought I disabled "all" cipher suites) were TLS 1.3 sites.

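The split described in the selected solution (one cipher list for TLS 1.2 and below, a separate one for TLS 1.3) can be reproduced with Python's ssl module, which sits on OpenSSL and has the same two lists. This is an added example, not code from the thread or from Firefox; the server cipher lists in it are constructed, and `negotiate()` is a simplified stand-in for the real handshake.

```python
import ssl

# OpenSSL keeps two cipher lists: set_ciphers() edits the TLS <= 1.2 list
# (the counterpart of Firefox's security.ssl3.* prefs); TLS 1.3 suites are
# kept separately and are not touched by it.
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def offered_suites(tls12_cipher_string):
    """Return (tls12_and_older, tls13) suite names a client context would offer."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(tls12_cipher_string)  # only affects the TLS <= 1.2 list
    legacy, tls13 = [], []
    for c in ctx.get_ciphers():
        (tls13 if c["protocol"] == "TLSv1.3" else legacy).append(c["name"])
    return legacy, tls13


def negotiate(client_suites, server_suites):
    """Pick the first server suite the client also offers; None means no overlap
    (the situation Firefox reports as SSL_ERROR_NO_CYPHER_OVERLAP)."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)


def empty_tls12_list_rejected():
    """OpenSSL refuses to leave the TLS <= 1.2 list empty: a cipher string
    matching nothing raises SSLError instead of disabling everything."""
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers("NO-SUCH-SUITE")  # constructed, matches no suite
    except ssl.SSLError:
        return True
    return False


# Constructed server cipher lists, standing in for a TLS 1.3 site and a
# TLS 1.2-only site; not real server configurations.
TLS13_SERVER = ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]
TLS12_SERVER = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]


def run_experiment():
    """Restrict the TLS <= 1.2 list to a single suite and see which 'site' still connects."""
    legacy, tls13 = offered_suites("ECDHE-RSA-AES128-GCM-SHA256")
    client = legacy + tls13
    return {
        "legacy_left": legacy,                              # exactly one suite
        "tls13_left": tls13,                                # untouched
        "tls13_server": negotiate(client, TLS13_SERVER),    # still connects
        "tls12_server": negotiate(client, TLS12_SERVER),    # None: no overlap
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(key, value)
```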

All replies (4)


I was able to enter some pages, but when I asked for new web pages (pages that I had never visited) it prompted me with the error. Maybe the certificates have some kind of cache.


@Markel that's what I thought too. However, this still looks like buggy behavior, because even if the website's public key certificate is *cached*, the public key certificate is just used to establish the initial connection, and from that point on, the connection is still encrypted using one of the listed cipher suites. Therefore if you disable all of the cipher suites, the connection should still be impossible.


Did you close and restart Firefox after disabling the cipher suites?

You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.

  • hold down the Shift key and left-click the Reload button
  • press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows, Linux)
  • press "Command + Shift + R" (Mac)
