Why isn't youtube working anymore without setting "security.ssl3.rsa_rc4_128_sha" back to true?
After it turned out rc4 is not safe anymore, I changed all security.ssl3-variables containing the substring rc4 to false. Everything was still working fine, including youtube. But 2-3 weeks ago, youtube started to make problems: about 70% of the time, the first video clicked on, gave back an error. I had to delete the cookie (although I'm not sure if this was really necessary) and reload the page. After some tries it would eventually work and so did all following video-requests, until I closed firefox (and thus deleted the cookie) or deleted the youtube-cookie. It was kind of annoying, but the videos were always played after a couple of tries. Since the middle of this week, the described method is not working anymore. I figured out, that now I have to allow rc4 again, by changing "security.ssl3.rsa_rc4_128_sha" back to true. I am not sure if the error is due to firefox or google/youtube. I meen why would google downgrade to only allowing an insecure encryption-method? On the other hand: were there any updates in firefox affecting rc4?
So my questions are: on which side is the bug? And are there any secure workarounds to ban rc4 again, while still using youtube?
Chosen solution
That is a problem with the server that hosts the video files and Google has chosen to only support this one cipher suit (speed issues?) although the server supports TLS 1.2 according to the test report, but I do not know if that makes a difference as opposed to using SSL3.
Read this answer in context 👍 4All Replies (10)
Google doesn't use a RC4 cipher suite when accessed with a recent version of Firefox. As of FF 27 TLS 1.2 is supported and negotiated.
https://www.ssllabs.com/ssltest/analyze.html?d=www.youtube.com&s=173.194.115.14
You probably messed up your security settings. Restore the defaults for the things you changed and try again.
Alternatively try with a new profile.
It is possible that there are ads displayed that come from server that only works with such older cipher suits and refreshing a few times can select an ads that comes from a different server.
There are still severs with such old software as I sometimes see that loading a CSS file that is hosted on such a server fails to load causing the page to show without CSS rules applied.
@christ1: I didn't change any security settings in the last couple of weeks. Therefore the fault has to be in an Firefox or youtube-Update. It worked fine until 2-3 weeks ago with following changed settings (only the ones made in about:config):
- browser.cache.disk.enable . . . . . . . . . . . . true -> false
- browser.cache.memory.enable . . . . . . . . . true -> false
- browser.display.use_document_fonts . . . . 1 -> 0
- browser.sessionhistory.max_entries . . . . . 50 -> 10
- dom.storage.enabled . . . . . . . . . . . . . . . . true -> false
- network.http.sendRefererHeader . . . . . . . 2 -> 0
- security.ssl3.ecdhe_ecdsa_rc4_128_sha . true -> false
- security.ssl3.ecdhe_rsa_rc4_128_sha . . . true -> false
- security.ssl3.rsa_rc4_128_md5 .. . . . . . . . true -> false
- (security.ssl3.rsa_rc4_128_sha .. . . . . . . . true -> false)
@cor-el: If this was the case, I would have experienced these problems after changing all rc4-variables to false. But it worked all fine for months...
Furthermore it wouldn't explain, why videos were only played after a couple of tries 1-3 weeks ago and aren't played at all as of this week.
If it is a problem with youtube or their ad-servers, why did they downgrade to only allowing rc4? And is it even possible, to use youtube right now, with security.ssl3.rsa_rc4_128_sha being set to false?
Modified by httpssl
I don't really see the point disabling RC4 cipher suites. If this is the best cipher suite a server negotiates, disabling it in FF will make things only worse.
Having said that, your Youtube issues are probably not related to SSL/TLS. It's more likely you have issues with cookies/cache or with Flash.
Another possibility is that contents get blocked by add-ons like AdblockPlus, NoScript, etc.
As previously suggested, try a new profile and see what happens.
I have read, that it is safer to disable RC4, as it is not considered safe anymore, and thereby forcing the server to use another ssl-method. If I used another profile, youtube would work, but only because security.ssl3.rsa_rc4_128_sha would be set to true. It would have the same effect, as setting security.ssl3.rsa_rc4_128_sha back to true in my current profile.
The whole point is to force the server to use a safe ssl-method instead of rc4, by banning its use in Firefox, which, as I said earlier, worked fine until 2-3 weeks ago.
I can confirm that you need to enable security.ssl3.rsa_rc4_128_sha to make YouTube work, otherwise I get an error that the video is not available.
Apparently there is a server that needs to be accessed and that has old software and that only works with this RC4 cipher.
You can consider to use a second (separate) to view those YouTube videos.
Only one Cipher Suite available:
Cipher Suites (sorted by strength; the server has no preference) TLS_RSA_WITH_RC4_128_SHA (0x5)
Thanks cor-el! So, basicly I can choose between using a second profile or another browser for youtube, which allows rc4, or, easier but less safe, use a http-connection.
Is there any explanation, on why google/youtube downgraded to only allowing the use of the unsafe ssl-method rc4?
Chosen Solution
That is a problem with the server that hosts the video files and Google has chosen to only support this one cipher suit (speed issues?) although the server supports TLS 1.2 according to the test report, but I do not know if that makes a difference as opposed to using SSL3.
I have the same problem. The point is not that youtube downgraded the servers. The thing is that they now force https.
That is assumption and guesswork on your part. It could quite easily be that the servers are miss-configured accidentally or maliciously in order to track youtube users.
I would escalate this issue to Google and get an authoritative answer from them