Does anyone know how soon before Firefox is no longer subject to Logjam?
Just a quickie for the development team. Have several individuals asking me how long before the Logjam vulnerability in Firefox is fixed? Thanks
All Replies (6)
It will be fixed in either Firefox 38.0.5 (which comes out in two weeks) or 39 (two weeks after that) depending on how quickly Security teams can review the fix.
Temporary workaround is to disable the insecure ciphers as follows:
(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered.
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)
That's it, you can test on this page: https://www.ssllabs.com/ssltest/viewMyClient.html
Hi, my Firefox version is 35.0.5 but if I check this browser version against https://weakdh.org/, this version is still coming up as vulnerable. Please advise if there is a continued issue with 35.0.5, or if there shouldn't be, what diagnostic information is required to figure out what's going on.
The fix for Logjam will be in Firefox 39, coming out in two weeks.
If you'd like to patch Firefox in the meantime, you can install https://addons.mozilla.org/en-US/firefox/addon/disable-dhe (note this add-on won't be necessary after Firefox 39 comes out)
Note that all this extension does is disable the two involved cipher suites by setting the above-mentioned prefs to false.
- security.ssl3.dhe_rsa_aes_128_sha
- security.ssl3.dhe_rsa_aes_256_sha
You can easily do this in any Firefox version on the about:config page.
- Bug 1138554 - NSS accepts export-length DHE keys with regular DHE cipher suites
Thanks, I did the about:config settings change. Appreciate it.
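Added example, not part of the original thread and not Mozilla code: a small Python check that reads a profile's preference files and reports whether the two DHE preferences named above are still enabled. It assumes the standard Firefox profile files `prefs.js` and `user.js` (not mentioned in the thread), treats a preference that appears in neither file as still `true`, and runs on constructed sample content.

```python
import re

# The two preferences named in this thread; per the thread they are true until changed.
DHE_PREFS = (
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
)

# Matches boolean lines such as: user_pref("name", false);
# Anchored at line start, so commented-out lines are ignored.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.MULTILINE
)

def parse_prefs(text):
    """Return {name: bool} for boolean user_pref() lines; later lines win."""
    return {name: value == "true" for name, value in PREF_LINE.findall(text)}

def dhe_status(prefs_js="", user_js=""):
    """Effective value of each DHE pref. user.js is applied over prefs.js at
    startup; a pref absent from both is assumed to be true (still enabled)."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return {name: effective.get(name, True) for name in DHE_PREFS}

def still_enabled(prefs_js="", user_js=""):
    """Names of the DHE prefs that have not been switched to false."""
    return [name for name, on in dhe_status(prefs_js, user_js).items() if on]

# Constructed sample content: only the 128-bit suite was really disabled;
# the 256-bit line is commented out, so it has no effect.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "about:home");
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
'''
SAMPLE_USER_JS = '''
// user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
'''

if __name__ == "__main__":
    for name in still_enabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print("still enabled:", name)
```

To check a real profile, pass the text of its `prefs.js` and `user.js` to `still_enabled()`; an empty list means both suites are switched off.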