Securing your browsers: Firefox

As a continuation of my previous post, I will now show you how to use secure settings with your Firefox browser. We still have to do the following:

• Disable SSLv3 (this counters POODLE)
• Disable RC4 cipher suites as much as possible
• Disable SHA1 cipher suites as much as possible
• Disable DES3 cipher suites as much as possible

I will use the most current version of Firefox, which is version 34.0(.5) as of now. The development team decided it was time to drop SSLv3 support by default, so they conveniently  took care of the first point.

To get to the security settings, open the about:config page in the address bar. Take notice of the warning and proceed. Now type ‘ssl’ in the search box that has appeared and press Enter. You will see all SSL related settings. On the bottom of your page are the cipher suites. The last column indicates if the cipher suite is enabled or not. True is enabled, false is disabled.

Again, I have tested several cipher suites in the last months and have come to a workable situation. I advise you to disable the following settings starting from the bottom:

• security.ssl3.rsa_rc4_128_md5;false
• security.ssl3.rsa_camellia_256_sha;false
• security.ssl3.rsa_camellia_128_sha;false
• security.ssl3.ecdhe_rsa_rc4_128_sha;false
• security.ssl3.ecdhe_rsa_des_ede3_sha;false
• security.ssl3.ecdhe_ecdsa_rc4_128_sha;false
• security.ssl3.dhe_rsa_des_ede3_sha;false
• security.ssl3.dhe_rsa_camellia_256_sha;false
• security.ssl3.dhe_rsa_camellia_128_sha;false
• security.ssl3.dhe_dss_aes_256_sha;false
• security.ssl3.dhe_dss_aes_128_sha;false

Some will be disabled by default.

In addition, I advise you to enable the following cipher suites, again starting for the bottom of the page. These are cipher suites that can provide Perfect Forward Secrecy and are not (publicly) know to have been compromised:

• security.ssl3.rsa_rc4_128_sha;true (fallback cipher suite)
• security.ssl3.rsa_aes_256_sha;true (fallback cipher suite)
• security.ssl3.ecdhe_rsa_aes_256_sha;true
• security.ssl3.ecdhe_rsa_aes_128_sha;true
• security.ssl3.ecdhe_rsa_aes_128_gcm_sha256;true
• security.ssl3.ecdhe_ecdsa_aes_256_sha;true
• security.ssl3.ecdhe_ecdsa_aes_128_sha;true
• security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256;true
• security.ssl3.dhe_rsa_aes_256_sha;true
• security.ssl3.dhe_rsa_aes_128_sha;true

Additionally, you can disable ssl3.rsa_aes_128_sha too in favor of ssl3.rsa_aes_256_sha, ssl3.dhe_rsa_aes_128_sha in favor of ssl3.dhe_rsa_aes_256_sha and ssl3.ecdhe_ecdsa_aes_128_sha in favor of ssl3.ecdhe_ecdsa_aes_256_sha. Almost all servers support the 256bit version if the 128bit version is also offered, so this way I force the one with the strongest encryption. Mind you, I have not tested this thoroughly.

Firefox will prefer other cipher suites before ssl3.rsa_rc4_128_sha, so this will really act as a fallback cipher suite. Your result should be similar to this:

Now, to check SSLv3 is disabled, type in ‘tls’ in the search box. You will see the setting security.tls.version.min;1. It should have the value ‘1’. Value ‘0’ will allow SSLv3.

You can test your browser and the cipher suites it uses here or here. It should be these:

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_RC4_128_SHA

or these:

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_RC4_128_SHA

Next post will handle the same settings for Internet Explorer.