PFS in Firefox

Tags: crypto, pfs,

Added: 2014-05-08T00:00

PFS in Firefox

During an SSL negotiation, SSL clients suggest a list of ciphers to the server, but the server can pick one with lower security than you'd perhaps like.

If you want to ensure that Firefox only uses PFS-enabled ciphers to connect to websites, you can manually disable all the other ones.
I don't know of any plugin to make this process nicer - if you do, please tell me.

To always use PFS, you want to disable any SSL ciphers that aren't "ephemeral" - ones that don't use Diffie-Hellman Ephemeral (DHE) or Elliptic-curve Diffie-Hellman Ephemeral (ECDHE).
It would make sense at the same time to disable weak ciphers (DES, RC4), and small key sizes (64, 128 bit).

In Firefox go to about:config
Search for _rc4, and change them all to false.
Do the same with _des, _128, _dss, _seed and _md5

Now change the filter to security.ssl, and review. The only enabled ciphers should be:
dhe/ecdhe, rsa/dss, aes/camellia 256 sha.

You can check when ciphers are now supported by your browser at the very good SSL Labs site.

Once you have done this, you can be sure that you'll be using a PFS cipher. However, you may encounter websites that don't support any of your enabled ciphers. This will cause an SSL error, and mean you're unable to connect. Examples of this are Wikipedia or Lloyds Bank online.
Both of these don't support any PFS ciphers. As the SSL Labs Server test says, this is "NOT DESIRABLE".

Your options are either to not use the site, or to enable a cipher that the site supports (such as security.ssl3.rsa_aes_256_sha).

I'd much prefer a plugin that allowed you to specify the order of ciphers to use, with a warning if it was not one of the desired ones.

If you run a webserver, please check that you enable PFS ciphers. If you're particularly strict, you might even want to only allow PFS ciphers (although this will prevent people with older browsers from being able to use your site).

Posted by Calum on 2014-05-08T00:00 under: crypto, pfs,
Add a comment

Your IP:
Please enter 3891944 here: