firefox 25 is out

Discussion in 'other software & services' started by mantra, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah I just found out HTML5 is indeed working without that addon, so I've removed it.

    I'm REALLY liking Firefox right now! Awesome improvements! I'd like to see them focus on ironing out bugs/improving upon what's already here instead of looking to change things and reinvent the wheel. Because what they have right now is a very good thing. I'd like to see a 25.1, 25.2, etc... instead of a 26.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    I'm just learning about FIPS. Do you have it enabled in Firefox settings or only in the Calomel extension? Is it FIPS and/or PFS that's breaking one of your sites? Do you think enabling FIPS makes for better security over all?

    OK, enabled FIPS in Firefox and also in Calomel SSL. Unfortunately I can't also use the "Perfect Forward Secrecy ciphers" option in Calomel since it breaks my bank site.
     
    Last edited: Oct 29, 2013
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    It's either FIPS and/or PFS that it can't match. So the only option is to disable it temporarily for that site and use its own (inferior) encryption.

    And the really disconcerting thing is that this website is Paypal, of all things. I would expect more from them.

    I also have to do it on Amazon to get things to display properly. The site works (technically), but the page is gibberish until I toggle it off.
     
  4. niki

    niki Registered Member

    Joined:
    Jun 9, 2010
    Posts:
    365
    Thanks ronjor. I'll take the outcome with a grain of salt though. Below are the scores of my 3 browsers.

    IE10: 320 + 6 bonus points
    Firefox v 25.0: 414 + 14 bonus points
    Palemoon 24.0.2: 434 + 14 bonus points
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    Yeah, I'm seeing that on Amazon.com too. I need to toggle off the FIPS option in Calomel and restart the browser for the site to display properly.
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    I have been testing some with Calomel and it can be a useful tool. Wilders for example prefers RC4 without forward secrecy while it also offers AES with forward secrecy. I also noticed that you can use FIPS mode only and FIPS+Forward Secrecy, but not FS alone, if you restart FF after enabling it, it is disabled again, and if you already had both enabled and then only disable FIPS but not FS, both are disabled after FF restart.
    IMO the FIPS mode is a bit aggressive, as it only allows AES 256 bit, so not only does it disable RC4, it also disables Camellia (both 128 and 256 bit) which is comparable to AES, and it also disables AES 128 bit. Of all the disabled ciphers, all variants are disabled, including ones that offer FS.

    Btw, Cipherfox has been updated as well, you can now set it to show the full cipher, which is handy to always be able to view it without having to click anything, and if you right-click the displayed cipher, there is a handy option to analyze the current website with SSLlabs.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    Thanks for the details. I noticed Cipherfox wasn't working with v25 so I removed it, but the new version is working fine and better than before :thumb:

    Regarding web security it seems to me the browsers are way ahead of most of the websites. It's not much help having TLS 1.2 support in FF if my bank and PayPal and Amazon, etc, etc, don't support it. Hopefully they will catch up.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    After further review, about half of the videos on Youtube don't work with just the native HTML5. So I've once again added the addon "YouTube ALL HTML5"
     
  10. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    Is there an advantage to playing Youtube video with HTML 5 Vs flash?
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    I'd love to be able to escape all the cpu issues I get with flash videos... maybe that's possible?
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    HTML5 is lighter, seems more stable, and I believe it is more secure. I no longer have videos freezing, lagging or restarting on me as I once did. It doesn't try to store things on your computer like Adobe Flash did, at least to my knowledge, like Flash/Super cookies. It's less cumbersome. Not a separate entity on your box that you must maintain and update, built into the browser and updates with it, AFAIK.

    And I just like that there's a choice now period. Before it was like Adobe had a monopoly going... there was no alternative but to use its flash player.
     
  14. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    Try SMPlayer.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    It would be great if someone created an addon with different enabled cipher profiles that redoes the TLS handshake with another cipher profile when the current fails to connect. For a basic example you create 3 profiles, one with only AES-GCM ciphers enabled (once supported by FF), one with AES and Camellia and one with RC4. If you then connect to a server that has 3 ciphers enabled with RC4 as preferred cipher, second Camellia and third AES-GCM, then you will end up with an AES-GCM connection. But if the connection fails because the server only supports RC4 or Camellia, then the browser will automatically retry with the second and if necessary again with the third cipher profile. More profiles could be added and edited to prefer Forward Secrecy ciphers etc. So it is basically like Calomel's FIPS and FPS modes, but much more expansive and should the connection fail because the server doesn't support better ciphers, the handshake is automatically retried until a matching profile is found. That way any webpage will load normally, only the ones with weak ciphers will have a slightly longer loading time. That could even perhaps be remedied with some sort of cache that remembers the matching profile and also the supported cipher list from the server so the cache can be automatically updated should the server update to stronger ciphers.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    Will you be working on this? :)

    How does it work now? If both the website and the browser are able to connect using more than one standard how do they sort out which one to use?
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    Unfortunately I can't, I don't know how as I'm not a developer.

    Usually in order of server preference, here's an example of SSLlabs analysis of Wilders:
    Untitled2.png
    So in this case, if the browser supports all ciphers, TLS_RSA_WITH_RC4_128_SHA will be chosen, if it doesn't support that, then TLS_RSA_WITH_AES_128_CBC_SHA will be chosen etc. Sometimes the server has no preference, then the order of preference from the browser will be used. (You can view your browser's preference at the SSL Client test: https://www.ssllabs.com/ssltest/viewMyClient.html)
    So it seems with the current standards for HTTPS connections, the only way to ignore the server's order of preference is by disabling ciphers in your browser, by doing it manually or using something like Calomel.
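
The selection rule described in this post and the profile-retry idea proposed earlier in the thread (post 15), modeled as an added example that is not part of the original thread. The profile names, the browser offer and the server lists are constructed assumptions, and the model ignores protocol versions and certificate key types.

```python
# Simplified model of TLS cipher-suite selection (added illustration).
# Suite names are IANA names; all lists below are constructed samples.
RC4 = "TLS_RSA_WITH_RC4_128_SHA"
AES_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"
CAMELLIA = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"
AES_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Constructed "stock browser" offer, in client preference order.
BROWSER_DEFAULT = [AES_GCM, AES_CBC, CAMELLIA, RC4]

# Hypothetical client profiles from the proposal, strongest first.
PROFILES = [
    ("gcm-only", [AES_GCM]),
    ("aes-camellia", [AES_CBC, CAMELLIA]),
    ("rc4", [RC4]),
]


def negotiate(client_offer, server_suites, server_has_preference=True):
    """Return the suite a single handshake selects, or None if it fails."""
    if server_has_preference:
        # Server walks its own list and takes the first suite the client offered.
        ordered, other = server_suites, client_offer
    else:
        # No server preference: the client's order decides.
        ordered, other = client_offer, server_suites
    for suite in ordered:
        if suite in other:
            return suite
    return None  # no suite in common, the handshake is rejected


def connect_with_fallback(server_suites, profiles=PROFILES):
    """Retry with the next profile on failure.

    Returns (profile_name, suite, handshakes_attempted).
    """
    attempts = 0
    for name, offer in profiles:
        attempts += 1
        suite = negotiate(offer, server_suites)
        if suite is not None:
            return name, suite, attempts
    return None, None, attempts


if __name__ == "__main__":
    rc4_first = [RC4, CAMELLIA, AES_GCM]  # constructed server preference list
    print("all suites offered:", negotiate(BROWSER_DEFAULT, rc4_first))
    print("profile fallback:  ", connect_with_fallback(rc4_first))
    print("RC4-only server:   ", connect_with_fallback([RC4]))
```

Any retry-on-failure scheme can be pushed toward its weakest profile by anything on the network path that makes the stronger handshakes fail, so the last profile in the list sets the real security floor.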
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    Very informative, thank you!
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,014
    Thanks... I was thinking of streaming flash video mostly, from various web sites... I guess VLC is another option for video in general too....
     
  20. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thanks! Good to know.
     
  21. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    572
    Firefox 25 is not remembering exclusions for popup blocker if set when a popup is being blocked. I have to reopen firefox and then add the site manually under exclusions to make it remember.
     
  22. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    466
    Sorry, I read this 3 times and am still not sure what I should do - can anyone explain in newbie terms what I should do to make FF more secure? :D

    thanks
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    If you want it more secure you can go to about:config in your address bar and disable SSL 3 by setting security.tls.version.min to 1. This however makes only a very tiny difference as TLS 1.0 is still insecure. You can disable TLS 1.0 as well by setting that value to 2, but that will break very many sites as there are still tons who don't support newer TLS versions.
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,237
    Location:
    USA
    As BoerenkoolMetWorst said enable TLS 1.2 - you do this by entering "about:config" in the address bar so you can access the advanced settings and entering TLS in the search bar to bring up the TLS max setting to change. By enabling TLS 1.2 Firefox will be able to negotiate a connection more securely with websites that employ TLS 1.2. Also changing the minimum TLS setting from "0" to "1" prevents Firefox from using SSL 3.0 - you gain a little more security without generally causing problems.

    Here are the complete settings strings:

    security.tls.version.max = 3
    security.tls.version.min = 1

    By default "max" will be "1" and min will be "0". Double click the entries and change max to 3 and min to 1.

    For additional security you can also try using the HTTPS finder, HTTPS Everywhere, Perspectives, and Calomel SSL Validation extensions.
     
    Last edited: Nov 2, 2013
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space