firefox 25 is out

Discussion in 'other software & services' started by mantra, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,152
    hi
    firefox 25 is out
    sadly again can't find the change logs

    you can get it here

    all languages
    _ftp://ftp.mozilla.org/pub/firefox/releases/25.0/win32/

    English
    _ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/25.0/win32/en-US/Firefox%20Setup%2025.0.exe

    maybe someone can find the changelogs

    cheers
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
  3. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    v25 is being offered through the internal updater already - nice. Supposedly this version supports TLS 1.2, but that's not mentioned on the phoronix page. We need BoerenkoolMetWorst to check it out for us :)

    Edit:

    TLS defaults are still 1 and 0

    security.tls.version.max = 1
    security.tls.version.min = 0
     
    Last edited: Oct 29, 2013
  4. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,135
    Location:
    R.I.P. Roger(roddy32)
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Yes, TLS 1.1 and 1.2 are still disabled by default :doubt:

    They do now finally show details on the used SSL cipher:
    Untitled.png
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    I wonder if forcing TLS to max=2 and min=1 works now? And by the way there's an update for Calomel SSL Validation.
     
  7. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,135
    Location:
    R.I.P. Roger(roddy32)
    Is there a real benefit to changing this? Thanks
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I don't know why it shouldn't work, I have it to max=3 for quite a while now.
    If you want to be sure what TLS/SSL versions and ciphers are enabled you can check it here:
    https://www.ssllabs.com/ssltest/viewMyClient.html
    https://mikestoolbox.net

    You mean enabling TLS 1.1 and 1.2 manually?
    Yes, because Beast and Crime attack only work on TLS 1.0 and SSL 3.0
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Ah, I see that TLS max needs to be set to "3" to enable TLS 1.2, thanks. I also changed TLS min to "2", but I'm seeing that SSL 3 is still enabled. Does SSL 3 need to be manually disabled and would you recommend that?

    Edit: Just noticed if I set TLS Min=2 I can't load the Bank of America website so Changed TLS Min back to 1. Maybe I should tell them to upgrade their TLS implementation? I'm sure they'd listen :cautious:

    Edit 2: Is this related at all to FIPS? Do you have FIPS enabled too?

    Edit 3: Answering my own question here: https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation
     
    Last edited: Oct 29, 2013
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    If you set TLS min to 1 or higher SSL3 will be disabled, but as noted on the test, only the highest enabled protocols can be reliably detected. Afaik TLS 1.0 is a tiny bit more secure than SSL 3, so for security you can disable it.
    Unfortunately there are still a lot of sites that don't support TLS 1.1 and/or 1.2, so if you disable SSL 3 and TLS 1.0 by setting TLS Min=2 that can break a lot of sites. Just disabling SSL 3 should be fine though. Contacting sites about it is a good incentive but big institutions are indeed less likely to listen..
    You answered it already yourself, but keep in mind that while FIPS mode is nice, it disables RC4 ciphers. Because the BEAST attack exploits a vulnerability in AES in CBC mode (which is afaik almost all commonly used AES ciphers, except the new AES in GCM mode, but support for that is even less than TLS 1.2 support), at the time it was suggested for websites to disable AES-CBC and use the older RC4. RC4 is however cryptographically weaker and not much later, a practical attack against RC4 was discovered. Also, AES-CBC is safe from BEAST in TLS 1.1 and higher. Unfortunately there are still a lot of sites that only support RC4 ciphers.

    Firefox is really lagging behind the other major browsers :(
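
Added example (not part of the thread and not Firefox's own code): a Python check that reads the `security.tls.version.min`/`max` values discussed in the posts above from a profile's `prefs.js` text and reports which protocol versions they enable. The function names and finding codes are hypothetical, the value mapping follows the settings quoted in the thread, and the sample prefs text is constructed.

```python
import re

# Value -> protocol for security.tls.version.min/max, as used in the thread
# (max=3 enables TLS 1.2, min=1 disables SSL 3.0).
PROTOCOLS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
# Firefox 25 defaults as reported in post 3; prefs.js only lists changed prefs.
DEFAULTS = {"security.tls.version.min": 0, "security.tls.version.max": 1}
PREF_RE = re.compile(
    r'^\s*user_pref\("(security\.tls\.version\.(?:min|max))",\s*(\d+)\s*\);')

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = '''\
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.max", 3);
user_pref("security.tls.version.min", 1);
'''

def read_tls_prefs(prefs_text):
    """Return effective min/max values: defaults overridden by prefs.js lines."""
    prefs = dict(DEFAULTS)
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = int(m.group(2))
    return prefs

def audit_tls_prefs(prefs_text):
    """Return (enabled protocol names, list of finding codes)."""
    prefs = read_tls_prefs(prefs_text)
    lo = prefs["security.tls.version.min"]
    hi = prefs["security.tls.version.max"]
    enabled = [PROTOCOLS[v] for v in range(lo, hi + 1) if v in PROTOCOLS]
    findings = []
    if lo > hi:
        findings.append("min-above-max")            # empty range, nothing enabled
    if lo == 0:
        findings.append("ssl3-enabled")             # SSL 3.0 can still be negotiated
    if hi < 2:
        findings.append("no-tls-1.1-or-1.2")        # only the BEAST-affected versions
    if lo >= 2:
        findings.append("tls-1.0-only-sites-fail")  # compatibility cost noted above
    return enabled, findings

if __name__ == "__main__":
    for name, text in (("defaults", ""), ("sample", SAMPLE_PREFS)):
        print(name, audit_tls_prefs(text))
```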
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    The option to disable updating using a background service is gone from the GUI..
    I can't find it in about:config, though I can't find it in about:config in v24 either.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,785
    Location:
    Texas
    Still shows here on V 25.
     


  14. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    If you install FF, using the full installer, and decline the updater installation (by doing a custom install), you don't get the background service option (because it doesn't exist!)

    I haven't ever had the option because I manually upgrade with the full installer package (not the online updater or stub installer.)
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    They have serious priority issues (see: supporting XP users)
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Link please....
     
  17. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Vulnerabilities fixed:

    Fixed in Firefox 25
    MFSA 2013-102 Use-after-free in HTML document templates
    MFSA 2013-101 Memory corruption in workers
    MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
    MFSA 2013-99 Security bypass of PDF.js checks using iframes
    MFSA 2013-98 Use-after-free when updating offline cache
    MFSA 2013-97 Writing to cycle collected object during image decoding
    MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
    MFSA 2013-95 Access violation with XSLT and uninitialized data
    MFSA 2013-94 Spoofing addressbar though SELECT element
    MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

    https://www.mozilla.org/security/known-vulnerabilities/firefox.html

    Yes, you're correct, thanks :)
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
  20. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    It isn't on its own. Mozilla have shown that their dev team just isn't anywhere near as capable as the Chromium team, and push very few changes with each release. Many releases have had random useless features (e.g. social crap) when people are sitting wondering when they will work on 64bit support, separate threads, sandboxing, TLS 1.2 support, the list goes on.

    This is what I mean by priority issues.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Ok, thanks for the explanation. I would also like to see them make faster progress implementing the latest security standards. FWIW TLS 1.2 appears to work in v25, it's just not ON by default.

    Regarding security, have a look at the latest version of the Calomel SSL Validation extension.
     
  22. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Thanks for the heads up. This is a huge update that I've been waiting for for awhile.

    And Calomel is really on the ball too, right there with an update of their own to accommodate the changes. I've been waiting to tick that box for TLS 1.2 support for awhile now, and now have. I make the mods manually in the about:config first, but look at the ticked boxes in Calomel as a way of sort of locking them in and protecting from modification.

    I have TLS max set to 3, and min to 2. SSL3 disabled. And have the FIPS and PFS boxes checked as well. All but 1 site I use is working fine with the new settings.

    And I don't see why Firefox wouldn't still put emphasis on an OS that is still being supported by Microsoft, is probably the most loved OS ever created, and still used by many people, especially businesses. I don't get why this angers people. It shouldn't prevent them from also putting priority on the newer OS's... I'm sure they have enough people working for them to handle both tasks.
     
  23. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    thx, while chrome is faster to start up and faster to run with all the addons and extensions, I trust firefox since it's open source and not nsa connected :)
     
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Does anybody know anything about whether HTML5 was integrated into this version? I've heard that it was supposed to be. As of now I'm using an addon for it. If it's no longer necessary I'd like to be able to remove it and be able to use it natively through the browser.
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,785
    Location:
    Texas