firefox 25 is out

Discussion in 'other software & services' started by mantra, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah I just found out HTML5 is indeed working without that addon, so I've removed it.

    I'm REALLY liking Firefox right now! Awesome improvements! I'd like to see them focus on ironing out bugs/improving upon what's already here instead of looking to change things and reinvent the wheel. Because what they have right now is a very good thing. I'd like to see a 25.1, 25.2, etc... instead of a 26.
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    I'm just learning about FIPS. Do you have it enabled in Firefox settings or only in the Calomel extension? Is it FIPS and/or PFS that's breaking one of your sites? Do you think enabling FIPS makes for better security over all?

    OK, enabled FIPS in Firefox and also in Calomel SSL. Unfortunately I can't also use the "Perfect Forward Secrecy ciphers" option in Calomel since it breaks my bank site.
     
    Last edited: Oct 29, 2013
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    It's either FIPS and/or PFS that it can't match. So the only option is to disable it temporarily for that site and use it's own (inferior) encryption.

    And the really disconcerting thing is that this website is Paypal, of all things. I would expect more from them.

    I also have to do it on Amazon to get things to display properly. The site works (technically), but the page is gibberish until I toggle it off.
     
  4. niki

    niki Registered Member

    Joined:
    Jun 9, 2010
    Posts:
    365
    Thanks ronjor. I'll take the outcome with a grain of salt though. Below are the scores of my 3 browsers.

    IE10: 320 + 6 bonus points
    Firefox v 25.0: 414 + 14 bonus points
    Palemoon 24.0.2: 434 + 14 bonus points
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Yeah, I'm seeing that on Amazon.com too. I need to toggle off the FIPS option in Calomel and restart the browser for the site to display properly.
     
  6. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,611
    Location:
    Outer space
    I have been testing some with Calomel and it can be a useful tool. Wilders for example prefers RC4 without forward secrecy while it also offers AES with forward secrecy. I also noticed that you can use FIPS mode only and FIPS+Forward Secrecy, but not FS alone, if you restart FF after enabling it, it is disabled again, and if you already had both enabled and then only disable FIPS but not FS, both are disabled after FF restart.
    IMO the FIPS mode is a bit agressive, as it only allows AES 256 bit, no not only does it disable RC4, it also disables Camellia (both 128 and 256 bit) which is comparable to AES, and it also disables AES 128 bit. Of all the disabled ciphers, all variants are disabled, including ones that offer FS.

    Btw, Cipherfox has been updated as well, you can now set it to show the full cipher, which is handy to always be able to view it without having to click anything, and if you right-click the displayed cipher, there is a handy option to analyze the current website with SSLlabs.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Thanks for the details. I noticed Cipherfox wasn't working with v25 so I removed it, but the new version is working fine and better than before :thumb:

    Regarding web security it seems to me the browsers are way ahead of most of the websites. It's not much help having TLS 1.2 support in FF if my bank and PayPal and Amazon, etc, etc, don't support it. Hopefully they will catch up.
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    After further review, about half of the videos on Youtube don't work with just the native HTML5. So I've once again added the addon "YouTube ALL HTML5"
     
  10. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,843
    Location:
    KEEP USA GREAT
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Is there an advantage to playing Youtube video with HTML 5 Vs flash?
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,005
    I'd love to be able to escape all the cpu issues I get with flash videos... maybe that's possible?
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    HTML5 is lighter, seems more stable, and I believe it is more secure. I no longer have videos freezing, lagging or restarting on me as I once did. It doesn't try to store things on your computer like Adobe Flash did, at least to my knowledge, like Flash/Super cookies. It's less cumbersome. Not a separate entity on your box that you must maintain and update, built into the browser and updates with it, AFAIK.

    And I just like that there's a choice now period. Before it was like Adobe had a monopoly going... there was no alternative but to use it's flash player.
     
  14. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    Try SMPlayer.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,611
    Location:
    Outer space
    It would be great if someone created an addon with different enabled cipher profiles that redoes the TLS handshake with another cipher profile when the current fails to connect. For a basic example you create 3 profiles, one with only AES-GCM ciphers enabled(once supported by FF), one with AES and Camellia and one with RC4. If a you then connect to a server that has 3 ciphers enabled with RC4 as preferred cipher, second Camellia and third AES-GCM, then you will end up with a AES-GCM connection. But if the connection fails because the server only supports RC4 or Camellia, then the browser will automatically retry with the second and if necessary again with the third cipher profile. More profiles could be added and edited to prefer Forward Secrecy ciphers etc. So it is basically like Calomels FIPS and FPS modes, but much more expansive and should the connection fail because the server doesn't support better ciphers, the handshake is automatically retried until a matching profile is found. That way any webpage will load normally, only the ones with weak ciphers will have a slightly longer loading time. That could even perhaps be remedied with some sort of cache that remembers the matching profile and also the supported cipher list from the server so the cache can be automatically updated should the server update to stronger ciphers.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Will you be working on this? :)

    How does it work now? If both the website and the browser are able to connect using more than one standard how do they sort out which one to use?
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,611
    Location:
    Outer space
    Unfortunately I can't, I don't know how as I'm not a developer.

    Usually in order of server preference, here's an example of SSLlabs analysis of Wilders:
    Untitled2.png
    So in this case, if the browser supports all ciphers, TLS_RSA_WITH_RC4_128_SHA will be chosen, if it doesn't support that, then TLS_RSA_WITH_AES_128_CBC_SHA will be chosen etc. Sometimes the server has no preference, then the order of preference from the browser will be used. (You can view your browsers preference at the SSL Client test: https://www.ssllabs.com/ssltest/viewMyClient.html)
    So it seems with the current standards for HTTPS connections, the only way to ignore the server's order of preference is by disabling ciphers in your browser, by doing it manually or using something like Calomel.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Very informative, thank you!
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,005
    Thanks... I was thinking of streaming flash video mostly, from various web sites... I guess VLC is another option for video in general too....
     
  20. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thanks! Good to know.
     
  21. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    567
    Firefox 25 is not remembering exclusions for popup blocker if set when a popup is being blocked. I have to reopen firefox and then add the site manually under exclusions to make it remember.
     
  22. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    460
    Sorry, I read this 3 times and am still not sure what I should do - can anyone explain in newbie terms what I should do to make FF more secure? :D

    thanks
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,611
    Location:
    Outer space
    If you want it more secure you can go to about:config in your adressbar and disable SSL 3 by setting security.tls.version.min to 1. This however makes only a very tiny difference as TLS 1.0 is still insecure. You can disable TLS 1.0 as well by setting that value to 2, but that will break very many sites as there are still tons who don't support newer TLS versions.
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    As BoerenkoolMetWorst said enable TLS 1.2 - you do this by entering "about:config" in the address bar so you can access the advanced settings and entering TLS in the search bar to bring up the TLS max setting to change. By enabling TLS 1.2 Firefox will be able to negotiate a connection more securely with websites that employ TLS 1.2. Also changing the minimum TLS setting from "0" to "1" prevents Firefox from using SSL 3.0 - you gain a little more security without generally causing problems.

    Here are the the complete settings strings:

    security.tls.version.max = 3
    security.tls.version.min = 1

    By default "max" will be "1" and min will be "0". Double click the entries and change max to 3 and min to 1.

    For additional security you can also try using the HTTPS finder, HTTPS Everywhere, Perspectives, and Calomel SSL Validation extensions.
     
    Last edited: Nov 2, 2013
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,611
    Location:
    Outer space
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.