Open
Bug 949564
Opened 11 years ago
Updated 4 months ago
Information about supported ciphers and preference order (about:cipher)
Categories
(Firefox :: Security, enhancement)
NEW
People
(Reporter: micmon, Unassigned)
Details
There should be a way to get information about the supported ciphers (and preference order) of the running Firefox build. I was thinking about a simple about: page like "about:cipher" which just lists the supported cipher suites in OpenSSL format.
Why is this information important? Right now it is very hard to find out which cipher suites a given version of Firefox is supposed to support (if there already is a way to get this information please tell me). This information is very useful when choosing cipher suites on the server side.
Comment 1•10 years ago
See also: I just wondered why aes128 was preferred over aes256?
Some links illustrating the reasoning behind:
- http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html
- https://briansmith.org/browser-ciphersuites-01.html
- https://wiki.mozilla.org/Security/Server_Side_TLS
I still would like to be able to see what order my current v35.0.1 Firefox uses without going to the program sources...
see also bug 430875
Comment 2•10 years ago
You should be able to find that information by doing a client ssl check on ssllabs.com:
https://www.ssllabs.com/ssltest/viewMyClient.html
Comment 3•10 years ago
Good to have a third party providing that info!
Since I have no clue who is running that site and how reliable they are, I still prefer *my* browser-client of choice to convey that info directly to me.
Anyway, ssllabs appears to be "good" for now and it hints at TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 currently being the favourite with Firefox and Chrome (https://code.google.com/p/chromium/issues/detail?id=442572 and https://code.google.com/p/chromium/issues/detail?id=58833).
Microsoft, on the contrary, prefers AES256 since April 2014 as per https://support.microsoft.com/kb/2929781
Comment 4•10 years ago
Since there are multiple other trustworthy third-parties providing that information [1][2], I really don't think it's necessary to have a dedicated about:ciphers page for that. Btw i.a. Qualys is the security company that found the 14y/o GHOST vulnerability that is currently keeping the internet on fire[3].
[1] https://www.howsmyssl.com/
[2] https://cc.dcsec.uni-hannover.de/
[3] https://www.istheinternetonfire.com/
Comment 5•10 years ago
see also Bug 1126830
Comment 6•10 years ago
You can see the enabled ciphers by searching for "ssl3" in "about:config" as per attachment 8556893 - just the apparently often server-ignored preference order is not visible with that.
Updated•2 years ago
Severity: normal → S3
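What a client-check service like the one linked in comment 2 reads from the wire, as an added example that is not part of the bug thread or of Firefox's code: the `cipher_suites` list in a TLS ClientHello is sent in the client's preference order, so parsing it on the server side recovers both the supported suites and their order. The function names and the sample ClientHello are constructed for illustration, and the names shown are IANA names (not OpenSSL names) from a small subset of the registry.

```python
import struct

# Small subset of the IANA TLS cipher suite registry (code point -> name).
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def client_cipher_order(record: bytes) -> list:
    """Return cipher suite names from one TLS ClientHello record, in the order sent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("ClientHello fragmented across records or too short")
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + hello[pos]             # skip session_id (1-byte length prefix)
    if pos + 2 > len(hello):
        raise ValueError("missing cipher_suites length")
    cs_len = struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    codes = struct.unpack_from("!%dH" % (cs_len // 2), hello, pos)
    # Unknown code points are shown as hex instead of being dropped.
    return [SUITE_NAMES.get(c, "0x%04X" % c) for c in codes]

def sample_client_hello(codes) -> bytes:
    """Constructed test input: minimal TLS 1.2 ClientHello, no extensions."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                               # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for name in client_cipher_order(sample_client_hello([0xC02B, 0xC02F, 0x0035])):
        print(name)
```

The parser handles a ClientHello that fits in a single record; a hello fragmented across records is rejected rather than guessed at.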