Open
Bug 949564
Opened 10 years ago
Updated 1 year ago
Information about supported ciphers and preference order (about:cipher)
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
NEW
People
(Reporter: micmon, Unassigned)
Details
There should be a way to get information about the supported ciphers (and preference order) of the running Firefox build. I was thinking about a simple about: page like "about:cipher" which just lists the supported cipher suits in OpenSSL format. Why is this information important? Right now it is very hard to find out which cipher suits a given version of Firefox is supposed to support (if there already is a way to get this information please tell me). This information is very useful when choosing cipher suits on the server side.
|
||
Comment 1•9 years ago
|
||
see also, just wondered why aes128 were preferred of aes256 ? Some links illustrating the reasoning behind: - http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html - https://briansmith.org/browser-ciphersuites-01.html - https://wiki.mozilla.org/Security/Server_Side_TLS I still would like to be able to see what order my current v35.0.1 firefox uses without going to the program sources... see also bug 430875
|
||
Comment 2•9 years ago
|
||
You should be able to find that information by doing a client ssl check on ssllabs.com: https://www.ssllabs.com/ssltest/viewMyClient.html
|
|
||
Comment 3•9 years ago
|
||
Good to have a third party providing that info! Since I have no clue who is running that site and how reliable they are, I still prefer *my* browser-client of choice to convey that info directly to me. Anyway, ssllabs appears to be "good" for now and it hints at TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 currently being the favourite with firefox and chrome (https://code.google.com/p/chromium/issues/detail?id=442572 and https://code.google.com/p/chromium/issues/detail?id=58833) Microsoft on the contrary prefers AES256 since april 2014 as per https://support.microsoft.com/kb/2929781
|
|
||
Comment 4•9 years ago
|
||
Since there are multiple other trustworthy third-parties providing that information [1][2], I really don't think it's necessary to have a dedicated about:ciphers page for that. Btw i.a. Qualys is the security company that found the 14y/o GHOST vulnerability that is currently keeping the internet on fire[3]. [1] https://www.howsmyssl.com/ [2] https://cc.dcsec.uni-hannover.de/ [3] https://www.istheinternetonfire.com/
|
|
||
Comment 5•9 years ago
|
||
see also Bug 1126830
|
|
||
Comment 6•9 years ago
|
||
You can see the enabled ciphers by searching for "ssl3" in "about:config" as per attachment 8556893 [details] - just the apparently often server-ignored preference order is not visible with that.
|
||
Updated•1 year ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•