Open Bug 949564 Opened 11 years ago Updated 4 months ago

Information about supported ciphers and preference order (about:cipher)

Categories

(Firefox :: Security, enhancement)

Product:
Firefox
Component:
Security
Type:
enhancement

Tracking

()

People

(Reporter: micmon, Unassigned)

Details

There should be a way to get information about the supported ciphers (and preference order) of the running Firefox build. I was thinking about a simple about: page like "about:cipher" which just lists the supported cipher suits in OpenSSL format. Why is this information important? Right now it is very hard to find out which cipher suits a given version of Firefox is supposed to support (if there already is a way to get this information please tell me). This information is very useful when choosing cipher suits on the server side.
see also, just wondered why aes128 were preferred of aes256 ? Some links illustrating the reasoning behind: - http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html - https://briansmith.org/browser-ciphersuites-01.html - https://wiki.mozilla.org/Security/Server_Side_TLS I still would like to be able to see what order my current v35.0.1 firefox uses without going to the program sources... see also bug 430875
You should be able to find that information by doing a client ssl check on ssllabs.com: https://www.ssllabs.com/ssltest/viewMyClient.html
Good to have a third party providing that info! Since I have no clue who is running that site and how reliable they are, I still prefer *my* browser-client of choice to convey that info directly to me. Anyway, ssllabs appears to be "good" for now and it hints at TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 currently being the favourite with firefox and chrome (https://code.google.com/p/chromium/issues/detail?id=442572 and https://code.google.com/p/chromium/issues/detail?id=58833) Microsoft on the contrary prefers AES256 since april 2014 as per https://support.microsoft.com/kb/2929781
Since there are multiple other trustworthy third-parties providing that information [1][2], I really don't think it's necessary to have a dedicated about:ciphers page for that. Btw i.a. Qualys is the security company that found the 14y/o GHOST vulnerability that is currently keeping the internet on fire[3]. [1] https://www.howsmyssl.com/ [2] https://cc.dcsec.uni-hannover.de/ [3] https://www.istheinternetonfire.com/
see also Bug 1126830
You can see the enabled ciphers by searching for "ssl3" in "about:config" as per attachment 8556893 [details] - just the apparently often server-ignored preference order is not visible with that.
Severity: normal → S3
Type: defect → enhancement
You need to log in before you can comment on or make changes to this bug.