[SOLVED] Ssl3 bug disable in iceweasel

stevesr0
Posts: 159
Joined: 2012-05-05 03:32

[SOLVED] Ssl3 bug disable in iceweasel

#1 Post by stevesr0 »

There has recently been reported to be a bug in ssl3 that has led to the recommendation to disable ssl3 in browsers. I have followed instructions to do so (using about:config and searching for tls and changing the item security.tls.min from a value of "0" to "1" or using an addon from Mozilla "SSL Version Control").

I am not a security or ssl expert, so check before following this suggestion.

When I did change the value from "0" to "1", nothing got broken but YMMV.

Hope that is helpful.

Steve
Last edited by stevesr0 on 2015-01-26 23:35, edited 1 time in total.

pako
Posts: 14
Joined: 2014-09-08 14:43

Re: Ssl3 bug disable in iceweasel

#2 Post by pako »

stevesr0 wrote: There has recently been reported to be a bug in ssl3 that has led to the recommendation to disable ssl3 in browsers. I have followed instructions to do so (using about:config and searching for tls and changing the item security.tls.min from a value of "0" to "1" or using an addon from Mozilla "SSL Version Control").

I am not a security or ssl expert, so check before following this suggestion.

When I did change the value from "0" to "1", nothing got broken but YMMV.

Hope that is helpful.

Steve
That's not enough, I believe:
http://web.nvd.nist.gov/view/vuln/detai ... -2014-1574


CVE-2014-1574

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.


For those who are using true firefox (instead of iceweasel), the problems are already fixed in version 33.0. Iceweasel users see:

https://security-tracker.debian.org/tra ... -2014-1574

and wait for update...

pako
Posts: 14
Joined: 2014-09-08 14:43

Re: Ssl3 bug disable in iceweasel

#3 Post by pako »

debianxfce wrote:"and wait for update..."

Why, iceweasel from sid runs fine in jessie beta 2.
It's still unclear to me if all the bugs are fixed. And it seems that the ssl3 bug
is not fixed even in Firefox 33.0 (my mistake, sorry). The correct instruction
(for firefox 33.0, where all the other bugs are fixed) can be found from:

https://blog.mozilla.org/security/2014/ ... f-ssl-3-0/

where you can find an add-on to fix the problem:

SSL Version Control 0.2 by Mozilla
Turns off SSLv3 by default, and adds a simple preference to set the minimum SSL version that Firefox will accept (in Tools / Add-ons).


https://addons.mozilla.org/en-US/firefo ... n-control/


About this Add-on
SSLv3 is now insecure, and is soon going to be disabled by default.
https://blog.mozilla.org/security/2014/ ... f-ssl-3-0/

In the meantime, you can use this extension to turn off SSLv3 in your copy of Firefox. When you install the add-on, it will set the minimum TLS version to TLS 1.0 (disabling SSLv3). If you want to change that setting later, like if you really need to access an SSLv3 site, just go to Tools / Add-ons and click the "Preferences" button next to the add-on. That will give you a drop-down menu to select the minimum TLS version you want to allow.

As of version 0.2, this add-on should work with all Mozilla products, including Firefox, Firefox for Android, Thunderbird, and Seamonkey.





For Debian/iceweasel, see

https://security-tracker.debian.org/tra ... /iceweasel

Especially about the ssl3 bug (sid fix status is unknown).

https://security-tracker.debian.org/tra ... -2014-3566

CVE-2014-3566

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

stevesr0
Posts: 159
Joined: 2012-05-05 03:32

Re: Ssl3 bug disable in iceweasel

#4 Post by stevesr0 »

@pako (and anyone else),

So, you think my comment about the virtue of disabling ssl3 in iceweasel is incorrect or a bad idea or ok but not enough to make iceweasel invulnerable <g>?

That is, at the moment, if nothing else, people should (or shouldn't) disable ssl3 (either with the Mozilla tool or manually)?

pako
Posts: 14
Joined: 2014-09-08 14:43

Re: Ssl3 bug disable in iceweasel

#5 Post by pako »

stevesr0 wrote:@pako (and anyone else),
So, you think my comment about the virtue of disabling ssl3 in iceweasel is incorrect or a bad idea or ok but not enough to make iceweasel invulnerable <g>?
That is, at the moment, if nothing else, people should (or shouldn't) disable ssl3 (either with the Mozilla tool or manually)?
Yeah, it's a good idea, but there are other issues as well (and sorry that I made myself unclear...)

As a summary (based on today's info):

If concerned about security due to the recently discovered bundle of security threats:

a1) use either firefox 33.0, or
a2) wheezy (security) 31.2.0esr-2~deb7u1 (or sid version 31.2.0esr-2) version of iceweasel, and
b) Disable ssl3 (either with the Mozilla tool or manually)

For more info:

iceweasel: https://security-tracker.debian.org/tra ... /iceweasel
Mozilla: https://blog.mozilla.org/security/
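
A way to verify the manual setting discussed in this thread, as an added example that is not part of any post: the script reads a profile's `prefs.js` and `user.js` and reports whether SSLv3 is still accepted. It uses Firefox's full preference name, `security.tls.version.min` (0 = SSL 3.0, 1 = TLS 1.0); the function names, the sample profile and the fallback default of 0 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: does a Firefox/Iceweasel profile still permit SSLv3?
# security.tls.version.min: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2

# Print the value of user_pref("security.tls.version.min", N) in file $1.
# The last matching line wins; prints nothing when the pref is not set.
tls_min_in_file() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*user_pref("security\.tls\.version\.min",[[:space:]]*\([0-9][0-9]*\)).*/\1/p' "$1" | tail -n 1
}

# Effective minimum for profile directory $1. user.js is applied after
# prefs.js at startup, so it takes precedence. $2 is the build default used
# when neither file sets the pref (assumption: 0 unless the caller says so).
effective_tls_min() {
    profile=$1
    default=${2:-0}
    value=$(tls_min_in_file "$profile/user.js")
    [ -n "$value" ] || value=$(tls_min_in_file "$profile/prefs.js")
    echo "${value:-$default}"
}

# Succeeds (status 0) when SSLv3 is still allowed, i.e. the minimum is below 1.
sslv3_allowed() {
    [ "$(effective_tls_min "$1" "${2:-0}")" -lt 1 ]
}

# Constructed sample profile (not from the thread): prefs.js still holds 0,
# user.js raises the minimum to TLS 1.0.
demo=$(mktemp -d)
printf 'user_pref("security.tls.version.min", 0);\n' > "$demo/prefs.js"
printf 'user_pref("security.tls.version.min", 1);\n' > "$demo/user.js"
if sslv3_allowed "$demo"; then
    echo "SSLv3 still allowed"
else
    echo "SSLv3 disabled (minimum = $(effective_tls_min "$demo"))"
fi
rm -rf "$demo"
```

Point the functions at a real profile directory (the one containing `prefs.js`) and pass `1` as the second argument on builds that already ship with SSLv3 disabled by default.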

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Ssl3 bug disable in iceweasel

#6 Post by craigevil »

http://forums.mozillazine.org/viewtopic ... &t=2880119

Update to 33.

iceweasel (33.0-2) experimental; urgency=medium

  * debian/control*, debian/rules: Do not build depend on gstreamer 1.0 when building a backport.
  * netwerk/base/public/security-prefs.js, security/manager/ssl/src/nsNSSComponent.cpp: Disable SSLv3 to address CVE-2014-3566. bz#1076983.

Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

stevesr0
Posts: 159
Joined: 2012-05-05 03:32

Re: Ssl3 bug disable in iceweasel

#7 Post by stevesr0 »

Thanks for replies to upgrade.

I have been using iceweasel as my primary browser in all my debian installs.

I tried to upgrade to iceweasel 31 which appeared in the wheezy security repository on 15 October.

However, the new version freezes within a few seconds of launch. I didn't analyze the error messages (I routinely launch from a terminal and didn't think about starting iceweasel in a safe mode) before uninstalling it.

Then I installed chromium from the debian repositories to have a graphical browser while I sorted out the problems with iceweasel.

Mea culpa.

I reinstalled the previous version a few minutes ago, that had been installed on this system (24.4.0esr-1~deb7u2), which has vulnerabilities. That is running ok, but I would like to use an iceweasel browser without unnecessary vulnerabilities. I may try firefox 33 as another browser - since that is so similar to iceweasel, it may be informative if it does/doesn't freeze on my system. If I understand craigevil's advice, one option is to use a version of iceweasel from a non-wheezy repository. I have read many messages here against mixing stable and nonstable repositories, so if that is the case here, I will pass on that option (appreciate clarification, if that is not the case).

I am reporting this in case there are bugs in iceweasel 31 that are causing freezes for many people. I did a routine search engine look and didn't see any other complaints about this, but... It would help me understand the nature of the problem if lots of other people have a similar issue.

I am posting it in/on this thread because iceweasel 31 is presented as one of the options to solve the ssl3 bug (in addition to other ones).

(Hope this doesn't fall in the tl;dr category <g>.)

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Ssl3 bug disable in iceweasel

#8 Post by craigevil »

or just install Firefox.

https://ftp.mozilla.org/pub/mozilla.org ... .0.tar.bz2

or
https://ftp.mozilla.org/pub/mozilla.org ... .0.tar.bz2


My personal preference is to use Firefox. But I also run Aurora not the release version.

User Agent : Mozilla/5.0 (Android; Mobile; rv:35.0) Gecko/35.0 Firefox/35.0

Milk is always better directly from the cow. :)

kreemoweet
Posts: 54
Joined: 2013-07-23 08:23

Re: Ssl3 bug disable in iceweasel

#9 Post by kreemoweet »

Or have your Iceweasel track the latest Firefox release, available here: http://mozilla.debian.net/.

stevesr0
Posts: 159
Joined: 2012-05-05 03:32

Re: Ssl3 bug disable in iceweasel

#10 Post by stevesr0 »

I may have solved my problem with upgrading to iceweasel 31.

After reinstalling the new version, I found it was seemingly having problems with an addon - virtru (an e-mail encryption application). After removing that addon today, iceweasel 31 seems to work fine.

(I posted a message about the details on this forum today, with the subject "virtru and new iceweasel in wheezy" http://forums.debian.net/viewtopic.php?f=5&t=118361.)

I will mark this solved if I don't encounter problems in the next few weeks.

Steve
