Friday, March 25, 2016

How to make Firefox more secure in a few clicks

I've messing a lot with cipher suites lately and something I always do in my firefox browsers will stop all the non forward secrecy ciphers.

What Forward Secrecy does is use a second dynamic key when encrypting your traffic. So even if the bad guys break a private key on your server's certificate at the later date your traffic is encrypted by another layer.  If you don't use forward secrecy and they capture your data and find the private key it's easy to decrypt. Wireshark will do it on the fly.

So in Firefox

type about:config in the address bar



It will bring up a warning saying be careful.  Click yes you know.

In the search box below the address bar type ssl.  Look at the bottom of the list and find the ones that start security.ssl3.rsa and double click them and will change enabled to false. You should also disable anything that mentions rc4.  The ones that have dhe are good, the ones that have ecdhe are better, and the ones that have chacha20 are best but not everything supports them.




Try you websites and you might need to re-enable some if, say your bank doesn't work.  Alternatively run your bank against this site

https://www.htbridge.com/ssl/

and let them know if they don't get a good score.

No comments: