Damn Small Linux (DSL) Forums
Author Topic: Firefox/Bon Echo needs SSL3 disabled cause of Poodle  (Read 378 times)
Veeshush
« on: October 26, 2014, 01:01:12 AM »

See: https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

Here's a test: https://www.ssllabs.com/ssltest/viewMyClient.html


Also here's some search engines to possibly add (particularly StartPage): https://prism-break.org/en/subcategories/gnu-linux-web-search/

And some addons: https://prism-break.org/en/subcategories/gnu-linux-web-browser-addons/ But I don't know if any of them would even work on Bon Echo. My thinking is that with Adblock Edge and Noscript especially, browsing would be a lot quicker on older machines that get hung up on scripts and ads. Not as fast as Dillo, but better than nothing. Just a thought, if it's even possible.

But the main thing is that SSL 3 should be disabled.
CNK
« Reply #1 on: October 26, 2014, 09:41:37 PM »

Disabling it is easy:

Edit > Preferences > Advanced > Encryption > and deselect "Use SSL 3.0" in the protocols area. I'm not too concerned about this sort of thing (if I was, I probably wouldn't be using Firefox 2 anyway), though I have just disabled SSL 3.0 because it looks like nothing uses it nowadays anyway.

Sure enough, that test website now says my browser isn't vulnerable to any stray POODLEs lurking in the interwebs (though I think the work involved in that attack would be far less than worthwhile for anyone looking at my internet data).

Actually I would rather my Email was secure than my Web browsing, though my Sylpheed logs don't make it clear what encryption method is used with my IMAP accounts. I might look into that some time, but I'm still not that fussed.


As for those plugins. I'm not going to go through that web page, but the NoScript Download Page (https://noscript.net/getit) says under "Direct Download":

"Users of Firefox 2.0 and below are urged to upgrade their very unsafe browser. For those few who can't, latest legacy-compatible NoScript version is 1.10."

With a link to V. 1.10. So that's easy.

AdBlock Edge is too new for Firefox 2.0 support, but AdBlock Plus which it's based on will work if you use the old V. 1.0.2 (https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/versions/?page=2#version-1.0.2). Though funnily enough, the Firefox website is now so broken with Firefox 2.0 that the download link doesn't seem to work.

After looking at the page's source code (one gets used to this technique after using Firefox 2 for a while these days), here's the download URL (https://addons.mozilla.org/firefox/downloads/file/51047/adblock_plus-1.0.2-fx+sm+tb.xpi).

Finally, that first web page you linked to doesn't work in Firefox 2 (it uses a later encryption method (probably TLS 1.2 or 1.1) that Firefox 2 doesn't support and for some silly reason they haven't enabled TLS 1.0 as a fallback), so here's a link to the Google cache of the page (http://webcache.googleusercontent.com/search?hl=en-AU&q=cache:RmrAAP0cnwwJ:https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack%2Bhttps://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack&gbv=2&&ct=clnk). Though of course that means revealing to Google that you are worried about angry POODLEs, and archive.org doesn't have it archived! Ahh!!! Oh, wait, there's a link to add it to the archive... The power of collective web users triumphs again! (https://web.archive.org/web/20141026212757/https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack)
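
The checkbox change described in the reply above can also be verified and pinned from the command line, which is what a distribution would do to ship the browser with SSL 3.0 off. This is an added example, not part of the original posts; it assumes the "Use SSL 3.0" and "Use TLS 1.0" checkboxes are backed by the boolean prefs `security.enable_ssl3` and `security.enable_tls` (both on by default), and the function names and status strings are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Firefox 2 / Bon Echo profile.
# Assumption: "Use SSL 3.0" and "Use TLS 1.0" are the boolean prefs
# security.enable_ssl3 and security.enable_tls, both true by default.

# Print the value of the last user_pref("NAME", ...) line in FILE, if any.
pref_value() {
    [ -f "$1" ] || return 0
    awk -v key="user_pref(\"$2\"," '
        index($0, key) == 1 {
            v = substr($0, length(key) + 1)
            gsub(/[ \t);\r]/, "", v)
            last = v
        }
        END { if (last != "") print last }' "$1"
}

# user.js is applied after prefs.js at startup, so it wins when both set a pref.
effective_pref() {
    v=$(pref_value "$1/user.js" "$2")
    [ -n "$v" ] || v=$(pref_value "$1/prefs.js" "$2")
    echo "${v:-$3}"
}

# Exit status: 0 = SSL 3.0 off and TLS 1.0 on, 1 = SSL 3.0 on, 2 = no protocol left.
audit_profile() {
    ssl3=$(effective_pref "$1" security.enable_ssl3 true)
    tls=$(effective_pref "$1" security.enable_tls true)
    if [ "$ssl3" != false ]; then
        echo "SSL3-ENABLED"; return 1
    elif [ "$tls" = false ]; then
        echo "NO-PROTOCOL"; return 2
    fi
    echo "OK"
}

# Pin the safe values in user.js so they are re-applied at every browser start.
harden_profile() {
    {
        echo 'user_pref("security.enable_ssl3", false);'
        echo 'user_pref("security.enable_tls", true);'
    } >> "$1/user.js"
}

# Usage: sh audit_ssl3.sh /path/to/profile   (the profile path is the caller's)
if [ -n "${1:-}" ]; then audit_profile "$1"; fi
```

A profile with no `security.enable_ssl3` line at all is reported as `SSL3-ENABLED`, because the absence of the pref means the default applies.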
Veeshush
« Reply #2 on: October 27, 2014, 03:19:36 PM »

Quote
Edit > Preferences > Advanced > Encryption > and deselect "Use SSL 3.0" in the protocols area. I'm not too concerned about this sort of thing (if I was, I probably wouldn't be using Firefox 2 anyway), though I have just disabled SSL 3.0 because it looks like nothing uses it nowadays anyway.

Sure enough, that test website now says my browser isn't vulnerable to any stray POODLEs lurking in the interwebs (though I think the work involved in that attack would be far less than worthwhile for anyone looking at my internet data).

More so than that too, most web servers will hopefully disable SSL3 on their end. But also obviously as you mention,

Quote
Finally, that first web page you linked to doesn't work in Firefox 2 (it uses a later encryption method (probably TLS 1.2 or 1.1) that Firefox 2 doesn't support and for some silly reason they haven't enabled TLS 1.0 as a fallback)

So if there's not a way to enable 1.1 or 1.2 then most sites are going to end up not working anyway. This is more an issue after the Snowden leaks because now more than ever are sites using HTTPS, whereas 3 years ago they wouldn't have unless they were a shopping/banking site. https://www.eff.org/https-everywhere/deploying-https (To be fair also, this is somewhat an issue with Dillo until it gets better HTTPS support http://www.dillo.org/FAQ.html#q12 )

Quote
As for those plugins. I'm not going to go through that web page, but the NoScript Download Page (https://noscript.net/getit) says under "Direct Download":

"Users of Firefox 2.0 and below are urged to upgrade their very unsafe browser. For those few who can't, latest legacy-compatible NoScript version is 1.10."

With a link to V. 1.10. So that's easy.

Yeah, at the very least having some version of Noscript would be a ton better than nothing. (thanks for that btw, I'll give it a try later)

Quote
AdBlock Edge is too new for Firefox 2.0 support, but AdBlock Plus which it's based on will work if you use the old V. 1.0.2 (https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/versions/?page=2#version-1.0.2). Though funnily enough, the Firefox website is now so broken with Firefox 2.0 that the download link doesn't seem to work.

Actually, the more I got thinking about it the more I'd try to avoid any version of Adblock for DSL. Adblock can be pretty cpu/ram heavy on modern machines at times. I think just Noscript would be the way to go.


All in all, there's probably also a ton of unpatched browser exploits that Bon Echo is vulnerable to as well. That, along with it being pretty draining on older systems with little ram compared to Dillo. Like, I can easily run the latest Firefox on another system I have, and it's just a 500mhz AMD K6 III rig with 512mb ram- yet if you have an 83mhz Pentium (which is my DSL rig) then Bon Echo chugs until you close it. I mean, I get Bon Echo was never meant to be more than what it is, but I'm just wondering if it's worth the hassle these days. (but don't confuse me in saying it should be straight out scrapped altogether, I'm just thinking out loud of all the difficulties).
« Last Edit: October 27, 2014, 03:21:28 PM by Veeshush »