Category: Chrome

Server has a weak ephemeral Diffie-Hellman public key


The other day my neighbor headed to a United Airlines-affiliated site in Chrome to book a trip and was greeted with “Server has a weak ephemeral Diffie-Hellman public key.” Full stop. She could not continue on to the site. This is occurring because there is an attack in the wild that takes advantage of a flaw in the Transport Layer Security protocol (a fancy way of saying the supposedly secure way in which a web server communicates with your browser) in order to watch your traffic. This is called a man-in-the-middle attack. Essentially it inserts itself between you and your destination and logs your conversation. You can read more about this here.

The solution is, unfortunately, out of your hands. Your browser isn’t broken; the site you’re trying to get to is. And, as evidenced by it affecting a United Airlines site, there are some heavy hitters who are vulnerable. Any site that’s running 1024-bit or less encryption needs to upgrade to 2048-bit to close the hole.

But in the meantime, what if you really, really need to get to that site? I’d tell you to try to contact the site owners and tell them to get it together, but realistically that’s not so easy (can you imagine calling United’s customer service and saying to the phone jockey who answered, “Hey, y’all need to upgrade your public keys on your site because currently it’s vulnerable to the Logjam attack and any decent browser isn’t allowing your site to resolve”? Yeah, you’ll get traction there). So how do you get to the site? So far there doesn’t appear to be a way to tell Chrome to continue. You can try switching from HTTPS to HTTP, but most likely you’re hitting a login page and will be forced back to HTTPS (and the error). You can, however, weaken Firefox to allow navigation on these sites. Open a new tab and in the address field enter:

about:config

This opens the browser’s sekrit settings.  Get past the warning, and then locate these two settings:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

By default these are set to True. Change them to False and you’ll be able to hit the affected site. I STRONGLY recommend only doing this on a site you absolutely trust, and only in situations where there’s absolutely no other recourse, and I recommend changing these back to True as soon as you’re done on that site.
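To make sure the two settings really do go back afterwards, here is a small audit of a Firefox profile's saved preferences. It is an added example, not part of the original post. It assumes the profile's `prefs.js` holds one `user_pref("name", value);` line per changed setting and that Firefox is closed before the file is rewritten; the sample file contents are constructed.

```python
import re

# The two preferences named above; the post states both default to true.
DHE_PREFS = {"security.ssl3.dhe_rsa_aes_128_sha",
             "security.ssl3.dhe_rsa_aes_256_sha"}
# prefs.js stores one user-changed preference per line in this form.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\s*\);\s*$')

def still_disabled(prefs_text):
    """Names of the DHE prefs that the prefs text still records as false."""
    hits = set()
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in DHE_PREFS:
            # If a pref appears more than once, the last value is the one kept.
            if m.group(2) == "false":
                hits.add(m.group(1))
            else:
                hits.discard(m.group(1))
    return sorted(hits)

def revert(prefs_text):
    """Return the prefs text with the DHE overrides dropped, restoring the defaults."""
    kept = []
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in DHE_PREFS:
            continue  # removing the override line puts the pref back to its default
        kept.append(line)
    return "\n".join(kept) + "\n"

# Constructed sample of a prefs.js after following the steps above.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.tls.version.min", 1);
'''

if __name__ == "__main__":
    print("still disabled:", still_disabled(SAMPLE_PREFS))
    print("after revert:  ", still_disabled(revert(SAMPLE_PREFS)))
```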

0 Day Java Exploit. How to disable Java in your browser.

A JRE exploit has reportedly hit the wild. Context here.  Some kind Redditor has posted instructions on disabling the JRE in various browsers:

  • In Firefox: Press Firefox button -> Add-ons, go to Plugins and click the “Disable” button next to anything named “Java”.
  • In Chrome: Type in: “chrome://plugins/” into the address bar (no quotes). Scroll down to Java and click disable.
  • In Opera: Type in “opera:plugins” into the address bar (no quotes). Scroll down to:
    • Java(TM) Platform <click on> Disable.
    • Java Deployment Toolkit <click on> Disable.
  • In Internet Explorer:
    • Disable UAC (if enabled) and restart.
    • Open the Java app in Control Panel.
    • Go to advanced tab.
    • Expand Default Java for browsers.
    • The checkbox next to IE is grayed out.  Select Microsoft Internet Explorer and press spacebar. Click OK.
    • You can re-enable UAC and restart now.

 

Return to Chrome

I used Chrome occasionally in the past. I liked its speed but, at the time, was put off by its lack of customization. I couldn’t surf without Firefox and its AdBlocking, XMarking, LastPassing, NoScripting powers. Visiting the web without them was a jarring experience, akin to watching “real” television – like commercials, I’d gone so long without intrusive ads, popups, hijacks and javascript silliness that I forgot they’re out there. And oh boy are they.

Fast forward a bit. XMarks announces it’s going under. Sadness ensues. Switch to Firefox sync. Fast forward a bit more. Firefox begins releasing its beta builds of FF4. Sync is built in. 4 seems delicious – and then I tried to manage my bookmarks. Slow. Painfully, mind numbingly slow. Inoperable, in fact. It seems that FF4 uses SQLite for its bookmark containment, and everything went into the shitter as of SQLite 3.7.x.

Meanwhile LastPass purchased XMarks (probably for a song, having waited until the 11th hour to do so) and Chrome has since opened up, finally supporting 3rd party plug-ins. Time to try again!

So far, so good.  Word of warning, however.  If you configure data sync in Chrome (Options > Personal Stuff > Sync) and you install XMarks, the two services will begin a bloody battle, duplicating and triplifrying your bookmarks.  From what I’ve sussed both of them insert a unique bit of unseen markup to each bookmark, effectively making them unique again and again and again.  Like this:

Xmarks: Hey!  I found a bookmark!  I’ll sync it and slip a date string in it!

GSync: Hey! I found a bookmark with a funny date string in it! It must be new – I’ll sync it and put my own bit of something in it!

Xmarks: Hey!  I found a bookmark that’s startlingly similar to the one I just synced, but it has a new little bit of something!  It must be different – I’ll add it and update its date.

GSync: Holy cow!  There’s a familiar looking bookmark – but that funny date string is different.  I should totally add that!

…and so on and so forth.  Long story short, only use one bookmark sync method lest you wind up like me, writing a script to identify and strip duplicates from your 5000 item large bookmarks list.