Category: Firefox

Server has a weak ephemeral Diffie-Hellman public key


The other day my neighbor headed to a United Airlines affiliated site in Chrome to book a trip and was greeted with “Server has a weak ephemeral Diffie-Hellman public key.”  Full stop.  She could not continue on to the site.  This is occurring because of a flaw, published in May 2015 as the Logjam attack, in how Transport Layer Security (a fancy way of saying the supposedly secure way in which a web server communicates with your browser) negotiates its ephemeral Diffie-Hellman key exchange: a server willing to use a small DH group (the old 512-bit “export” groups especially) can be downgraded to that group by someone sitting between you and the site, who can then break the key and read your traffic.  This is called a Man in the Middle attack.  Essentially the attacker inserts itself between you and your destination and logs your conversation.  Browsers responded by refusing to finish the handshake when the server’s DH group is too small, which is exactly the error above.  You can read more about this here.

The solution is, unfortunately, out of your hands.  Your browser isn’t broken –  the site you’re trying to get to is.  And, as evidenced by it affecting a United Airlines site, there are some heavy hitters who are vulnerable.  Browsers now refuse ephemeral DH groups shorter than 1024 bits, and 1024-bit groups are only grudgingly tolerated; any site still serving those needs to move its DH parameters to 2048 bits (or switch its key exchange to ECDHE) to close the hole.

But in the meantime, what if you really, really need to get to that site?  I’d tell you to try to contact the site owners and tell them to get it together, but realistically that’s not so easy (can you imagine calling United’s customer service and saying to the phone jockey who answered “Hey, y’all need to upgrade your public keys on your site because currently it’s vulnerable to the Logjam attack and any decent browser isn’t allowing your site to resolve.”  Yeah, you’ll get traction there).  So how do you get to the site?  So far there doesn’t appear to be a way to tell Chrome to continue.  You can try switching from HTTPS to HTTP, but most likely you’re hitting a login page and will be forced back to HTTPS (and the error).  You can, however, tell Firefox to stop offering the DHE cipher suites altogether, so that the server has to pick a different key exchange (plain RSA) and its weak DH group never comes into play.  Open a new tab and in the address field enter:

about:config

This opens the browser’s sekrit settings.  Get past the warning, and then locate these two settings:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

By default these are set to true.  Change them to false and you’ll be able to hit the affected site, provided the server also supports a non-DHE cipher suite (if it offers nothing but DHE, the handshake simply fails with no shared cipher instead).  Understand what you’re trading away: this doesn’t make Firefox accept the weak key, it sidesteps DHE entirely, and the RSA key exchange it falls back to has no forward secrecy, so a later compromise of the site’s private key would expose the session you recorded today.  I STRONGLY recommend only doing this on a site you absolutely trust, and only in situations where there’s absolutely no other recourse, and I recommend changing these back to true as soon as you’re done on that site.
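To make the mechanics concrete, here is an added example (my own illustration, not code from the original post or from any browser): it decodes the ephemeral DH parameters a TLS 1.2 server sends in its ServerKeyExchange, applies the size check browsers adopted after Logjam, and then walks through cipher-suite negotiation to show why switching off the two DHE prefs gets you through, and when it doesn’t.  The cipher-suite lists and byte strings are constructed for the example; the large integers are placeholders of the right bit length, not real primes.

```python
"""Added example, not code from the original post: decode the ephemeral DH
parameters in a TLS 1.2 ServerKeyExchange, apply the post-Logjam size check
(Chrome 45 / Firefox 39 reject DH groups under 1024 bits), and show why
disabling Firefox's two DHE cipher-suite prefs lets the handshake succeed.
All byte strings and suite lists are constructed; the big numbers are
placeholders of the right size, not real primes."""
import struct

MIN_ACCEPTED_BITS = 1024   # browsers abort below this (Chrome: ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY)
RECOMMENDED_BITS = 2048    # what site owners are told to move to


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """ServerDHParams (RFC 5246 section 7.4.3): dh_p, dh_g, dh_Ys, each an
    opaque<1..2^16-1>, i.e. a two-byte big-endian length then the integer."""
    out = b""
    for value in (p, g, ys):
        body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
        out += struct.pack("!H", len(body)) + body
    return out


def decode_server_dh_params(msg: bytes):
    """Return (p, g, Ys) from the front of a ServerKeyExchange body.  Bytes
    after dh_Ys (the server's signature over the params) are ignored here."""
    values, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(msg):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", msg, offset)
        offset += 2
        if length == 0 or offset + length > len(msg):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(msg[offset:offset + length], "big"))
        offset += length
    return tuple(values)


def classify_dh_group(p: int) -> str:
    """Mirror the browser's decision, which rests only on the size of p."""
    bits = p.bit_length()
    if bits < MIN_ACCEPTED_BITS:
        return "rejected"   # the error the post describes
    if bits < RECOMMENDED_BITS:
        return "weak"       # still accepted in 2015, but on borrowed time
    return "ok"


# IANA names for the suites the two Firefox prefs in the post control.
DHE_SUITES = {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
# Constructed client offer list: ECDHE first, the two DHE suites, then plain RSA.
FIREFOX_DEFAULT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", *sorted(DHE_SUITES),
                   "TLS_RSA_WITH_AES_128_CBC_SHA"]
FIREFOX_DHE_OFF = [s for s in FIREFOX_DEFAULT if s not in DHE_SUITES]  # both prefs false


def negotiate(client_offers, server_prefs, server_dh_prime: int):
    """Pick the first suite in the server's preference order that the client
    offered (server-preferred ordering is the common setup), then apply the
    browser's DH check if that suite uses ephemeral finite-field DH."""
    for suite in server_prefs:
        if suite not in client_offers:
            continue
        if suite in DHE_SUITES and classify_dh_group(server_dh_prime) == "rejected":
            return suite, "aborted: weak ephemeral DH key"
        return suite, "connected"
    return None, "failed: no shared cipher suite"


if __name__ == "__main__":
    weak_p = (1 << 511) | 1                       # 512-bit placeholder
    p, g, ys = decode_server_dh_params(encode_server_dh_params(weak_p, 2, 12345))
    print(p.bit_length(), classify_dh_group(p))   # 512 rejected
    # A server that prefers DHE but also accepts plain RSA key exchange:
    server = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print(negotiate(FIREFOX_DEFAULT, server, weak_p))   # aborted
    print(negotiate(FIREFOX_DHE_OFF, server, weak_p))   # connected via RSA, no forward secrecy
    print(negotiate(FIREFOX_DHE_OFF, ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"], weak_p))  # no shared suite
```

If you have OpenSSL 1.0.2 or later handy, you can see a real server’s group size with `openssl s_client -connect host:443 -cipher DHE` and look for the “Server Temp Key: DH, N bits” line; anything under 1024 is what trips the browser error.  The same two prefs can also be set from a user.js as `user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);` and `user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);`, which is handy if you want to flip them back reliably afterwards.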

Tracking Protection in Firefox – let it help you

By turning on tracking protection in Firefox you’ll not only get some help in blocking sites known to track their visitors, but you’ll reduce your page load time.  Win win!

  1. In the URL/Location bar in Firefox, enter about:config and hit enter.
  2. You’ll get a friendly warning that you’re poking around under the hood.  Promise to be careful to continue.
  3. Search for privacy.trackingprotection.enabled and set it to True.

That’s it!

TTRSS

I love me some TTRSS.  Ever since Google shuttered their RSS feed reader I’ve been using it.  It’s nice to not be beholden to another provider for RSS content management.  It’s also a well supported little free system. I definitely recommend it.  The support forums, however, can be pretty rough on the less savvy crowd.  Hell, there’s an entire sticky thread dedicated to a discussion about how the place is overrun with assholes.  If you go there you’ll get help, but make sure you’ve done your due diligence first.

When I upgraded to the latest version of TTRSS (v1.12) my views went all wonky.  The Mark As Read button was hidden from the top bar and things generally looked assy.  What I discovered is that Firefox (speaking of – FF 28 sure has been crashing a lot) had cached some style settings and mixed the old with the new, creating a mess.  Hitting SHIFT+F5 while on the site cleared it all up lickety split.

Firefox download warning when closing browser

More than once I’ve closed Firefox whilst in the midst of a download that cannot be resumed.  When I do it, it makes me crazy.  But the fix is easy.

  1. Get to the Firefox config info by typing about:config in the URL line of the browser.
  2. Seek out the line browser.download.manager.quitBehavior
  3. Set its pref from 0 to 2.


On Privacy

Online privacy’s been a thing for me for years now.  Not because I’m doing anything “wrong,” but simply because I feel it’s my right – and your right – not to be snooped on.

I don’t pretend to be an expert at this (or at anything, for that matter), but here are a few things I use and recommend to try to keep prying eyes away:

Use Firefox.  I used to be a Chrome fan, but Google’s a big part of the problem.  No organization is perfect, but Mozilla – thus far – seems much more interested in our individual well being than that of any other browser offering.  And the very first step in locking down Firefox is to navigate to Tools > Options > Privacy and choose “Tell sites that I do not want to be tracked.”  Be clear about what that does: it adds a DNT: 1 header to every request, and honoring it is entirely voluntary on the site’s part, so treat it as a polite request rather than protection and lean on the blockers below for the actual work.

Next, a slew of Firefox add-ons:

  1. HTTPS Everywhere – An EFF offering (and are you a member of EFF? You should be.) that forces a secure connection to your surfing destination whenever possible.
  2. DoNotTrackMe – a tracking blocker.
  3. disconnect – another tracking blocker, this one specifically tailored towards social media.
  4. Ghostery – a configurable tracker/cookie blocker.
  5. AdBlock Plus – perhaps not so much so for privacy, but for sanity.  Surfing the web without ABP freaks me out.
  6. DuckDuckGo – Make DuckDuckGo your search engine of choice.  Simply go to the site, and then click the icon next to the search field (to the right of the URL field in Firefox) and add it.

Other security/privacy conscious items I use include:

  • TrueCrypt – I use TC to create encrypted containers to store all my sensitive data, personal and client related.  It adds a much needed layer of comfort to using sync services such as Dropbox or Windows Live.  Granted, it makes it a pain in the ass to sync (the whole container must be resynced rather than just the changed files within it), but with a decent connection and some common sense container sizing it’s worth it.  I also use TC whole disk encryption on all my family’s laptops.  If someone swipes your ‘top, at least they’re not getting your data!  (If you’re reading this later: TrueCrypt’s own developers abandoned it in May 2014 and its site now warns it may contain unfixed security issues, so factor that in before adopting it.)
  • VPN – Securitykiss is but one of many VPN services.  I can’t speak to their effectiveness specifically – I include them only as an example.  A Google search will pull up a wealth of free and paid VPN options, along with plenty of reviews.  A VPN is essentially a tunnel between your computer and a remote gateway, through which your online requests are routed.  The theory is that your traffic is effectively anonymized by way of emanating from a shared point of entry to the ‘net (the gateway), meaning it’s undifferentiated from the traffic of everyone else utilizing the gateway.  The tunnel between you and the gateway is also secured via encryption.  Ultimately the effectiveness of a VPN relies on the provider: everything your ISP could see before, the provider can see now, and they have the ability to log your activity in their tunnel.  You’re moving trust, not removing it.  In other words, do your research and choose wisely.

There are lots of other privacy options out there, like Tor, but the few things I’ve listed above are the simplest ways to start securing your privacy.

0 Day Java Exploit. How to disable Java in your browser.

A JRE exploit has reportedly hit the wild. Context here.  Some kind Redditor has posted instructions on disabling the JRE in various browsers:

  • In Firefox : Press Firefox button -> Add-ons, go to Plugins and click the “Disable” button next to anything named “Java”.
  • In Chrome : Type in: “chrome://plugins/” into the address bar (no quotes). Scroll down to Java and click disable.
  • In Opera: Type in “opera:plugins” into the address bar (no quotes). Scroll down to:
    • Java(TM) Platform <click on> Disable.
    • Java Deployment Toolkit <click on> Disable.
  • In Internet Explorer:
    • Disable UAC (if enabled) and restart.
    • Open the Java app in Control Panel.
    • Go to advanced tab.
    • Expand Default Java for browsers.
    • The checkbox next to IE is grayed out.  Select Microsoft Internet Explorer and press spacebar. Click OK.
    • You can re-enable UAC and restart now.


Return to Chrome

I used Chrome occasionally in the past.  I liked its speed but, at the time, was put off by its lack of customization.  I couldn’t surf without Firefox and its AdBlocking, XMarking, LastPassing, NoScripting powers.   Visiting the web without them was a jarring experience, akin to watching “real” television – like commercials, I’d gone so long without intrusive ads, popups, hijacks and javascript silliness that I forgot they’re out there.  And oh boy are they.

Fast forward a bit.  XMarks announces it’s going under.  Sadness ensues.  Switch to Firefox Sync.  Fast forward a bit more.  Firefox begins releasing its beta builds of FF4.  Sync is built in.  4 seems delicious – and then I tried to manage my bookmarks.  Slow.  Painfully, mind numbingly slow.  Inoperable, in fact.  It seems that FF4 uses SQLite for its bookmark containment, and everything went into the shitter as of SQLite 3.7.x.

Meanwhile LastPass purchased XMarks (probably for a song, having waited until the 11th hour to do so) and Chrome has since opened up, finally supporting 3rd party plug ins.  Time to try again!

So far, so good.  Word of warning, however.  If you configure data sync in Chrome (Options > Personal Stuff > Sync) and you install XMarks, the two services will begin a bloody battle, duplicating and triplifrying your bookmarks.  From what I’ve sussed both of them insert a unique bit of unseen markup to each bookmark, effectively making them unique again and again and again.  Like this:

Xmarks: Hey!  I found a bookmark!  I’ll sync it and slip a date string in it!

GSync: Hey! I found a bookmark with a funny date string in it!  It must be new – I’ll sync it and put my own bit of something in it!

Xmarks: Hey!  I found a bookmark that’s startlingly similar to the one I just synced, but it has a new little bit of something!  It must be different – I’ll add it and update its date.

GSync: Holy cow!  There’s a familiar looking bookmark – but that funny date string is different.  I should totally add that!

…and so on and so forth.  Long story short, only use one bookmark sync method lest you wind up like me, writing a script to identify and strip duplicates from your 5000 item large bookmarks list.
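For anyone who ends up in the same spot, here is an added example of the kind of cleanup script I mean (written for this page as an illustration, not the script I actually used, and not tied to XMarks or Chrome internals in any way): it reads a Netscape-format bookmarks export, the HTML format both Chrome and Firefox produce, and drops every bookmark whose URL matches one already seen after a little normalisation, so the title-level markup the two sync tools sprinkle in stops making copies look unique.  The sample export is constructed.

```python
"""Added example, not the post's own script: strip duplicate bookmarks from a
Netscape-format bookmarks export (the HTML that Chrome and Firefox export),
keeping the first copy of each URL.  Duplicates are identified by normalised
URL only, so copies that differ just in title decoration are collapsed.
The SAMPLE_EXPORT below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class _BookmarkCollector(HTMLParser):
    """Collect (href, title) for every <A HREF=...> in the export."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._href = None
        self._title = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                      # html.parser lowercases tag/attr names
            self._href = dict(attrs).get("href")
            self._title = []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.items.append((self._href, "".join(self._title).strip()))
            self._href = None


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop a trailing slash and the fragment."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def dedupe_bookmarks(export_html: str):
    """Return (kept, dropped) lists of (href, title); first occurrence wins."""
    collector = _BookmarkCollector()
    collector.feed(export_html)
    seen, kept, dropped = set(), [], []
    for href, title in collector.items:
        key = normalize_url(href)
        if key in seen:
            dropped.append((href, title))
        else:
            seen.add(key)
            kept.append((href, title))
    return kept, dropped


def render_export(items) -> str:
    """Write the survivors back out as a flat Netscape-format file."""
    lines = ["<!DOCTYPE NETSCAPE-Bookmark-file-1>", "<DL><p>"]
    lines += [f'<DT><A HREF="{href}">{title}</A>' for href, title in items]
    lines.append("</DL><p>")
    return "\n".join(lines)


# Constructed sample: three copies of one bookmark that differ only cosmetically.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="https://example.com/docs/">Docs</A>
<DT><A HREF="https://Example.com/docs#top">Docs (synced)</A>
<DT><A HREF="https://example.com/docs" ADD_DATE="1300000000">Docs</A>
<DT><A HREF="https://example.org/">Other</A>
</DL><p>"""

if __name__ == "__main__":
    kept, dropped = dedupe_bookmarks(SAMPLE_EXPORT)
    print(f"kept {len(kept)}, dropped {len(dropped)}")   # kept 2, dropped 2
    print(render_export(kept))
```

Run it against a fresh export from whichever browser holds the mess, import the rendered file into an empty bookmarks folder, and only then turn one (and only one) sync service back on.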

Safe(r) Surfing

I don’t do a whole lot online that really warrants anonymity, but I still don’t care for the idea of being watched.  Further, I’m no fan of the growing trend of linking logins, such as the ubiquity of Facebook, or of browser tracking.  Just because I’m not doing anything wrong doesn’t mean I don’t want privacy.  Regardless of the existence of darknets and freenet I don’t think there’s a way to really hide online if the right (or wrong) people really want to find you – but there are definitely ways to make it more difficult.

  1. Use Firefox (or, alternatively, Chrome) and not IE.
  2. Install the Adblock Plus addon for Firefox.
  3. Install the NoScript addon for Firefox.  This one’s a pain in the ass to initially configure, but soon you’ll get used to it and find approving (and not approving) sites will become second nature.  NoScript doesn’t so much cover your tracks as starve trackers: by blocking scripts and plugins until you allow them, it keeps most tracking code from ever running, and it prevents other nasties like drive-by code execution and cross-site scripting along the way.  You’ll be amazed to see just how many third-party connections you’re actually making when you hit a single site.
  4. Install and use HotSpot Shield, a free VPN service that masks your originating IP address from the sites you visit and encrypts your traffic between you and its gateway (the gateway itself, of course, still sees everything).  Bonus:  although HSS is ad-revenue based, you’ll never see a single banner pushed from it if you have the aforementioned Adblock Plus installed.  Good times.

There are other paid options for online anonymity as well as Tor – which is almost unbearably slow in its default configuration, not to mention riddled with its own dark corners and dangers – but the above represents the easiest free as in beer way to cover some of your tracks online.