[GRLUG] FF 33 & SSL

Michael Mol mikemol at gmail.com
Wed Nov 5 13:54:23 EST 2014


My theory would be that Firefox would work fine with this setup:

2048-bit CA signing a 2048-bit * server cert, which is used by the
proxy server to spoof destination servers.

So, in order:

1) Firefox connects to proxy server
2) Firefox issues CONNECT to try to reach a host over SSL
3) Firefox doesn't know it, but the proxy server intercepts the CONNECT
4) Proxy server sets up an HTTPS connection within the CONNECT
channel, using its strong * cert, with SNI used to have Firefox tell
it where it's going.
5) Firefox doesn't complain about this, since it trusts the CA the
proxy server's cert was issued from, and all the certs in question are
strong.
6) Proxy server makes a connection out its back end to the servers
with weak certs, completing the connection, with Firefox none the
wiser.

And regarding negligence... LVL's servers in question sound like
they're intranet, not public-facing. If the strength of those certs is
an issue (meaning he faces MITM on the way there), then he's got a
MITM attacker on his internal network, which is a much bigger issue on
its own than a weak cert on an intranet server.


On Tue, Nov 4, 2014 at 5:29 PM, Mark Farver <mfarver at mindbent.org> wrote:
> As far as I know Firefox stopped trusting CAs with certs less than 1024
> bits.  I would not expect this to have any effect on self-signed certs.
>
> And it is negligent in the extreme to have been creating certs and CAs with
> less than 2048 bits and/or MD5 hashes for at least the last 5 years.
>
> Yes it will suck but fix it anyway.  If it is worth doing crypto it is worth
> doing crypto right.
>
> Mark
>
> On Nov 4, 2014 5:06 PM, "L. V. Lammert" <lvl at omnitec.net> wrote:
>>
>> Just found out that FF 33 is now blocking SSL connections with certs less
>> than 1024 bits, .. which is a show-stopper for me as I have many systems
>> (e.g. Webmin) on local machines and I would prefer to NOT have to diddle
>> them to regenerate certs.
>>
>> Has anyone figured out a way to get FF 33 to connect to 512 bit
>> connections?
>>
>>         Lee
>> _______________________________________________
>> grlug mailing list
>> grlug at grlug.org
>> http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
>
>



-- 
:wq
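The workaround above only holds if every certificate Firefox actually sees is strong, and the check Lee tripped over is a key-size policy on the subject public key. As an added example (not code from this thread or from anyone on it), here is a stdlib-only auditor that walks the DER structure of a certificate to report the RSA modulus size and whether it is MD5-signed, so the intranet hosts with 512-bit certs can be found before the browser refuses them. The names `audit_cert`, `firefox33_rejects` and `sample_cert` are my own, and `sample_cert` builds a constructed, skeletal certificate (empty names, no real signature) purely as test input.

```python
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")    # OID 1.2.840.113549.1.1.4 md5WithRSAEncryption
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11 sha256WithRSAEncryption

def read_tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off]; return (tag, value, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nbytes, off = ln & 0x7F, off + (ln & 0x7F)
        ln = int.from_bytes(buf[off - nbytes:off], "big")
    return tag, buf[off:off + ln], off + ln

def children(seq):
    """Yield (tag, value) for each direct child of a DER SEQUENCE body."""
    off = 0
    while off < len(seq):
        tag, val, off = read_tlv(seq, off)
        yield tag, val

def audit_cert(der):
    """Return (rsa_bits or None, md5_signed) for a DER-encoded X.509 certificate."""
    tbs = next(children(read_tlv(der)[1]))[1]                 # Certificate -> tbsCertificate
    fields = [v for t, v in children(tbs) if t != 0xA0]       # drop the explicit [0] version
    sig_oid = next(children(fields[1]))[1]                    # tbs.signature.algorithm
    alg, key = [v for _, v in children(fields[5])]            # subjectPublicKeyInfo
    bits = None
    if next(children(alg))[1] == RSA_ENCRYPTION:
        rsa_pub = read_tlv(key, 1)[1]                         # BIT STRING: skip unused-bits byte
        bits = int.from_bytes(next(children(rsa_pub))[1], "big").bit_length()
    return bits, sig_oid == MD5_WITH_RSA

def firefox33_rejects(der):
    """The policy discussed in the thread: RSA subject keys shorter than 1024 bits are refused."""
    bits, _ = audit_cert(der)
    return bits is not None and bits < 1024
# Constructed sample input: a skeletal, unsigned certificate with just enough structure
# for audit_cert (empty issuer/validity/subject); it is not a valid X.509 certificate.
def tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive

def sample_cert(modulus_bits, sig_oid=SHA256_WITH_RSA):
    n = (1 << (modulus_bits - 1)) | 1                         # any odd value of the wanted size
    rsa_pub = tlv(0x30, der_int(n) + der_int(65537))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_ENCRYPTION) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_pub))
    sig_alg = tlv(0x30, tlv(0x06, sig_oid) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))
```

To audit a real host, feed `audit_cert` the DER bytes of its served certificate (for example the output of `ssl.PEM_cert_to_DER_cert` on a PEM you already have).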
