1

The ssllabs.com browser check shows a list of cipher suites supported by my browser. Some are labeled as WEAK, I think because they do not support perfect forward secrecy.

I can disable some of them by going to about:config, typing in ssl3, and then changing the ones I don't want to false. (Yes, they still label it ssl3, but they still apply.) But, the ones shown at ssllabs as having CBC in the name do not appear on the list in Firefox, so I can't figure out how to disable those.

Anyone know how?

Amazon Dies In Darkness
  • 9,990
Roman
  • 143
  • 8

1 Answers1

3

They do appear on the list in Firefox; they're just not labelled cbc. At the time they were added to Mozilla, CBC was the only cipher mode supported by SSL anyway, so it wasn't explicitly specified in the name (whereas GCM is a much later addition). You'll find them under aes_128_sha or aes_256_sha in about:config.

Perfect forward secrecy does not depend on the block cipher mode; it's determined by whether the cipher suite uses ephemeral DH – i.e. ECDHE and DHE ciphersuites provide PFS; other ones do not. SSL Labs will mark ciphersuites as weak if they use CBC or if they don't provide PFS.

This only applies up to TLSv1.2. Starting with TLSv1.3, none of the ciphersuites use CBC and all of them are PFS-capable (and the ciphersuite name no longer explicitly mentions "ECDHE" because it's mandatory in TLSv1.3). In the SSL Labs website, 0x13xx are TLSv1.3 ciphersuites, the others are for TLS≤v1.2.

grawity
  • 501,077