
HTTPS exploit using JS

Posted: Sat Aug 27, 2016 6:44 pm
by barbaz
http://arstechnica.com/security/2016/08 ... top-sites/

1) How is haxxor supposed to gain MITM if they have to inject their JS on a page that's HTTPS to start with? Doesn't that already mean the attack is not as "practical" as the article suggests?
And isn't it impossible for haxxor's JS to stay alive after their page is closed?

2) Being a NoScript user where such JS would presumably be blocked, and since I'm going to update my browser soon anyway, is there any point in disabling the affected cypher(s)? If so how to do it?
(I found a "security.ssl3.rsa_des_ede3_sha" in about:config but don't know if it's related?)

Re: HTTPS exploit using JS

Posted: Tue Aug 30, 2016 12:27 am
by Thrawn
barbaz wrote: 1) How is haxxor supposed to gain MITM if they have to inject their JS on a page that's HTTPS to start with?
From what I've read, the JavaScript can be the attacker's own website, so it's not really injection.
And isn't it impossible for haxxor's JS to stay alive after their page is closed?
Generally yes. I think the attack assumes that the page stays open. Not unreasonable in many cases.
2) Being a NoScript user where such JS would presumably be blocked, and since I'm going to update my browser soon anyway, is there any point in disabling the affected cypher(s)? If so how to do it?
(I found a "security.ssl3.rsa_des_ede3_sha" in about:config but don't know if it's related?)
Not sure, but that might be the one. I suggest that you disable it and check whether any sites break.

Re: HTTPS exploit using JS

Posted: Tue Aug 30, 2016 3:00 am
by barbaz
Thanks Thrawn for the clarifications!

So far I haven't had any issues from disabling that cypher...

How's My SSL lists these cyphers for my browser now

Code:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
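
A small classifier over lists like the one above, added here as an example and not code from the thread or from How's My SSL. The only about:config pref it knows is the one named in the first post; everything else it reports is derived from the suite name alone, and the list with 3DES appended is constructed to show the flag firing.

```python
import re

# Added example, not from the thread: classify a "How's My SSL"-style cipher suite
# list and flag the suites a defender would disable first. BARBAZ_LIST is the list
# posted above; SAMPLE_WITH_3DES is constructed to show the flag firing.

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")

# Block size in bits per bulk cipher. 64-bit block ciphers (DES, 3DES) are the ones
# a long-session birthday attack targets; AES has a 128-bit block. RC4 is a stream
# cipher (no block) and is broken for other reasons, so it is flagged separately.
BLOCK_BITS = {"DES_CBC": 64, "3DES_EDE_CBC": 64, "AES_128_CBC": 128,
              "AES_256_CBC": 128, "AES_128_GCM": 128, "AES_256_GCM": 128}

# about:config pref for the one suite named in the thread; prefs for other suites
# are not derived here, so look them up rather than guessing.
KNOWN_PREFS = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": "security.ssl3.rsa_des_ede3_sha"}

def classify(suite):
    """Return a dict describing one IANA-style suite name (TLS 1.2 and below)."""
    m = SUITE_RE.match(suite)
    if not m:
        return {"suite": suite, "error": "unrecognised suite name"}
    kx, cipher = m.group("kx"), m.group("cipher")
    block = BLOCK_BITS.get(cipher)
    return {
        "suite": suite,
        "forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),
        "block_bits": block,
        "weak_cipher": block == 64 or cipher.startswith("RC4"),
        "pref": KNOWN_PREFS.get(suite),
    }

def suites_to_disable(suites):
    """Suites worth turning off first: 64-bit block ciphers and RC4."""
    return [c["suite"] for c in map(classify, suites) if c.get("weak_cipher")]

def without_forward_secrecy(suites):
    """Static-RSA suites: not part of the article's attack, a lower-priority trim."""
    return [c["suite"] for c in map(classify, suites)
            if "error" not in c and not c["forward_secrecy"]]

BARBAZ_LIST = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
SAMPLE_WITH_3DES = BARBAZ_LIST + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]  # constructed

if __name__ == "__main__":
    print("disable first:", suites_to_disable(SAMPLE_WITH_3DES))
    print("no forward secrecy:", without_forward_secrecy(BARBAZ_LIST))
```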

Re: HTTPS exploit using JS

Posted: Tue Aug 30, 2016 7:57 am
by yes_noscript
Here is my list and I didn't find any problems.

Code:

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA

Re: HTTPS exploit using JS

Posted: Tue Aug 30, 2016 8:24 pm
by barbaz
@yes_noscript: Do you know why Pale Moon disables those 128 cyphers in my list and does the reasoning apply to me and my SeaMonkey based on Gecko 45 (and soon to be Gecko 49)?

Re: HTTPS exploit using JS

Posted: Tue Aug 30, 2016 9:23 pm
by yes_noscript
Don't know. Are the 128-bit ciphers disabled by default?

Moonchild disables all 3DES ciphers by default in the next update.

Re: HTTPS exploit using JS

Posted: Tue Aug 30, 2016 10:00 pm
by barbaz
yes_noscript wrote: Don't know. Are the 128-bit ciphers disabled by default?
Well, again, I'm just comparing the cypher list you posted to the cypher list I posted...

I don't enable any cyphers that aren't enabled by default, my only custom cypher configuration is disabling some.
Looking at your post here viewtopic.php?p=82063#p82063 only one of the 128 cyphers is disabled relative to my output, so I assumed (incorrectly?) that you're using default Pale Moon configuration for cyphers?

Re: HTTPS exploit using JS

Posted: Wed Aug 31, 2016 5:19 am
by Thrawn
And once again rate limiting would make this attack substantially harder.

I pitched the idea to Moonchild, but he rejected it.

Re: HTTPS exploit using JS

Posted: Wed Aug 31, 2016 7:35 pm
by yes_noscript
Ah, now I understand your question.
No, I don't use the default ciphers. I disable a lot.

Re: HTTPS exploit using JS

Posted: Wed Aug 31, 2016 9:19 pm
by barbaz
yes_noscript wrote: No, I don't use the default ciphers. I disable a lot.
OK that's even better, thanks! What is your reasoning for disabling them, and given the browser(s) I'm using should I be concerned and do the same?

Re: HTTPS exploit using JS

Posted: Wed Aug 31, 2016 9:32 pm
by yes_noscript
I read a lot on the web and then disabled the not-so-secure ciphers.
Until now I haven't found a website which doesn't work.

So yes, I would say I have better SSL/TLS security now because only good ciphers are available.
Here is my list from Pale Moon 27:
[image: screenshot of the Pale Moon 27 cipher list]

Re: HTTPS exploit using JS

Posted: Wed Aug 31, 2016 9:38 pm
by barbaz
Good, so it sounds like there is no immediate concern, but it's still worth trying disabling them in case it saves me time and security. Thanks yes_noscript! :D