-
Notifications
You must be signed in to change notification settings - Fork 796
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable weak cipher suites #577
Comments
what about site that only use those ciphers you switch back to http with this settings ?
|
I'm thinking that it may be helpful to have info like this in the ungoogled-chromium-wiki. It'll be nice for users who are informing themselves, and happened to hit ungoogled-chromium early in their learning process. Maybe we could setup a page in the Wiki for extensions and settings to consider? |
Actually I don't know if it works like this (pseudo code):
or like this:
Can you provide some info about it? My suggestion is with the assumption of the second (and I may be wrong). Personally I use HTTPS Everywhere with "Block all unencrypted requests" enabled 99.99% of the time. So if some site attempts to switch to HTTP I would be notified quite well.
Well... maybe, maybe not. As you surely know a false sense of security is worse than being aware of insecurity.
Yes. |
Okay, the site just don't work when blocking ciphers giving back this error (tested with uc v70)
You can reproduce the test with You have a nice setup but i personally don't like "HTTPS Everywhere" at all because of :
Any way here is what i am using right now : Firefox :
UC :
I think in a near future browsers themselves will start blocking http, it would be nice to have a big warning when surfing http as the extension for firefox do... Any way would be cool to have a flag for "--cipher-suite-blacklist=0x000a,0x009c,0x009d,0x002f,0x0035" |
Thanks for confirming that the setting doesn't result in switching to plain HTTP. Thanks also for the info about HTTPS Everywhere. I have emailed you as I have some off-topic questions about all this. |
Unfortunately your server returned:
|
My site is no longer maintained... my mail is intikadev at gmail |
Sent. Thanks!
|
Thanks. Just a note you may want to add: the IDs of the cypher suites must be in the exact format 0x0000. My tests show that any other (e.g. 0x00 or 0x000000) has no effect. |
According to SSL Labs test Chromium 70.0.3538.77 (linux_portable) supports weak cipher suites. Currently I use
--cipher-suite-blacklist=0x000a,0x009c,0x009d,0x002f,0x0035
command line option to disable them. Perhaps it would be good to have some kind of flag (UI) for that or at least to suggest the option in the docs as a recommendation for improved security.The text was updated successfully, but these errors were encountered: