Disable weak cipher suites

[ghost]

According to SSL Labs test Chromium 70.0.3538.77 (linux_portable) supports weak cipher suites. Currently I use --cipher-suite-blacklist=0x000a,0x009c,0x009d,0x002f,0x0035 command line option to disable them. Perhaps it would be good to have some kind of flag (UI) for that or at least to suggest the option in the docs as a recommendation for improved security.

[intika]

what about site that only use those ciphers you switch back to http with this settings ?
(using https with those ciphers is better than http...)

• a flag could be useful
• its may be the work of an extensions like https... back in the days there was an extension for that in firefox

[Eloston]

I'm thinking that it may be helpful to have info like this in the ungoogled-chromium-wiki. It'll be nice for users who are informing themselves, and happened to hit ungoogled-chromium early in their learning process.

Maybe we could setup a page in the Wiki for extensions and settings to consider?

[ghost]

what about site that only use those ciphers you switch back to http with this settings ?

Actually I don't know if it works like this (pseudo code):

if (cipher is disabled) { use_plain_HTTP() }

or like this:

if (cipher is disabled) { use_strong_cipher() }
if (strong cypher is unavailable) { drop_connection_with_error_message() }

Can you provide some info about it?

My suggestion is with the assumption of the second (and I may be wrong). Personally I use HTTPS Everywhere with "Block all unencrypted requests" enabled 99.99% of the time. So if some site attempts to switch to HTTP I would be notified quite well.

(using https with those ciphers is better than http...)

Well... maybe, maybe not. As you surely know a false sense of security is worse than being aware of insecurity.

Maybe we could setup a page in the Wiki for extensions and settings to consider?

Yes.

[intika]

Okay, the site just don't work when blocking ciphers giving back this error (tested with uc v70)

This site can’t provide a secure connection intika.be uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

You can reproduce the test with --cipher-suite-blacklist=0xC02F,0xC030,0xC013,0xC014,0x009C,0x009D,0x002F,0x003C,0x0035,0x003D
and navigating to https://intika.be

You have a nice setup but i personally don't like "HTTPS Everywhere" at all because of :

• The code quality is very poor (make the extension huge resources eater)
• How web extensions works to monitor traffic is in itself a resources eater method, and when the code is not good... (try browsing an hour or two without it you will see a huge difference in speed)
• Last time i checked the extensions does not always work
• I did found some glitch about privacy in the code that i did not like back when i reviewed the extension
• Having an extension that is sized 1.7 Mo (compressed) that have access to all what i do ?! no thanks... any simple script that does exactly the same thing would never go over 50kb (compressed)
• I wrote my own https redirector some times ago (i did not publish it...) and the main js code was about 5kb and it did works exactly as expected link-1 link-2

Any way here is what i am using right now :

Firefox :

• "security.mixed_content..." settings
• "security.insecure_connection" settings
• And NoHttp and or Http...

UC :

• #enable-potentially-annoying-security-features flag
• #disallow-unsafe-http-downloads
• #enable-mark-http-as

I think in a near future browsers themselves will start blocking http, it would be nice to have a big warning when surfing http as the extension for firefox do...

Any way would be cool to have a flag for "--cipher-suite-blacklist=0x000a,0x009c,0x009d,0x002f,0x0035"

[ghost]

Thanks for confirming that the setting doesn't result in switching to plain HTTP.

Thanks also for the info about HTTPS Everywhere. I have emailed you as I have some off-topic questions about all this.

[ghost]

Unfortunately your server returned:

<postmaster@ [...] 550 sorry, user over quota [mail153] (#5.1.1) (in reply to RCPT TO command)

[intika]

My site is no longer maintained... my mail is intikadev at gmail

[ghost]

Sent. Thanks!

[ghost]

Thanks. Just a note you may want to add: the IDs of the cypher suites must be in the exact format 0x0000. My tests show that any other (e.g. 0x00 or 0x000000) has no effect.