1

The ssllabs.com browser check shows a list of cipher suites supported by my browser. Some are labeled as WEAK, I think because they do not support perfect forward secrecy.

I can disable some of them by going to about:config, typing in ssl3, and then changing the ones I don't want to false. (Yes, they still label it ssl3, but they still apply.) But, the ones shown at ssllabs as having CBC in the name do not appear on the list in Firefox, so I can't figure out how to disable those.

Anyone know how?

Improve this question
1
  • 1
    This is why Firefox allow you to add additional configuration in the @config be very careful you might not be able to access web pages.
    – vssher
    Commented Aug 11, 2023 at 2:21

1 Answer 1

Reset to default
3

They do appear on the list in Firefox; they're just not labelled cbc. At the time they were added to Mozilla, CBC was the only cipher mode supported by SSL anyway, so it wasn't explicitly specified in the name (whereas GCM is a much later addition). You'll find them under aes_128_sha or aes_256_sha in about:config.

Perfect forward secrecy does not depend on the block cipher mode; it's determined by whether the cipher suite uses ephemeral DH – i.e. ECDHE and DHE ciphersuites provide PFS; other ones do not. SSL Labs will mark ciphersuites as weak if they use CBC or if they don't provide PFS.

This only applies up to TLSv1.2. Starting with TLSv1.3, none of the ciphersuites use CBC and all of them are PFS-capable (and the ciphersuite name no longer explicitly mentions "ECDHE" because it's mandatory in TLSv1.3). In the SSL Labs website, 0x13xx are TLSv1.3 ciphersuites, the others are for TLS≤v1.2.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .