Bypass or Disable error – Server has a weak, ephemeral Diffie-Hellman public key

Sometimes when browser vendors try to help make the world more secure, they actually cause more inconvenience that necessary. Recently both Firefox and Chrome/Chromium stopped supporting weak ephemeral Diffie-Hellman public keys – this was in the hope of mitigating the LogJam attack that surfaced a few months ago.

The problem is that many industry standard bits of kit use such keys, and they are not going to be upgraded in a hurry. Most annoyingly, the browser vendors decided not to provide a way for the user to over-ride this nanny internet intervention.

In the broader context of security this makes NO SENSE! I mean, you can go to a website riddled with Malware, and still choose to continue onwards – what could be worse? The real world chances of falling victim to the logjam attack are pretty remote, and if you are the sort of person who only logs into known trusted sites, then those chances are incredibly remote.

Further more, if the browser vendors were so up tight about security, why not simply refuse any http connection in favour of https? Anyway – interventions like this really GRIND MY GEARS – so here’s a way around for Firefox and Chrome – Don’t forget to restart your browser afterwards.

Firefox

go to about:config in the address bar. Ignore the warnings, and type ‘dhe’ into the search box.

  • Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it to false (disable Firefox from using this cipher)
  • Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it to false (disable Firefox from using this cipher)

To revert Firefox to it’s normal behaviour, just set those two parameters back to true,

Chrome

For OSX users

simply open terminal.app and run this command

open -a "Google Chrome" --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

To make life easier, just add this to your .bash_profile

alias chrome='open -a "Google Chrome" --args --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013'

Then you will only need to type ‘chrome’ to open Chrome without the ciphers that cause the issue. Of course, if you open Chrome normally from the desktop, then Chrome will still open normally.

For Window users

Alter the Chrome shortcut icon properties to

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

No comments yet.

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.