Archive for January, 2014

Deactivating RC4 in mainstream browsers

January 6, 2014

Although this is well known among IT people, with all the revelations of the last weeks and months some security awareness has grown among non-IT people as well. So over Christmas I was asked by several members of my family how to disable insecure encryption in their browsers, as they had learned that most browsers still use an outdated encryption algorithm: RC4.

So while assisting members of my family and non-IT friends in securing their systems with these little steps, I came across a number of mainstream browsers, and I'd like to share the settings needed to deactivate RC4 in each of them.

Unfortunately I've not found any way to disable RC4 ciphers in Safari. So if someone has a hint, please let me know in the comments and I'll add it to the post.

Firefox

If you're using Firefox like I do, open a new Firefox session (a new window or tab) and type the URL about:config into the address bar. You should see a warning page telling you that everything beyond that point is out of warranty. Click the button acknowledging that you'll be careful. You should see a window looking pretty much like this (in your configured language, of course).

[Screenshot: Firefox about:config]

The really good thing here: the names of the keys are English anyway, so there's no way to miss the keys we're looking for.

Within the search box type „RC4“. Your list should automatically shrink to six keys:

[Screenshot: Firefox about:config filtered for RC4]

Flip all of them from their default value true to the custom value false by double-clicking them. Firefox bolds them automatically as soon as you've changed them, which is a good check. After closing the window or tab your Firefox no longer uses RC4 and you're just a bit more secure.

Internet Explorer

If you're using Microsoft Internet Explorer, you have to tweak your registry. Therefore you have to create the following keys under the hive „HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CIPHERS“ using a registry editor and set a DWORD value called „ENABLED“ with the value 00000000 in each of them:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

There should also be a Windows update that disables the weak RC4 encryption on Windows systems, but sometimes it's better to do things twice.

Chrome / Chromium

If you're using Chrome or Chromium you have to pass the RC4 cipher suites that should be deactivated as a blacklist on the command line that starts your browser. The odd part about this: there is no documentation for it. Everything has to be looked up in the (open) source code. So your new command line will look like this:

chromium-browser --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83

Opera

I've not found anything regarding RC4 in the settings of Opera. Searching the Internet only brought up that you can increase your security by disabling anything using MD5 in Opera (potentially causing some issues with pages offering MD5 only): use the extended menu, security options, security protocols, details, and disable all MD5-based methods.
Attention: I've not tested this one on my own, so please be careful.
 
Last but not least

Last but not least I'd like to share a link to check which ciphers your browser of choice offers: https://cc.dcsec.uni-hannover.de
Categories: Encryption, Security

30C3 talk on Identity Ecosystems

January 2, 2014

During the 30th Chaos Communication Congress, hosted by the Chaos Computer Club in Hamburg, Germany, from December 27th to 30th, 2013, Christoph Engemann gave a talk on NSTIC and COM 238, the two identity policy proposals of NIST (USA) and the European Commission, highlighting similarities, differences and potential conflicts.

A complete recording of the talk can be found here: CCC-TV – Europe, the USA and Identity Ecosystems

Enjoy.

Categories: IAM, Identity, IDM

Happy New Year

January 2, 2014

I wish all readers, identirati, friends and colleagues a happy new year, some accomplished resolutions, health and successful projects all over the globe. Let’s move forward into 2014.

Categories: Blog