ESB Posted February 28, 2015 Hello all, I have two ISY systems, one is a 994 with a self-signed cert, the other is a 99 with an outdated cert. I have been able to remotely log in to both systems with the script or basic UD web program with a variety of browsers and phones. Firefox now blocks access to both the web and Java (admin) console. IE still works, Android browsers still work. My question is: will others follow the lead of Firefox, and then what for secure remote access? Question # 2: Is the upgrade program for my old 99 still available? Regards - Eric
Teken Posted March 1, 2015 (quoting ESB: "Question # 2: Is the upgrade program for my old 99 still available? Regards - Eric") Yes it is. Ideals are peaceful - History is violent
mwester Posted March 1, 2015 Yes, others will follow the lead of Firefox - but there will always be an option, because there really are a lot of devices out there that cannot be upgraded. You may have to do some clicking to get rid of some ominous warning dialogs and such, though.
MWareman Posted March 1, 2015 As a security pro, yes. I strongly recommend blocking SSLv3 everywhere I go. It's over 10 years old (an eternity in computer age) and fundamentally broken. That being said - you can change a preference to re-enable it. I strongly recommend that you don't, though! https://support.mozilla.org/en-US/questions/1035913
ESB (Author) Posted March 2, 2015 Now I am confused. When I query the secure port for the 994, I do not specify a protocol, just https://address:port. I assumed, when Firefox blocked it with no workaround, that there is no other way to address the secure port for the ISY with Firefox. What am I missing, for future reference? Please advise - thanks
MWareman Posted March 2, 2015 (edited) https is a suite of protocols: sslv1, sslv2, sslv3, tlsv1, tlsv1.1, tlsv1.2 and tlsv1.3. When your browser contacts a server with https, there is a negotiation that occurs. Normally, the highest common protocol is selected. An isy99i non-pro only supports sslv3. sslv2 was disabled by most protocol stacks about 2 years ago due to its security weaknesses. What happened a few months ago is that significant flaws were discovered in sslv3, rendering it unsafe for all purposes. Due to the existence of a downgrade attack, the only safe way to fix the threat is to eliminate sslv3. This is what Firefox has done. sslv3 is now very old! You can re-enable it in Firefox as I described above - there is not "no workaround". However, by enabling it you are at serious risk if you do banking, taxes or anything you want to be secure with that browser. The fix is to upgrade to the ISY994i, where the lowest protocol level is now tlsv1.1. UDI offers a fantastic price for the upgrade, considering the 99 was end-of-lifed a long time ago now. Edited March 2, 2015 by MWareman
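An added example, not part of the thread: the negotiation rule MWareman describes ("highest common protocol") modelled as a small function, plus a probe that pins a handshake to one version so an ISY owner can check which versions their own unit still accepts. Host and port are assumptions; the probe disables certificate verification only because it tests protocol version, not trust.

```python
import socket
import ssl

# Versions from the post, oldest first (SSLv1 was never shipped, so it is omitted).
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_RANK = {name: i for i, name in enumerate(VERSIONS)}


def highest_common(client, server):
    """Model of the browser/server negotiation: pick the newest version both sides
    offer, or None when there is no overlap (Firefox without SSLv3 vs. an SSLv3-only
    ISY99i fails here; against a 994i with a TLSv1.1 floor it succeeds)."""
    common = set(client) & set(server)
    if not common:
        return None
    return max(common, key=_RANK.__getitem__)


_TLSVER = {
    "SSLv3": ssl.TLSVersion.SSLv3, "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def accepts_version(host, port, name, timeout=5.0):
    """True if the server completes a handshake restricted to exactly `name`,
    False if it refuses, None if the local OpenSSL build cannot speak it at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # self-signed / expired certs are expected here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # allow legacy suites so old firmware can answer
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = ctx.maximum_version = _TLSVER[name]
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:                      # ssl.SSLError is a subclass of OSError
        return False


def probe(host, port=443):
    """Map each version to accepted / refused / untestable for one server (assumed host)."""
    return {v: accepts_version(host, port, v) for v in VERSIONS}
```

A unit that answers True only for SSLv3 cannot be reached by a browser that has removed it; one whose first True is TLSv1.1 or higher is what the upgrade buys.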
ESB (Author) Posted March 5, 2015 Thanks for the reply. The ISY that I have been connecting to remotely is a 994i 256 with 4.0.5 and a self-signed certificate. I still get the SSLv3 warning on that system. Any guesses why? Thanks, Eric
Teken Posted March 5, 2015 (edited) I would start by upgrading your firmware to the latest, 4.2.27, so everyone is using the same point of reference, as it includes lots of fixes and security updates. Ideals are peaceful - History is violent Edited March 5, 2015 by Teken
LeeG Posted March 5, 2015 (edited) Release 4.0.5 is old. 4.2.18 is the current Official release, with 4.2.27 (RC4) likely being the next Official release. Edited March 5, 2015 by LeeG
ESB (Author) Posted March 8, 2015 Thanks for the additional info. I am reluctant to upgrade while I am remote, as I can't fix it if it locks up. I will surely take your advice as soon as I return. Thanks - Eric
builderb Posted March 10, 2015 I know I've mentioned this before in other posts here, but startssl.com offers free Class 1 SSL certs. No need to use self-signed certs if you don't want to. You will need a domain name, though.