On Fri, February 10, 2017 15:44, Alice Wonder wrote:
> On 02/10/2017 12:34 PM, James B. Byrne wrote:
>>
>> On Fri, February 10, 2017 06:26, Patrick Begou wrote:
>>> Hello
>>>
>>> I have more and more troubles using firefox in professional
>>> environment with CentOS6. The latest version is 45.7.0. But I
>>> can't use it anymore to access some old server hardware (IDRAC7
>>> of DELL C6100) because of "/SSL_ERROR_WEAK_SERVER_CERT_KEY/". I
>>> had to install an old Firefox32 version to administrate these
>>> servers.
>>>
>>> Today I upgraded the firmware of 2 DELL switches and now Firefox
>>> cannot connect to them anymore saying: /An error occurred during a
>>> connection to xxx.xxx.xxx.xxx. The server rejected the handshake
>>> because the client downgraded to a lower TLS version than the
>>> server supports/ /SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT/
>>>
>>> Is there a CentOS6 recommended web browser allowing continuous
>>> connections to old and new base level (and local) system
>>> administration services ?
>>>
>>
>> This situation arises because older, dare I say old, equipment
>> released with embedded software and using http/https as the
>> administrative front end were shipped with minimally compliant x-509
>> certificates. Often self-signed with 1kb keys and md5 signature
>> hashes. Not to mention many are past their expiry dates.
>>
>> However, given the revelations of state sanctioned snooping on
>> network traffic browsers are being pushed to implement increased
>> compliance checking for the overall security of users. Firefox is
>> simply implementing what various 'authorities' are recommending as
>> secure practices with respect to authentication using pki and x-509
>> certificates.
>>
>> The present situation is a PIA. It could be a lot more
>> user-friendly if FF so chose. They could have easily allowed one to
>> turn off these advanced compliance checks for specific IP and DNS
>> addresses so that the intended benefit remained but the
>> interference with existing infrastructure was minimised.
>>
>> But, FF is on its own chosen path to oblivion and the idea of
>> compromise is totally absent from their project plan.
>>
>>
>
> IMHO FireFox is doing the right thing. Compromises in policy are how
> system compromises often happen.
>
> If you can change the setting to be more forgiving of certain bad
> vendors, then so can malware.
>
> What we really need to do is demand better from the manufacturers of
> products we use in a "professional environment" - and it is
> extremely important we demand better from them now, during the dawn
> of IoT.
>
>

It is a bit difficult for an end user to insist that a vendor improve
a ten year old piece of equipment. Sure, that might be as simple as a
firmware update. But why not insist that people buy new product
instead and thereby add to the bottom line? Which way do you see most
commercial firms going?

FF is a consumer item that is being shipped with a supposedly
Enterprise Linux distribution. This leads to problems that are
created by the divergence between the target audience and Enterprise
users. Enterprises tend to have a much more robustly secured gateway
to the wider Internet than consumers. Which for that audience makes a
lot of the more esoteric security enhancements rather useless. If an
intruder can carry out a MTM attack on your internal LAN then nothing
FF can do is going to have much of an effect.

A professional organisation would not simply cut administrators off
from the devices that they are required to manage. Nor would it
dictate how a company spends its money on hardware. A bunch of
self-righteous zealots might. Which may account for the fact that FF
(all versions) market share is now less than 10%.[1]

[1] https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qptimeframe=M&qpsp=216&qpfilter=ColumnName%09LK%09Fire*

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3