We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Mozilla Support में खोजें

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

It is possible to bypass the BEAST mitigation in place on firefox?

  • 9 प्रत्युत्तर
  • 1 यह समस्या है
  • 2 views
  • के द्वारा अंतिम प्रतियुतर AdamSuttle

more options

I have an internal web based application that is affected the the fixes put in place by all browsers to help mitigate the BEAST exploit. Is it possible to disable the fixes in place so I can access the HTTPS pages in question? This system is in a closed network so I'm not terribly concerned about loosening the security.

I've tried setting the max security to SSL 3.0 but that does nothing, I still get "The Connection was Reset" when attempting to access the page. If I use Firefox 8 it works fine I just do not know what settings if any can be enabled/disabled to force access.

Any suggestions or help is greatly appreciated.

I have an internal web based application that is affected the the fixes put in place by all browsers to help mitigate the BEAST exploit. Is it possible to disable the fixes in place so I can access the HTTPS pages in question? This system is in a closed network so I'm not terribly concerned about loosening the security. I've tried setting the max security to SSL 3.0 but that does nothing, I still get "The Connection was Reset" when attempting to access the page. If I use Firefox 8 it works fine I just do not know what settings if any can be enabled/disabled to force access. Any suggestions or help is greatly appreciated.

AdamSuttle द्वारा सम्पादित

All Replies (9)

more options

I am sorry, but this is not a safe action.
I will not assist you in jeopardizing your safety as a Firefox user.

Contact the support team for the application in question and report the issue to them so that they can repair the application.

more options

Safe action or not it is a closed environment with a product that has no chance to be fixed(company defunct). I appreciate your concern but honestly I'm a bit surprised this has not come up more. If this question has been asked before I cannot find it with any magical combination of keywords either.

more options

Sorry, but most volunteers of Mozilla and the Mozilla support staff members will not assist users in actions that may harm or compromise the user's security.

more options

And I can completely understand not doing it just on a whim but I think the question shows I am not someone's grandmother doing this based on a phishing scam etc. Since you are obviously quite versed with the product can you at least confirm if this is something that can be done within about:config or would it require other steps/access to the OS running the browser? I would appreciate a point in the right direction so I can work on this further. Thanks again for any help.

more options

The majority of Firefox security patches are built-in to the source code.
These security settings cannot be accessed from the about:config.

more options

See comment 60 in this bug report for workaround, but be aware that this makes you vulnerable to that BEAST attack.

Be sure to remove that environment variable after testing to prevent you from being vulnerable to that exploit.

  • Bug 702111 - Servers intolerant to 1/n-1 record splitting. "The connection was reset"
more options

Sadly I have tried that before and it does not work for some reason. I've tried putting it in usr and system variables for Windows with no effect. Thanks for the idea though.

more options

It is however still in the code:

So you may have something else going on.

Be sure to remove the environment variable if you created it in Control Panel > System.
The way to proceed in such a case is to use a cmd file that sets the environment variable and subsequently launches Firefox so it only works for this specific start or Firefox.

more options

I've removed the variable as recommended from my system. If it is still on in the code does that mean that my OS environmental variable is overridden by Firefox? While I grasp the technical details to some degree my knowledge of how the operating system and browser set these controls is obviously lacking lol.