Re: Which web browser on CentOS6 ?




On Fri, February 10, 2017 15:44, Alice Wonder wrote:
> On 02/10/2017 12:34 PM, James B. Byrne wrote:
>>
>> On Fri, February 10, 2017 06:26, Patrick Begou wrote:
>>> Hello
>>>
>>> I have more and more troubles using firefox in professional
>>> environment with CentOS6. The latest version is 45.7.0. But I can't
>>> use it anymore to access some old server hardware (IDRAC7 of DELL
>>> C6100) because of "SSL_ERROR_WEAK_SERVER_CERT_KEY".  I had to
>>> install an old Firefox32 version to administrate these servers.
>>>
>>> Today I upgraded the firmware of 2 DELL switches and now Firefox
>>> cannot connect to them anymore saying: An error occurred during a
>>> connection to xxx.xxx.xxx.xxx. The server rejected the handshake
>>> because the client downgraded to a lower TLS version than the
>>> server supports. SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT
>>>
>>> Is there a CentOS6 recommended web browser allowing continuous
>>> connections to old and new base level (and local) system
>>> administration services ?
>>>
>>
>> This situation arises because older, dare I say old, equipment
>> released with embedded software and using http/https as the
>> administrative front end was shipped with minimally compliant x-509
>> certificates.  Often self-signed with 1kb keys and md5 signature
>> hashes. Not to mention many are past their expiry dates.
>>
>> However, given the revelations of state sanctioned snooping on
>> network traffic, browsers are being pushed to implement increased
>> compliance checking for the overall security of users. Firefox is
>> simply implementing what various 'authorities' are recommending as
>> secure practices with respect to authentication using pki and x-509
>> certificates.
>>
>> The present situation is a PIA.  It could be a lot more
>> user-friendly if FF so chose. They could have easily allowed one to
>> turn off these advanced compliance checks for specific IP and DNS
>> addresses so that the intended benefit remained but the interference
>> with existing infrastructure was minimised.
>>
>> But, FF is on its own chosen path to oblivion and the idea of
>> compromise is totally absent from their project plan.
>>
>>
>
> IMHO FireFox is doing the right thing. Compromises in policy are how
> system compromises often happen.
>
> If you can change the setting to be more forgiving of certain bad
> vendors, then so can malware.
>
> What we really need to do is demand better from the manufacturers of
> products we use in a "professional environment" - and it is extremely
> important we demand better from them now, during the dawn of IoT.
>
>

It is a bit difficult for an end user to insist that a vendor improve
a ten year old piece of equipment.  Sure, that might be as simple as a
firmware update. But why not insist that people buy new product
instead and thereby add to the bottom line?  Which way do you see most
commercial firms going?

FF is a consumer item that is being shipped with a supposedly
Enterprise Linux distribution.  This leads to problems that are
created by the divergence between the target audience and Enterprise
users.  Enterprises tend to have a much more robustly secured gateway
to the wider Internet than consumers.  Which for that audience makes a
lot of the more esoteric security enhancements rather useless.  If an
intruder can carry out an MTM attack on your internal LAN then nothing
FF can do is going to have much of an effect.

A professional organisation would not simply cut administrators off
from the devices that they are required to manage. Nor would it
dictate how a company spends its money on hardware.  A bunch of
self-righteous zealots might.  Which may account for the fact that FF
(all versions) market share is now less than 10%.[1]

[1]
https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0&qptimeframe=M&qpsp=216&qpfilter=ColumnName%09LK%09Fire*


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
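
Added example, not part of the original message or of any project mentioned in the thread: a small audit that flags the three certificate traits named above (short keys, MD5 signature hashes, past expiry) in the text that `openssl x509 -noout -text` prints for a device certificate. The sample dump is constructed, and the 2048-bit minimum and the inclusion of SHA-1 are assumed policy values, not Firefox's own thresholds.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# hypothetical management interface (not taken from any real device).
SAMPLE = """\
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Validity
            Not Before: Jan  1 00:00:00 2008 GMT
            Not After : Jan  1 00:00:00 2013 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

WEAK_HASHES = ("md5", "sha1")  # assumed policy list; the thread names md5


def audit_cert_text(text, now=None, min_rsa_bits=2048):
    """Return a list of findings for one certificate dump."""
    now = now or datetime.now(timezone.utc)
    findings = []

    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if sig and any(h in sig.group(1).lower() for h in WEAK_HASHES):
        findings.append(f"weak signature hash: {sig.group(1)}")

    # The size limit is applied to RSA keys only; EC keys are much shorter.
    # Older OpenSSL prints "RSA Public Key: (N bit)", newer "Public-Key: (N bit)".
    is_rsa = re.search(r"Public Key Algorithm:\s*rsaEncryption", text)
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
    if is_rsa and bits and int(bits.group(1)) < min_rsa_bits:
        findings.append(f"short key: {bits.group(1)} bits")

    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", text)
    if end:
        expiry = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
        expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry < now:
            findings.append(f"expired: {expiry:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE):
        print(finding)
```

Run over the saved certificate dump of each management interface, this gives an inventory of which devices need a reissued certificate or a firmware update.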


