How to disable weak ephemeral Diffie-Hellman public key error
-
vikont last edited by
Starting in Opera 30, Opera prevents the HTTPS connection to servers with the D-H group lower than 1024 bits (susceptible to "logjam" attacks). When attempting to connect, you receive this message:
"Server has a weak ephemeral Diffie-Hellman public key.
This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!
In this case the server needs to be fixed. Opera won't use insecure connections in order to protect your privacy."
This is nice, but there needs to be a way (via developers flags, for example) to disable the enforcement. I am aware of weakened security for some sites but need to connect to them anyways - locking the users out is not a solution because we do not control the server settings! Warning is fine, but locking out is unacceptable - besides, on some sites I may not even care that much about perfect security in the first place.
Is there a workaround solution to get around this - short of downgrading to Opera 29, or using other browsers, ALL of which still allow the connections (at least for now)?
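The check behind the error quoted in the post above, as an added example that is not part of the original thread and not Opera's code: it parses the ServerDHParams fields (dh_p, dh_g, dh_Ys) of a TLS DHE ServerKeyExchange body and refuses a modulus below the 1024-bit threshold the post cites. The function names and the sample blobs are assumptions constructed for this illustration; the moduli are sized placeholders, not real primes.

```python
import struct

MIN_DH_BITS = 1024  # threshold quoted in the post: groups lower than 1024 bits are refused

def read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("vector length out of bounds")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Return (p, g, Ys) from the ServerDHParams at the start of a DHE ServerKeyExchange."""
    values, off = [], 0
    for _ in range(3):  # dh_p, dh_g, dh_Ys; the signature that follows is ignored
        raw, off = read_vec16(body, off)
        values.append(int.from_bytes(raw, "big"))
    return tuple(values)

def check_dh_group(body, min_bits=MIN_DH_BITS):
    """Return (accepted, modulus_bits, reason) for the server's ephemeral DH parameters."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        return False, bits, "weak ephemeral Diffie-Hellman public key"
    if not 1 < ys < p - 1:  # degenerate public values give a predictable shared secret
        return False, bits, "invalid DH public value"
    return True, bits, "ok"

def encode_params(p, g, ys):
    """Build a constructed ServerDHParams blob for the demo (not captured traffic)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed moduli: only the size matters here, these are not real primes.
SAMPLES = {bits: encode_params((1 << (bits - 1)) | 1, 2, 4) for bits in (512, 768, 1024, 2048)}

if __name__ == "__main__":
    for bits, blob in SAMPLES.items():
        print(bits, check_dh_group(blob))
```

A server operator can apply the same size test to the DH parameters their TLS configuration serves; the fix the error message asks for is on the server side.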
-
charlieb3 last edited by
I agree with vikont - There needs to be a way for the user to make the choice whether to proceed or not. I'm an Instructor of Web Development at a local University and I can't get to the University web site using Opera - I can with every other browser, but not Opera! I certainly will tell all my students not to go near the Opera browser in my class if this isn't fixed.
-
jm4444 last edited by
If you post a link to a page that throws that error, someone here might be able to help (maybe).
-
vikont last edited by
Here you are: https://www.freephoneline.ca
Surprisingly enough, this site allows for a non-encrypted http connection (that's bad!), and Opera is perfectly OK with it...
-
leocg Moderator Volunteer last edited by
I don't think you will be able to disable the block: http://blogs.opera.com/security/2015/06/unjam-the-logjam/
-
slovardzen last edited by
This is very severe. Users should be able to choose what they want to do.
I was the only guy here at an industrial software company that was a defender for Opera. Not anymore.
60% of the sites I am using to work are returning this message. I can't stay all day long copying and pasting the links from Opera to Chrome.
Unfortunately, I will stop using Opera. Hope the developers fix this issue asap.
-
markrcarterjdphd last edited by
Last week, I started getting the Diffie-Hellman error when logging into my online softphone. Opera was the only browser that correctly enabled the phone. I worked around the problem by deleting browsing data. At first a day would work. Then, I had to delete a week, then a month. Now even a month won't work. I managed to log in by opening a private window. That stopped working today.
-
blackbird71 last edited by
At root, this breaks down to a question of convenience versus security, which is an age-old conflict. Ultimately, employing any degree of security protection inherently implies a corresponding degree of inconvenience. Some of those software makers who supply a communications portal for users believe they have an obligation to protect user security to the best degree possible, even if that means breaking communications paths for those link partners not employing up-to-date security protocols (and hence certificates). Because any user setting that allows the user to bypass a portal security protection opens up the possibility of exploitation, either directly or inadvertently and either immediately or later on, some security-conscious software makers elect not to provide user bypass options for their built-in security protection elements. Opera is such a maker. Possibly Mozilla will be as well, depending on how they implement their DH fix.
One can argue endlessly about whether a software maker should protect a user from himself, or to what degree. Experienced users may indeed be wise enough to intelligently and carefully relax certain security settings for certain situations; but all too often, either those settings are neglected to be reversed thereafter or inexperienced users relax the settings just to make some favorite 'trivial' site work properly and never think to reverse them for sites where true security/privacy really matter.
In any case, the ultimate industry goal is that all websites and all browsers be upgraded to omit such evident https encryption and secure protocol weaknesses. One of the few practical ways to push that to happen is to migrate browser designs to become incompatible with weak encryption techniques, which in turn will deprive offending sites of visitors and deluge them with user complaints. Ultimately, those sites will have to update their servers and certs if they want to continue supplying https connections; otherwise, they will either drop back to the http level of protection they are in reality offering by weak encryption/protocols or go extinct.
One can elect to use a browser that still allows weak DH encryption for https connections, of course, and run the various risks entailed in keeping the connection private or exploit-free. But it's my belief that fewer such browsers will remain available for much longer.
-
Deleted User last edited by
This is utter horseshit. This error should absolutely appear by default to protect the average user, but to not even provide a means by which to bypass it is absurd. I am a network/systems administrator - I know exactly what the hell I'm doing, and if I want to run the risks associated with a weak security key when using my own computer, the browser had better get the fuck out of my way.
I have been recommending Opera to my end users for quite some time, and I had intended to make the switch from Chrome to Opera for all of my browsing and resource management needs, but at this point I refuse to support Opera in any way, if only out of principle. Back to Google's memory hogging BS, I guess. Opera is officially uninstalled from my machine, and I will start vehemently discouraging my end users from using it.
Bye, Felicia.
-
vikont last edited by
Oops! Looks like Firefox will be going this way at the end of June. See:
https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/
My Firefox is at version 38.0.5, and I can still connect to Freephoneline.ca site normally. But I still cannot connect with Opera.
Opera is trying to be a nanny-browser when no one asks it to. Logjam is not an easy exploit to, well, exploit, and it's not like I'm trying to connect to a compromised banking site. With this enforcement policy, Opera found a way to drive its single-digit market share even lower.
Every good security policy states that at the end of the day security should be in the hands of customers. The product must provide all the tools to enable "perfect" security and flag all known issues, but it must be up to the end user to make the ultimate decision whether to take a perceived risk.
-
zrqmlao last edited by
Totally unacceptable! I need to access a school site to take a quiz and Opera is blocking my login. Warning is acceptable but not allowing me to connect to a known site is an unwarranted intrusion.
-
cibron last edited by
It's ridiculous. To implement the things people don't ask, as ignore real necessary requests (or even omit them).
I can't access https websites even in local network.
There always must be a choice for every security issue, e.g. for developers.
I was using and recommending Opera since 2003, once was Opera Campus Crew evangelist, but sorry, can't go anymore with browser stubborn on dumb inflexibility.
-
lando242 last edited by
I can't access https websites even in local network.
Sounds to me like you have Turbo enabled.
-
msubulldog last edited by
Whenever I try contacting support for www.tutor.com, I get that message. But when I use another browser like Google Chrome for the same site, everything is OK.
-
iwashereonce last edited by
I have also had this issue on my Galaxy S5. My Galaxy S4 gave me the option to continue and the 5 won't. I also was a network administrator so it's really frustrating. I had two sites that I needed to get access to and I found an internet that allows you to. I hope this helps you all out. Download the Dolphin browser and no more headaches.
-
A Former User last edited by
Oops! Looks like Firefox will be going this way at the end of June. See:
https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/
My Firefox is at version 38.0.5, and I can still connect to Freephoneline.ca site normally. But I still cannot connect with Opera.
Opera is trying to be a nanny-browser when no one asks it to. Logjam is not an easy exploit to, well, exploit, and it's not like I'm trying to connect to a compromised banking site. With this enforcement policy, Opera found a way to drive its single-digit market share even lower.
Every good security policy states that at the end of the day security should be in the hands of customers. The product must provide all the tools to enable "perfect" security and flag all known issues, but it must be up to the end user to make the ultimate decision whether to take a perceived risk.
I have no problem connecting freephone.ca using the latest stable version of Opera (33). Looks like they may have fixed the problem.