How to disable weak ephemeral Diffie-Hellman public key error

markrcarterjdphd

markrcarterjdphd last edited by

Last week, I started getting the Diffie-Hellman error when logging into my online softphone. Opera was the only browser that correctly enabled the phone. I worked-around the problem by deleting browsing data. At first a day would work. Then, I had to delete a week, then a month. Now even a month won't work. I managed to login by opening a private window. That stopped working today.

blackbird71

blackbird71 last edited by

At root, this breaks down to a question of convenience versus security, which is an age old conflict. Ultimately, employing any degree of security protection inherently implies a corresponding degree of inconvenience. Some of those software makers who supply a communications portal for users believe they have an obligation to protect user security to the best degree possible, even if that means breaking communications paths for those link partners not employing up-to-date security protocols (and hence certificates). Because any user setting that allows the user to bypass a portal security protection opens up the possibility of exploitation, either directly or inadvertantly and either immediately or later on, some security-conscious software makers elect not to provide user bypass options for their built-in security protection elements. Opera is such a maker. Possibly Mozilla will be as well, depending on how they implement their DH fix.

One can argue endlessly about whether a software maker should protect a user from himself, or to what degree. Experienced users may indeed be wise enough to intelligently and carefully relax certain security settings for certain situations; but all too often, either those settings are neglected to be reversed thereafter or inexperienced users relax the settings just to make some favorite 'trivial' site work properly and never think to reverse them for sites where true security/privacy really matter.

In any case, the ultimate industry goal is that all websites and all browsers be upgraded to omit such evident https encryption and secure protocol weaknesses. One of the few practical ways to push that to happen is to migrate browser designs to become incompatible with weak encryption techniques, which in turn will deprive offending sites of visitors and deluge them with user complaints. Ultimately, those sites will have to update their servers and certs if they want to continue supplying https connections; otherwise, they will either drop back to the http level of protection they are in reality offering by weak encryption/protocols or go extinct.

One can elect to use a browser that still allows weak DH encryption for https connections, of course, and run the various risks entailed in keeping the connection private or exploit-free. But it's my belief that fewer such browsers will remain available for much longer.

Deleted User

Deleted User last edited by

This is utter horseshit. This error should absolutely appear by default to protect the average user, but to not even provide a means by which to bypass it is absurd. I am a network/systems administrator - I know exactly what the hell I'm doing, and if I want to run the risks associated with a weak security key when using my own computer, the browser had better get the fuck out of my way.

I have been recommending Opera to my end users for quite some time, and I had intended to make the switch from Chrome to Opera for all of my browsing and resource management needs, but at this point I refuse to support Opera in any way, if only out of principal. Back to Google's memory hogging BS, I guess. Opera is officially uninstalled from my machine, and I will start vehemently discouraging my end users from using it.

Bye, Felicia.

vikont

vikont last edited by

Oops! Looks like Firefox will be going this way at the end of June. See:
https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/

My Firefox is at version 38.0.5, and I can still connect to Freephoneline.ca site normally. But I still cannot connect with Opera.

Opera is trying to be a nanny-browser when no one asks it to. Logjam is not an easy exploit to, well, exploit, and it's not like I'm trying to connect to a compromised banking site. With this enforcement policy, Opera found a way to drive its single-digit market share even lower.

Every good security policy states that at the end of the day security should be in the hands of customers. The product must provide all the tools to enable "perfect" security and flag all known issues, but it must be up to the end user to make the ultimate decision whether to take a perceived risk.

zrqmlao

zrqmlao last edited by

Totally unacceptable! I need to access a school site to take a quiz and opera is blocking my login. Warning is acceptable but not allowing me to connect to a known site is an unwarranted intrusion.

byakuichi

byakuichi last edited by

Firefox 39 do the same now.

cibron

cibron last edited by

It's ridiculous. To implement the things people don't ask, as ignore real necessary requests (or even omit them).
I can't access https websites even in local network.
There always must be a choice for every security issues, e.g. for developers.

I was using and recommending Opera since 2003, once was Opera Campus Crew evangelist, but sorry, can't go anymore with browser stubborn on dumb inflexibility.

lando242

lando242 last edited by

I can't access https websites even in local network.

Sounds to me like you have Turbo enabled.

msubulldog

msubulldog last edited by

Whenever I try contacting support for www.tutor.com, I get that message. But when I use another browser like Google Chrome for the same site, everything is OK.

iwashereonce

iwashereonce last edited by

I have also had this issue on my Galaxy S5. My Galaxy S4 gave me the option to continue and the 5 won't. I also was a network administer so it's really frustrating. I had to sites that I needed to get access to and I found an internet that allows you to. I hope this helps you all out. Download the Dolphin browser and no more headaches.

A Former User

A Former User last edited by

Oops! Looks like Firefox will be going this way at the end of June. See:
https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/

My Firefox is at version 38.0.5, and I can still connect to Freephoneline.ca site normally. But I still cannot connect with Opera.
Opera is trying to be a nanny-browser when no one asks it to. Logjam is not an easy exploit to, well, exploit, and it's not like I'm trying to connect to a compromised banking site. With this enforcement policy, Opera found a way to drive its single-digit market share even lower.
Every good security policy states that at the end of the day security should be in the hands of customers. The product must provide all the tools to enable "perfect" security and flag all known issues, but it must be up to the end user to make the ultimate decision whether to take a perceived risk.

I have no problem connecting freephone.ca using the latest stable version of Opera (33)looks like they may have fixed the problem