
https://discussions.Apple.com has broken encryption

If I set my Firefox preferences to security.ssl.require_safe_negotiation TRUE, no pages within discussions.apple.com will load at all. The error warning tells me that this domain has Broken Encryption (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2). I have not had this issue with any other site so I can't imagine that it would be difficult to fix. With all of Apple's talk of the importance of privacy and security recently, you'd think they'd have working encryption on their own domain. Can someone else using Firefox test that about:config preference and let me know if you get the same results? Thanks

Posted on Jun 29, 2015 7:47 AM


Jun 29, 2015 8:24 AM in response to ChitlinsCC

If you look at the URL Bar right now, before changing any settings, do you see a triangle with an exclamation point next to the Apple favicon?

User uploaded file


Normally, on an HTTPS page, you would see a lock in that place.

User uploaded file


Clicking on the exclamation triangle gives you a More Information.... pop-out.

User uploaded file


Clicking More Information gives you this:

User uploaded file


Now, if you go into about:config and search "security" you should find the highlighted setting shown in the image below:

User uploaded file


If you change that from FALSE to TRUE so that you Require Safe SSL Negotiation and try to reload this discussion page or try to load any pages within https://discussions.apple.com, I believe you will find, as I have, that you get this:


User uploaded file

Jun 29, 2015 8:54 AM in response to ChitlinsCC

Hmmmmmm.....Well, I have the HTTPS Everywhere add-on, which forces HTTPS connections on sites that attempt to default to HTTP. And I have uBlock Origin, which allows you to selectively choose which third-party elements, if any, you want to load on a page and blocks tracking. And I have an add-on called TinFoil enabled, which prevents things like geolocation, automatic pinging of Google and WebRTC functions like access to camera and mic, etc. I'll see if restarting with any of those disabled changes things, but I don't see how any of them would invalidate Apple's own SSL certificate. Do you?

Jun 29, 2015 10:06 AM in response to turingtest2

tt2, do you also have uBlock Origin installed?


While doing a little troubleshooting, I'm finding that discussions.apple.com appears to be secure, as it does for ChitlinsCC, only when all settings requiring secure connections are disabled. As soon as verified encryption is requested or required, through a variety of different settings, the domain is categorized as insecure. I don't know what this means other than it would appear the SSL certs are spoofed?
