Mozilla announced on September 30, 2016 that it made the decision to enforce stronger Diffie-Hellman keys in the Firefox web browser.
Firefox users who visit websites that use weak — now less than1023 bits — will see a connection error message in the web browser instead of the actual site.
The message reads “secure connection failed” and the reason given is the following one:
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
The page lists a learn more link that leads to the Firefox “what does your connection is not secure mean” support page on Mozilla Support.
The error page itself lists a “try again” button but no option to override the policy and open the actual website.
In case you are wondering, this is how other browser’s are handling sites with weak Diffie-Hellman keys:
- Google Chrome, Opera and Vivaldi throw a “this site can’t provide a secure connection” error with no override option. Other Chrome or Chromium-based browsers are likely throwing the same error message.
- Pale Moon throws a “secure connection failed” error.
- Microsoft Edge displays “hmm, we can’t reach this page” error instead.
- Internet Explorer throws the error “this page can’t be displayed.
According to Mozilla, a small number of servers are still configured to use weak keys that are vulnerable to attack.
In response to recent developments attacking Diffie-Hellman key exchange (https://weakdh.org/) and to protect the privacy of Firefox users, we have increased the minimum key size for TLS handshakes using Diffie-Hellman key exchange to 1023 bits. A small number of servers are not configured to use strong enough keys. If a user attempts to connect to such a server, they will encounter the error “ssl_error_weak_server_ephemeral_dh_key”.
The organization mentions the Logjam attack in particular which attacks the TLS protocol.
All major browsers block sites that use weak Diffie-Hellman keys now with no override option. In case you are wondering, Firefox’s preference to override weak security certificates is not working either.