Upgrading Firefox TLS support

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Upgrading Firefox TLS support

Post by Thrawn » Sat Aug 10, 2013 4:14 am

If you're running Firefox 23 or newer, you can now choose to support newer and safer TLS encryption versions. Unfortunately, there are some very broken websites that choke if your browser declares support for these newer versions, so Mozilla has not enabled it by default.

To upgrade your TLS version, go to about:config and search for 'security.tls.max_version' (only Firefox 23 and newer have this setting).
  • 0 = SSL 3.0. This should be your minimum.
  • 1 = TLS 1.0. Firefox <= 22 supports this.
  • 2 = TLS 1.1. Firefox 23 supports this.
  • 3 = TLS 1.2. Firefox 24 will support this.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

User avatar
therube
Ambassador
Posts: 7669
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Upgrading Firefox TLS support

Post by therube » Sat Aug 10, 2013 12:16 pm

> there are some very broken websites ...

Example: https://wcis.iwif.com/sso/Login.do
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 SeaMonkey/2.22a2

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Upgrading Firefox TLS support

Post by dhouwn » Sat Aug 24, 2013 9:04 am

Thanks!
Though, does this really make it a significant difference security-wise as long as falling back to old versions (down to SSL 3.0, thank goodness not 2.0 any more) is still supported? You would have to change security.tls.version.min too, but this is then certainly going to break a lot more (see slide 37 of http://blog.ivanristic.com/downloads/Qualys_SSL_Labs-State_of_SSL_2010-v1.6.pdf for TLS version support stats from 2010).

/edit:
https://bugzil.la/861266#c15 wrote:Given that 24 is already in Aurora, and even TLS v1.1 is not yet implemented (but in progress), this bug will not be fixed in ESR 24.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Upgrading Firefox TLS support

Post by Thrawn » Sat Aug 24, 2013 9:37 am

dhouwn wrote:Thanks!
Though, does this really make it a significant difference security-wise as long as falling back to old versions (down to SSL 3.0, thank goodness not 2.0 any more) is still supported?

It makes a difference to some attacks, yes. An attacker would have to interfere with your traffic and persuade everyone to downgrade, which is harder than just snooping.

I've also taken to disabling RC4 cipher suites (using the CipherFox extension, but you can do it manually by searching for rc4 in about:config). Unfortunately my bank uses RC4 exclusively :s
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

User avatar
therube
Ambassador
Posts: 7669
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Upgrading Firefox TLS support

Post by therube » Sat Aug 24, 2013 11:34 am

> as long as falling back to old versions ... is still supported?

You can switch back from 1.1 to say 1.0, but it is not done automatically, as of yet.
(Bug exists, but don't know which ATM.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 SeaMonkey/2.22a2

Post Reply