Upgrading Firefox TLS support

Posted: Sat Aug 10, 2013 4:14 am
by Thrawn
If you're running Firefox 23 or newer, you can now choose to support newer and safer TLS encryption versions. Unfortunately, there are some very broken websites that choke if your browser declares support for these newer versions, so Mozilla has not enabled it by default.

To upgrade your TLS version, go to about:config and search for 'security.tls.max_version' (only Firefox 23 and newer have this setting).
  • 0 = SSL 3.0. This should be your minimum.
  • 1 = TLS 1.0. Firefox <= 22 supports this.
  • 2 = TLS 1.1. Firefox 23 supports this.
  • 3 = TLS 1.2. Firefox 24 will support this.

Re: Upgrading Firefox TLS support

Posted: Sat Aug 10, 2013 12:16 pm
by therube
> there are some very broken websites ...

Example: https://wcis.iwif.com/sso/Login.do

Re: Upgrading Firefox TLS support

Posted: Sat Aug 24, 2013 9:04 am
by dhouwn
Thanks!
Though, does this really make a significant difference security-wise as long as falling back to old versions (down to SSL 3.0, thank goodness not 2.0 any more) is still supported? You would have to change security.tls.version.min too, but this is then certainly going to break a lot more (see slide 37 of http://blog.ivanristic.com/downloads/Qu ... 0-v1.6.pdf for TLS version support stats from 2010).

/edit:
https://bugzil.la/861266#c15 wrote:
> Given that 24 is already in Aurora, and even TLS v1.1 is not yet implemented (but in progress), this bug will not be fixed in ESR 24.

Re: Upgrading Firefox TLS support

Posted: Sat Aug 24, 2013 9:37 am
by Thrawn
dhouwn wrote:
> Thanks!
> Though, does this really make a significant difference security-wise as long as falling back to old versions (down to SSL 3.0, thank goodness not 2.0 any more) is still supported?

It makes a difference to some attacks, yes. An attacker would have to interfere with your traffic and persuade everyone to downgrade, which is harder than just snooping.

I've also taken to disabling RC4 cipher suites (using the CipherFox extension, but you can do it manually by searching for rc4 in about:config). Unfortunately my bank uses RC4 exclusively :s
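
Added example, not part of the original thread: a small audit of a Firefox `user.js`/`prefs.js` file that reports the effective TLS version range and any RC4 suites switched on, covering both the version setting from the first post and the RC4 change above. It assumes the preference pair `security.tls.version.min` / `security.tls.version.max`, Firefox 23 defaults of 0 and 1, and constructed sample content.

```python
import re

# Version numbers as listed in the first post of this thread.
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
# Assumed Firefox 23 defaults, used when a pref is absent from the file.
DEFAULTS = {"security.tls.version.min": 0, "security.tls.version.max": 1}
# Matches lines such as: user_pref("security.tls.version.max", 2);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Report the effective TLS version range and any enabled RC4 suites."""
    prefs = {**DEFAULTS, **parse_prefs(text)}
    lo, hi = prefs["security.tls.version.min"], prefs["security.tls.version.max"]
    findings = []
    if lo > hi:
        findings.append("min is above max: no version can be negotiated")
    if hi < 2:
        findings.append(f"max is {VERSIONS.get(hi, hi)}: TLS 1.1 and 1.2 are not offered")
    if lo == 0:
        findings.append("min is SSL 3.0: raising max alone still permits a downgrade")
    # Only prefs present in the file are visible here; RC4 suites left at
    # their default do not appear in prefs.js or user.js.
    for name in sorted(n for n, v in prefs.items() if "rc4" in n and v is True):
        findings.append(f"RC4 suite enabled: {name}")
    return {"min": VERSIONS.get(lo, lo), "max": VERSIONS.get(hi, hi), "findings": findings}

# Constructed sample user.js content, not taken from a real profile.
SAMPLE = '''
// TLS settings
user_pref("security.tls.version.max", 3);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", true);
'''

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(report["min"], "to", report["max"])
    for line in report["findings"]:
        print(" -", line)
```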

Re: Upgrading Firefox TLS support

Posted: Sat Aug 24, 2013 11:34 am
by therube
> as long as falling back to old versions ... is still supported?

You can switch back from 1.1 to say 1.0, but it is not done automatically, as of yet.
(Bug exists, but don't know which ATM.)