After having tweaked Firefox to only use TLS version 1.2, one website can verify that the tweak worked and another can test it.
But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.
For the benefit of search engines, the error reads
The security protocol it refers to is TLS. There are three problems, however, with this Firefox error message.
For one thing, TLS 1.0 and 1.1, which the website is using, is indeed supported by Firefox – its just that a particular instance of the browser was configured not to use them. And, annoyingly, the message does not say what unsupported version it encountered.
Finally, the bottom of the message is a trap. Specifically, the note that “It looks like your network security settings might be causing this. Do you want the default settings to be restored?” along with the blue “Restore default settings” button.
I consider this a trap because it resets Firefox to again accept the older, less secure TLS versions (1.0 and 1.1) .
You may go months before encountering a website that does not support TLS 1.2. In that case, how do you know the tweaking of Firefox really worked?
In this blog I have repeatedly praised the SSL Server test from Qualys/SSL Labs. The same company also offers the reverse test. That is, rather than test websites, it tests your web browser.
Visit the SSL Client Test site and the test runs automatically. Scroll down to the Protocols section. If the tweaking worked as expected, you should see a “Yes” for TLS 1.2 and a “No” for TLS 1.1, TLS 1.0, SSL 3 and SSL 2. That’s good Defensive Computing. It also reports on TLS 1.3, but as this version is still in draft mode, it can be ignored.
There are two test websites, one that only supports TLS version 1.1 and another that only supports version 1.0. They are
If you try to load these pages in a normal web browser, all is well. But try to load them in a copy of Firefox that has been restricted to TLS 1.2 and they fail.
Finally, is limiting Firefox to TLS 1.2 really worth the trouble?
Qualys thinks so. At their SSL server test, any website that does not support TLS 1.2, can’t score higher than a C. Deservedly so.
Still to come: limiting Chrome and Internet Explorer to TLS 1.2, and doing the same with the Endless browser on iOS.
FEEDBACK Get in touch with me privately by email at my full name at Gmail or publicly on twitter at @defensivecomput.
