
Restricting Firefox to TLS version 1.2 makes browsing safer


What's behind the curtain of HTTPS is TLS. There are three versions of the TLS protocol and there is no reason to still support the oldest two versions. A simple tweak of Firefox can ensure it only supports the most secure version, TLS 1.2.
Last September, I took Apple to task for not having all their ducks in a row, writing that some of their security oversights allowed Apple websites to leak passwords.
The detailed technical information in that article came from the excellent SSL Server Test from SSL Labs, a division of Qualys. The test analyzes secure websites, reports on the full gory technical details and assigns a letter grade. Many do not get an A rating. Lots of ducks are not being lined up correctly around the web.
Sites that support all three versions of TLS can get an A rating from Qualys, a decision that I find questionable.
As a Defensive Computing guy, I would not trust a website that does not support TLS version 1.2. Fortunately, I don’t have to.
The steps below let you disable TLS 1.0 and TLS 1.1 along with the ancient SSL version 3. After doing so, Firefox will only display secure websites that support TLS 1.2. Insecure HTTP websites are not affected. We are, in effect, lining up the first duck.
This tweak of Firefox was recently tested using version 54 on Windows and Android, and version 50 on OS X. It is not supported by Firefox 7.5 on iOS 10. It's also nothing new; it was first introduced in April 2013.
1. Enter about:config in the address bar
2. Click through the warning about voiding your warranty
3. In the Search bar, search for "security.tls"
4. This should end up displaying about 10 configuration options. The entry for "security.tls.version.min" should be at its default value of 1.
5. Double-click on "security.tls.version.min"
6. Set it to 3 and click the OK button.
The result should look like the image below (from Firefox 54 on Windows).
Tweaking Firefox to only use TLS version 1.2
Now, you will be browsing the web a bit more securely.
I changed this a while ago in my copy of Firefox and for the most part, it has been fine. That is, almost every website that supports TLS at all, supports version 1.2. Still, we are safer by avoiding TLS 1.0 and 1.1.
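To check that the setting from the steps above is actually in effect for a profile, the preference can be read back from the profile's prefs.js and user.js files. The script below is an added example, not part of the original article; it assumes the file contents are passed in as text (locating the profile directory is left out), uses Firefox's numeric encoding for TLS versions, and runs on constructed sample contents.

```python
import re

# Firefox's numeric encoding for security.tls.version.min / .max.
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
PREF = "security.tls.version.min"
DEFAULT_MIN = 1   # default value the article reports for the versions it tested
REQUIRED_MIN = 3  # TLS 1.2, the floor the article recommends

# Matches lines such as: user_pref("security.tls.version.min", 3);
# Commented-out lines do not match because the pattern is anchored at line start.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')

def read_int_pref(text, name):
    """Return the last integer value set for `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = int(m.group(2))  # later lines override earlier ones
    return value

def audit_profile(prefs_js, user_js=""):
    """Compute the effective TLS floor for one profile and judge it.

    user.js is applied on top of prefs.js at startup, so it wins when both
    files set the preference.
    """
    effective, source = DEFAULT_MIN, "default"
    for label, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        found = read_int_pref(text, PREF)
        if found is not None:
            effective, source = found, label
    return {
        "value": effective,
        "protocol": TLS_VERSIONS.get(effective, "unknown"),
        "source": source,
        "compliant": effective >= REQUIRED_MIN,
    }

# Constructed sample file contents (not taken from a real profile).
SAMPLE_UNTOUCHED = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_TWEAKED = '// saved by about:config\nuser_pref("security.tls.version.min", 3);\n'
SAMPLE_USERJS_DOWNGRADE = 'user_pref("security.tls.version.min", 1);\n'

if __name__ == "__main__":
    print("untouched:", audit_profile(SAMPLE_UNTOUCHED))
    print("tweaked:", audit_profile(SAMPLE_TWEAKED))
    print("user.js override:", audit_profile(SAMPLE_TWEAKED, SAMPLE_USERJS_DOWNGRADE))
```

The third case is the one worth watching for: a user.js that sets the preference back to 1 silently undoes the about:config change at the next start.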
FEEDBACK Get in touch with me privately by email at my full name at Gmail or publicly on Twitter at @defensivecomput.
