Verifying and testing that Firefox is restricted to TLS 1.2
Author: Michael Horowitz | Date: Sun, 16 Jul 2017 12:56:00 -0700
TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure. Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol.
But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.
The error message from Firefox 54 when the browser has been restricted to TLS 1.2 and encounters a website that does not support TLS 1.2
For the benefit of search engines, the error reads
The security protocol it refers to is TLS. There are three problems, however, with this Firefox error message.
For one thing, TLS 1.0 and 1.1, which the website is using, are indeed supported by Firefox – it's just that this particular instance of the browser was configured not to use them. And, annoyingly, the message does not say which unsupported version it encountered.
Finally, the bottom of the message is a trap: specifically, the note that “It looks like your network security settings might be causing this. Do you want the default settings to be restored?” together with the blue “Restore default settings” button.
I consider this a trap because it resets Firefox to again accept the older, less secure TLS versions (1.0 and 1.1).
The screenshot is from Firefox version 54 on Windows; the error message on OS X is the same. On Android, however, Firefox 54 does not say that your network security settings are the issue, and there is no button to restore the default settings.
VERIFYING THE TWEAK
You may go months before encountering a website that does not support TLS 1.2. In that case, how do you know the tweaking of Firefox really worked?
In this blog I have repeatedly praised the SSL Server test from Qualys/SSL Labs. The same company also offers the reverse test. That is, rather than test websites, it tests your web browser.
Visit the SSL Client Test site and the test runs automatically. Scroll down to the Protocols section. If the tweaking worked as expected, you should see a “Yes” for TLS 1.2 and a “No” for TLS 1.1, TLS 1.0, SSL 3 and SSL 2. That’s good Defensive Computing. It also reports on TLS 1.3, but as this version is still in draft mode, it can be ignored.
LIVE TESTING
Tester pages are available at the badssl.com site, which is maintained by April King from Mozilla and Lucas Garron from Google.
There are two test websites, one that only supports TLS version 1.1 and another that only supports version 1.0. They are
TLS 1.1 only => https://tls-v1-1.badssl.com:1011
TLS 1.0 only => https://tls-v1-0.badssl.com:1010
If you try to load these pages in a normal web browser, all is well. But try to load them in a copy of Firefox that has been restricted to TLS 1.2 and they fail.
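Both checks above (confirming the tweak took, and watching a TLS-1.2-only client fail against the badssl.com hosts) can be scripted. The following is an added example, not code from the post or from Mozilla. It assumes the tweak was made through the Firefox preference `security.tls.version.min` (where 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3), which Firefox persists in the profile's `prefs.js` as `user_pref(...)` lines; the sample `prefs.js` text below is constructed for the demonstration. The second function emulates the restricted browser by offering only TLS 1.2 to a server and reporting whether the handshake completed, which is what the badssl.com live test does in the browser.

```python
import re
import socket
import ssl
import sys

# Firefox preference that sets the lowest TLS version the browser will negotiate.
# Value meanings: 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.
MIN_TLS_PREF = "security.tls.version.min"
TLS12 = 3

# Constructed sample of a prefs.js file as found in a Firefox profile folder
# (a real one holds hundreds of other prefs; only the layout matters here).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 3);
user_pref("network.cookie.cookieBehavior", 1);
"""

# One user_pref("name", value); per line.  The value is kept as its raw text.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.MULTILINE)


def parse_prefs(text):
    """Map pref name -> raw value text for every user_pref line in prefs.js/user.js."""
    return {name: value for name, value in PREF_RE.findall(text)}


def min_tls_is_12(prefs_text):
    """True if the prefs pin the minimum TLS version to 1.2 or higher.

    A missing pref means Firefox is back on its default, which (per the post)
    accepts TLS 1.0 and 1.1 again; that is exactly what the error page's
    'Restore default settings' button leaves behind, so it is reported as False.
    """
    raw = parse_prefs(prefs_text).get(MIN_TLS_PREF)
    if raw is None:
        return False
    try:
        return int(raw) >= TLS12
    except ValueError:
        return False


def tls12_only_handshake(host, port=443, timeout=5.0):
    """Emulate the restricted browser: offer only TLS 1.2 and report the outcome.

    Returns (True, negotiated_version) on success or (False, reason) when the
    server cannot speak TLS 1.2, which is what the badssl.com test hosts show.
    Needs network access; nothing here is contacted unless you call it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw_sock:
            with ctx.wrap_socket(raw_sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Offline part: confirm the constructed prefs.js pins TLS 1.2.
    print("sample prefs.js pins TLS 1.2:", min_tls_is_12(SAMPLE_PREFS_JS))
    # Live part: pass hosts such as tls-v1-1.badssl.com:1011 on the command line.
    for arg in sys.argv[1:]:
        host, _, port = arg.partition(":")
        ok, detail = tls12_only_handshake(host, int(port or 443))
        status = "connected via " + detail if ok else "handshake failed: " + detail
        print(f"{arg}: {status}")
```

Run it with no arguments to check the embedded sample, or point `min_tls_is_12` at the contents of your own profile's `prefs.js`; pass the two badssl.com hosts from the post as arguments to see the TLS-1.2-only client refused by each, and a normal TLS 1.2 site accepted.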
Finally, is limiting Firefox to TLS 1.2 really worth the trouble?
Qualys thinks so. At their SSL Server Test, any website that does not support TLS 1.2 can’t score higher than a C. Deservedly so.
Still to come: limiting Chrome and Internet Explorer to TLS 1.2, and doing the same with the Endless browser on iOS.
FEEDBACK
Get in touch with me privately by email at my full name at Gmail or publicly on twitter at @defensivecomput.