Upcoming security improvements in Firefox 27 in regards to TLS support
The SSL (Secure Socket Layer) and TLS (Transport Layer Security) protocol determine how clients communicate with servers using encrypted connections.
Most Internet users are probably unaware of the differences between those protocols. TLS basically improves SSL, and what makes this somewhat difficult to understand is that TLS uses a different version scheme than SSL.
The latest version of SSL is 3.0, while the latest TLS version is 1.2. Most web browsers support SSL 3.0 as the minimum required protocol to establish secure connections. Before that protocol is used, browsers try to use the "newer" TLS protocol first.
If you are running Firefox 26 currently, you may have noticed that your browser is only supported SSL 3.0 and TLS 1.0, but not TLS 1.1 or TLS 1.2 by default.
While the technology has been implemented, the reason that it is not enabled by default is that there is no fallback available in the browser to go from TLS 1.2 or TLS 1.1 to 1.0 or SSL 3.0. The effect in this case is that the connection cannot be established.
It is possible to enable TLS 1.1 or TLS 1.2 anyway in the browser right away. Or, you can wait until Firefox 27 ships as it will set TLS 1.2 as the new maximum version of the TLS protocol in the browser.
Checking the security protocol in Firefox
In older versions of Firefox, a preference was available in the browser's settings that you could use to select which security protocols you wanted the browser to use. Mozilla removed that options for the interface, so that it is now only available using about:config.
You can check the current maximum version in the following way:
- Type about:config in the browser's address bar and hit enter.
- Confirm that you will be careful if you get a warning message.
- Search for the preference security.tls.version
- You get two listings here. First, security.tls.version.max.
- It is set to 1 by default in Firefox 26 and older, indicating that only TLS 1.0 is supported, but not TLS 1.1 or TLS 1.2
- The second preference is security.tls.version.min
- It is set to 0 by default, which indicates that SSL 3.0 is also support and the minimum required protocol for secure connections.
In Firefox 27, security.tls.version.max is changed to 3 by default, which means that both TLS 1.1 and TLS 1.2 are supported by Firefox by default then.
The preference security.tls.version.min determines the minimum protocol version supported by Firefox, while security.tls.version.max the highest protocol version.
Here are all possible values for the preference at the time of writing (this will be modified once newer versions of the TLS protocol come out).
- 0 means SSL 3.0 is the minimum required or maximum support version of the encryption protocol.
- 1 means that TLS 1.0 is the minimum required or maximum support version of the encryption protocol.
- 2 means that TLS 1.1 is the minimum required or maximum support version of the encryption protocol.
- 3 means that TLS 1.2 is the minimum required or maximum support version of the encryption protocol.
- 4 means that TLS 1.3Â is the minimum required or maximum support version of the encryption protocol.
The min and max preference go hand in hand. In Firefox 27, min is set to 0 and max is set to 3, meaning that all protocols are supported, and that Firefox will try to use TLS 1.2 first, then TLS 1.1, then TLS 1.0, and then SSL 3.0.
You can modify that if you want, for instance by changing the min preference from 0 to 1, 2 or 3. This limits which protocols can be used to encrypt the flow of data, which in turn means that you may not be able to connect to web hosts which support only older protocol versions.
While not explicitly mentioned on Mozillazine, it is likely that Mozilla has implemented the fallback mechanism in Firefox 27 so that weaker protocols are used automatically if a server does not support stronger ones. Firefox will always try to use the strongest protocol first before it falls back to a weaker protocol version.
Additional information about Transport Layer Security are available on Wikipedia.
As SSL is known to have a NSA backdoor, it is advised to use the none-NSA-backdoored TLS.
Everyone should watch : To Protect And Infect, Part 2
“The min and max preference go hand in hand. In Firefox 27, min is set to 0 and max is set to 3, meaning that all protocols are supported, and that Firefox will try to use TLS 1.2 first, then TLS 1.1, then TLS 1.0, and then SSL 3.0.”
While Fx now supports TLS 1.1 and 1.2 by default, the browser still tells servers it prefers 1.0 connections. See https://cc.dcsec.uni-hannover.de/. That means it may nudge servers to use 1.0 even if both of them support higher versions. (BTW, Chrome also prefers 1.0 while IE prefers 1.2.)