Mozilla re-enables TLS 1.0 and 1.1 because of Coronavirus (and Google)
Mozilla released Firefox 74.0 Stable to the public on March 10, 2020. The new version of Firefox came with a number of changes and improvements; among them the deprecation of the security protocols TLS 1.0 and TLS 1.1 in the Firefox web browser.
Support for the two protocols was not removed from Firefox; Mozilla only changed their default status to disabled in Firefox 74.0, by raising the default of the preference security.tls.version.min (the lowest protocol version Firefox will negotiate) from 1, TLS 1.0, to 3, TLS 1.2.
A consortium of browser makers, among them Mozilla, Google, Microsoft and Apple, vowed to remove TLS 1.0 and 1.1 from their browsers in order to improve the security and performance of Internet connections by relying on TLS 1.2 and TLS 1.3 for secure connections.
Mozilla has since re-enabled TLS 1.0 and 1.1 in Firefox Stable and Beta. It is unclear exactly when that happened, but an update to the Firefox 74.0 release notes explains why the protocols were enabled again. Mozilla notes:
We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.
According to the update posted on the release notes page, Mozilla made the decision because some government sites still rely on the old protocols. Mozilla does not provide any examples of government sites that still rely on these dated protocols.
The organization's independent Site Compatibility website offers more details:
Mozilla is going to temporarily re-enable the TLS 1.0/1.1 support in Firefox 74 and 75 Beta. The preference change will be remotely applied to Firefox 74, which has already been shipped. This is because many people are currently forced to work at home and are relying on online tools amid the novel coronavirus (COVID-19) outbreak, but some critical government sites still don't support TLS 1.2 yet.
A new bug on Mozilla's bug tracking site provides additional information and another reason entirely: Google postponed Chrome releases, which makes it unlikely that Google will disable TLS 1.0 and 1.1 in Chrome for the time being, and that would have left Firefox as the only browser with the protocols disabled in its Stable version.
The consequence is that Mozilla re-enabled TLS 1.0 and 1.1 in Firefox Stable and Firefox Beta; on installations that already run Firefox 74, the change arrives as a remote preference rollout rather than as a new build. Users who want TLS 1.2 or higher only can set the preference security.tls.version.min to 3 in about:config (a value of 4 would require TLS 1.3); a site that offers nothing newer than TLS 1.1 will then fail to load instead of connecting. Users who do not want Mozilla to change preferences remotely at all can additionally set app.normandy.enabled and app.shield.optoutstudies.enabled to false, at the cost of not receiving future remote rollouts, including ones that tighten security.
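To make the preference's semantics concrete, here is an added example (not Mozilla's code, and not part of the original article): it parses a TLS ServerHello, works out which protocol version the server actually selected (a TLS 1.3 server still writes 0x0303 in the legacy version field and announces 1.3 only in the supported_versions extension), and applies the security.tls.version.min / security.tls.version.max policy to the result. The ServerHello messages are constructed inside the script, so nothing touches the network; build_server_hello, negotiated_version and allowed_by_policy are names chosen for this example.

```python
"""Negotiated-version check for a TLS ServerHello with a Firefox-style policy.

Added example for this page; not Mozilla code. The ServerHello bytes are
constructed locally by build_server_hello(); nothing goes on the wire.
"""
import struct

# security.tls.version.min / .max values as Firefox uses them
# (1 = TLS 1.0 ... 4 = TLS 1.3), mapped to the two-byte wire versions.
PREF_TO_WIRE = {1: 0x0301, 2: 0x0302, 3: 0x0303, 4: 0x0304}
WIRE_TO_NAME = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446, section 4.2.1
HANDSHAKE_SERVER_HELLO = 0x02


def build_server_hello(legacy_version, selected_version=None, cipher_suite=0x002F):
    """Construct a minimal ServerHello handshake message (constructed test data).

    A TLS 1.3 server keeps legacy_version at 0x0303 and signals 1.3 only in
    the supported_versions extension, which is what selected_version emits.
    """
    body = struct.pack(">H", legacy_version)      # legacy_version
    body += bytes(32)                              # random (zeros: sample data only)
    body += b"\x00"                                # legacy_session_id_echo: empty
    body += struct.pack(">H", cipher_suite)        # cipher_suite
    body += b"\x00"                                # legacy_compression_method: null
    if selected_version is not None:
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack(">H", len(ext)) + ext  # extensions length + one extension
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def negotiated_version(server_hello):
    """Return the wire version a ServerHello actually selects.

    Reads legacy_version, then overrides it with supported_versions if present,
    because a TLS 1.3 negotiation looks like TLS 1.2 in the legacy field.
    """
    if len(server_hello) < 4 or server_hello[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(server_hello[1:4], "big")
    body = server_hello[4:4 + length]
    if len(body) != length or length < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session id
    pos += 2 + 1                                   # skip cipher suite and compression
    if pos >= len(body):
        return legacy_version                      # no extensions: TLS 1.2 or older
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if ext_end > len(body):
        raise ValueError("extensions block overruns message")
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SUPPORTED_VERSIONS:
            if ext_len != 2:
                raise ValueError("malformed supported_versions in ServerHello")
            return int.from_bytes(data, "big")
        pos += 4 + ext_len
    return legacy_version


def allowed_by_policy(server_hello, version_min=3, version_max=4):
    """Apply security.tls.version.min/max semantics to a parsed ServerHello.

    Defaults mirror the setting Firefox 74 shipped with (min=3, a TLS 1.2
    floor). Pass version_min=1 to reproduce the reverted behaviour.
    """
    version = negotiated_version(server_hello)
    return PREF_TO_WIRE[version_min] <= version <= PREF_TO_WIRE[version_max]


# Constructed sample handshakes: one legacy server, one TLS 1.2, one TLS 1.3.
TLS10_HELLO = build_server_hello(0x0301)
TLS12_HELLO = build_server_hello(0x0303)
TLS13_HELLO = build_server_hello(0x0303, selected_version=0x0304, cipher_suite=0x1301)

if __name__ == "__main__":
    samples = [("TLS 1.0 server", TLS10_HELLO), ("TLS 1.2 server", TLS12_HELLO),
               ("TLS 1.3 server", TLS13_HELLO)]
    for name, hello in samples:
        v = negotiated_version(hello)
        print(f"{name}: negotiated {WIRE_TO_NAME[v]}; "
              f"min=3 -> {'allowed' if allowed_by_policy(hello) else 'refused'}; "
              f"min=1 -> {'allowed' if allowed_by_policy(hello, version_min=1) else 'refused'}")
```

The point the parser makes is that a version floor has to be judged on the selected version, not on the legacy field: a check that only reads the first two bytes of the body would classify a TLS 1.3 server as TLS 1.2 and, with version_max=3, wrongly refuse it. Run with version_min=1 to see the legacy server admitted, which is exactly what the remote rollout restores.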
Now You: What is your take on the decision? (via Born)
We should think that leaving TLS 1.0 and TLS 1.1 available for any time longer is NOT an option anymore for those people who want to be secure against being spied on. If a government still requires that… it is their problem of strategy. The old protocols can be spied into because of all their long-inherited problems. NSA still celebrates a feast. Also: the RSA plain handshakes are still around? Why? CBC ciphers as well. Middleboxes can passively decrypt those sessions in many cases. Deep-packet-inspection. So, content-sniffing the one or the other way is still a thing as long as we are not entirely (!) getting rid of all those obsolete things and bugs. Restricting to ECDHE entirely, putting plain RSA away and retiring CBC. TLS 1.3 everywhere. This is the main directive. And while seeing what many servers worldwide still support from their side, this gets me vomiting, literally.
To anyone who has voiced concern about preferences being remotely changed,
Every application you use could have any arbitrary code baked in without your knowledge. When a development team exposes features with flags and preferences, it should be celebrated. Having a means to fix mistakes or change decisions without waiting for a stable release is a good thing.
Unless you read every line of code that has changed before updating an application, then there is no breach of trust or scary conspiracy at all. These things have not been hidden from public knowledge and there is a way to opt out.
I do think it is odd to revert the security change. But as the article states, having the protocols enabled is business as usual in the other major browsers.
hi Martin
while Mozilla re-enables TLS 1.0 & 1.1 with their recent Firefox releases, Microsoft on the other hand plans to disable TLS 1.0 & 1.1 in their Chromium Edge, Legacy Edge & IE11 browsers sometime in the 2nd half of 2020:
https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/
why would they not install security updates on “critical government sites”? most people would just read the news sites not some abandoned government site that no one even knows about
“why would they not install security updates on “critical government sites”? most people would just read the news sites not some abandoned government site that no one even knows about”
My impression is that the government has a huge legacy of decades-old custom-made software written by developers who are no longer around to support it, running on old operating systems that are no longer supported either. Despite efforts to standardize and modernize pieces of it (which means lots of outsourcing and use of “management platforms” and an increase in the risk of supply chain attacks like the one last year involving SolarWinds), a large chunk of the government’s most critical infrastructure is decentralized and idiosyncratic. Updating the bits and pieces is expensive and requires a political process to get the money appropriated, and carries its own risks.
I’m getting tired of the lack of coverage of FF’s about:config shenanigans and I’m not allowing any more FF updates to FF 74/later. I feel it’s been Google’s influence on the Mozilla Foundation and really the Antitrust regulators need to clamp down on Google, MS, and some others as well.
I’m happy to be on Linux (Mint 19.3) but getting tired of Firefox and would rather skip the feature creep and instead have security/stability over any of that new and shiny in web browsers that’s just added to help the big interests.
Windows/Windows 10 has become a stability train wreck at the worst of possible times and I’m really not liking being forced by MS to suffer all that is broken in Windows and thrown out to the end users in that broken condition. I’ve got all of my Windows 7/7 Pro laptops dual booting with Mint 19.3 and 7/EOL safely offline and FF is my browser currently but I may try something else if I have to.
I’ve got a new Windows 10 laptop that’s waiting for Mint to get the Linux 5.6 kernel and that laptop’s AMD 3000H series APU some better power/fan control on the driver side, and then that’s getting Linux Mint installed alongside Windows 10, and 10 kept offline as well until I see fit to allow 10 back online after all that is currently broken is fixed. So maybe I’ll just keep 10 offline and only boot into Mint 19.3 for the next 6 months/longer after kernel 5.6 arrives, and I have other events to worry about rather than Windows 10 and that rolling train wreck. But I’m really looking for more stability and having more control over my own computer hardware, and I’m really not liking that FF experimental updating of my browser without my permission as that’s just too Redmond/10-like for me.
@NoNannyNo
Seems like Firefox ESR is right up your alley. The ESR version of Firefox only gets a major update once per year and between the major releases only security fixes will be applied to it (no new features and no messing with about:config for one year). The current Firefox ESR version is Firefox 68.x ESR, the next major one will be Firefox 78.x ESR.
More info here:
https://www.mozilla.org/en-US/firefox/enterprise/
You can stop remote Mozilla interference in your browser (also on ESR) with these about:config settings being set to “false”:
app.shield.optoutstudies.enabled
app.normandy.enabled
I’m on Mint 19.3 and that comes with the FF edition that Mint ships with, and only via Mint’s software manager for those non-Linux-Mint power users, and no offers of any other options. So FF ESR will have to be plumbed in by hand, and I’ve got Blender 3D 2.82a downloaded and extracted but not plumbed in for evaluation purposes under Mint 19.3. So Mint’s software manager only offers FF 73.0.1 but Mint’s update manager has been offering me FF 74 for a while.
And I’m not comfortable with running FF ESR without having it properly installed on Mint so I’ll need some learning curve time in order to manually install FF ESR as Mint is only offering the non ESR FF variants via the software manager installer method for that Mint repo.
I see that FF really needs some about:config change log and information third-party website where all the changes that the Mozilla Foundation likes to be obfuscated from the public are discussed. So more about:config mucking about to really rein in the telemetry and other such settings.
I just learned in school that I should have the latest versions of Chrome, Firefox, IE (Safari doesn’t support this protocol yet). What gives? So roll ’em all back one?
Normandy pref rollout “boolean number string”
which one?
Is there any way to revert this in about:config?
@JoJo
You can revert this change by altering the value of security.tls.version.min to 3, this means at least TLS 1.2 will be required.
See here: http://kb.mozillazine.org/Security.tls.version.*
In order to stop Mozilla from interfering further with your settings behind your back, also change both…
app.shield.optoutstudies.enabled
app.normandy.enabled
…to false.
See? Treating users as children does not work (also e.g. extension signing walled garden).
Security is not an excuse to take away user choice.
Yeah let’s lower the security for a billion users so that one guy in a forest in Burkina Faso can read about the virus. Yeah let’s not even consider for a second that guy already uses Google Chrome. This is the equivalent to letting a coronavirus-infected person board a cruise ship, because he really wants to go on a cruise. People – What a bunch of bastards.
@Yeah, LOL @ Burkina Faso reference.
I don’t agree with Mozilla’s decision either.
It’s not lowering the security to anybody.
Right now: if the site that you are visiting is using TLS 1.2 or 1.3, then it will use it. If the site that you are visiting only uses TLS 1.0 or TLS 1.1, then you will not be able to visit it.
Hmmm…I’ve had “security.tls.version.min” set at “3” for a long time in ALL my gecko based browsers. I haven’t encountered any government websites that have a problem with it but perhaps I just haven’t visited the ones that do.
I find it shocking how backward many hospitals, doctor offices, medical plans, especially billing, are in regards to ways in which the spread of coronavirus could be mitigated.
TLS is not SSL. The order is SSLv3, TLS v1.0, TLS v1.1, TLS v1.2, TLS v1.3. SSLv3 is universally not supported on browsers, but TLS v1.0 and v1.1 are enabled by default, despite having known security issues. This effort was to disable those, not SSL v3.
@Matthew Menke, SSL 3 was deprecated years ago.
Why are you bringing up nonsense???
“government sites”
Just as i said.
They could enable TLS1.2+ with 1 word change to the settings. They do it for a reason so browsers should ignore them.
#FCK ‘EM!
rolls eyes smh again at stupid thinking again.
I don’t care particularly about this feature but “waiting for Google” just shows how ridiculous Mozilla has become. I don’t expect them to get their sh*t together until the whole management has been changed.
“remotely applied”!!! How is that possible? I was not aware that Firefox can behave like Chrome!
@Antony
You should research what the following about:config settings do:
app.shield.optoutstudies.enabled
app.normandy.enabled
That will be the answer to your question. Yes, it’s scary.
The ghack user.js has both app.normandy.enabled & app.shield.optoutstudies.enabled set to “false” (which disables both prefs, along with Mozilla’s ability to change any prefs remotely).
Thanks for the tip.
This is disgusting!
@Antony: Mozilla can change preferences in about:config remotely; search for ‘Normandy pref rollout’.
@ShintoPlasm
That’s why people should use Ungoogled Chromium, they don’t do shady shit like this behind the back of their users.
> We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.
Without COVID19, they would not have cared about cutting access to important government sites. Interesting how much power they have and how they are not afraid to abuse it.
TLS versions are also a major planned obsolescence problem, cutting access to the internet for older devices, now that everything is behind enforced https. The bug discusses that not so old devices are affected and that the security problem of the disabled versions are not that significant.
TLS was made a tracking vector with TLS session identifiers, it’s now a planned obsolescence device, and discussions are appearing that point to a future use of TLS certificates for censorship. Do we even have security in exchange for all that? Not even: corporate MITM at work and centralized CDNs see everything, the NSA and buddies have other less official toys, and because that’s not yet enough, laws are being passed or suggested now to force decryption backdoors everywhere.
At the end it may be funny if the only ones who won’t be able to decrypt our own traffic may be ourselves. We already have Mozilla thinking that according to them it’s bad to do ourselves a local MITM on our own device to inspect and filter, say, Firefox traffic with Adguard.
> A new bug on Mozilla’s bug tracking site provides additional information and another reason entirely. Mozilla highlights that Google postponed Chrome releases and that it is unlikely that Google will disable TLS 1.0 and 1.1 in the Chrome browser for the time being and that this would leave Firefox as the sole browser with the protocols disabled in the Stable version.
Oh, so that’s once again just because their unofficial parent company Google told them to do that.
Why not those government sites update their TLS to 1.2 instead? 🙄
@JohnG, I agree, governments should deprecate insecure protocols.
Upgrading is not as easy as an “#upgrade mypackage” command. It is not as simple as 123.
Try glassfish 3 server for example where it uses TLS 1.0
Will you upgrade it to Glassfish 4/5 in order to use TLS 1.1/1.2? Not really. It will take time.
@John G.: Because as Teen Talk Barbie said, “Math class is tough!” ;-)
>The preference change will be remotely applied to Firefox 74, which has already been shipped.
Mozilla can remotely change preferences of your browser? lmao. This is the definition of a botnet.
I’ve never seen a useful comment from the user Yuliya. Go away.
@overpaid intern: It’s Yuliya needing to be an ass as usual. Honestly, anything Mozilla-related is going to be used by Yuliya and Iron Heart to construct any attack possible against it, even if their revered Chrome/Chromium is doing the same.
@Dude without a suit
Except that Chrome has no means to inject new code without using the standard update functionality of the browser, whereas Mozilla has such means via Firefox Experiments.
Username checks out, the emperor really has no clothes in this case.
@Yuliya
In short: Yes, via Firefox Experiments.
app.shield.optoutstudies.enabled
app.normandy.enabled
Mozilla circumvents the standard update functionality with these, without user knowledge or approval.
The ghack user.js has both app.normandy.enabled & app.shield.optoutstudies.enabled set to “false” (which disables both prefs, along with Mozilla’s ability to change any prefs remotely).
I would encourage all Firefox users to at least review the ghack user.js, even if they choose not to use it.
So, app.shield.optoutstudies.enabled and app.normandy.enabled are the Mozilla agents which allow the company to interfere behind the stage on my Firefox settings. Good to know. Both are set to false here, but I ignored it was those very two settings that allowed the ghost interference.
Concerning this TLS 1.0/1.1 u-turn why not simply communicate on these two settings for those who would encounter an issue?
This damn coronavirus, because of its implications in terms of fear (legitimate when not mistaken for panic) and in terms of more relaxed behavior on the Web because of work requirements, is already damaging security and will continue to, as if health was not enough.
“some government sites still rely on the old protocols”
That figures. Probably still using win 2000 server or debian potato.
The US government is opposed to improved security because they can’t intercept it. If they had a choice they’d force everyone to use faulty encryption.
https://www.nextgov.com/cybersecurity/2019/10/doj-makes-another-plea-encryption-backdoors/160389/
https://www.washingtonexaminer.com/opinion/op-eds/government-attacks-on-encryption-havent-changed-in-25-years
@No Thanks, CIA, LOL @ your username!