Some notes on Firefox's interstitial warning for old TLS versions
Firefox, along with all other browsers, is trying to move away
from supporting older TLS versions, which means anything
before TLS 1.2. In Firefox, the minimum acceptable TLS version is
controlled by the about:config preference security.tls.version.min;
in released versions of Firefox this is still '1' (for TLS 1.0),
while in non-release versions it's '3' (for TLS 1.2). If you're
using a non-release version and you visit some websites, you'll get
a 'Secure Connection Failed' interstitial warning that's clear
enough if you're a technical person.
The bottom of the warning text says:
This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.
TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.
It then offers you a big blue 'Enable TLS 1.0 and 1.1' button. If
you pick this, you're not enabling TLS 1.0 and 1.1 on a one-time
basis or just for the specific website (the way you are with 'accept
this certificate' overrides); you're permanently enabling it in
Firefox preferences. Specifically, you're setting the
security.tls.version.enable-deprecated preference to 'true' (from
the default 'false').
As far as I've been able to see, the state of this '(permanently) enable deprecated TLS versions' setting is not exposed in the Preferences GUI, making its state invisible unless you know the trick (and even know to look). Perhaps when Mozilla raises the normal minimum TLS version in a Firefox release, they will expose something in Preferences (or perhaps they'll change to do something with per-site overrides, as they do for TLS certificates). In the meantime, if you want to find out about websites using older TLS versions through your normal browsing, you'll need to remember to reset this preference every time you need to use that big blue button to get a site to work.
(You might be doing this in Nightly or Beta, although probably
you should avoid Nightly, or you might be doing
this in a released version where you've changed security.tls.version.min
yourself.)
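Since the setting is invisible in the Preferences GUI, one way to check for it is to read the profile's prefs.js directly. The following is an added example, not part of the original post or of Firefox itself; the function names, the sample file contents and the Linux profile path are assumptions made for illustration.

```python
import re

# Constructed sample prefs.js contents (not taken from a real profile).
SAMPLE_AFTER_BUTTON = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.enable-deprecated", true);
'''
SAMPLE_LOWERED_MIN = 'user_pref("security.tls.version.min", 1);\n'

# One line of prefs.js looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\s*\)\s*;\s*$')
WATCHED = ("security.tls.version.min", "security.tls.version.enable-deprecated")
TLS_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

def parse_prefs(text):
    """Return {name: value} for the two TLS prefs if the user has set them."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m or m.group(1) not in WATCHED:
            continue
        raw = m.group(2)
        if raw in ("true", "false"):
            found[m.group(1)] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            found[m.group(1)] = int(raw)
    return found  # prefs left at their defaults do not appear in prefs.js

def audit(text):
    """Return findings; an empty list means neither pref re-enables old TLS."""
    prefs = parse_prefs(text)
    findings = []
    if prefs.get("security.tls.version.enable-deprecated") is True:
        findings.append("enable-deprecated is true: TLS 1.0 and 1.1 stay enabled")
    vmin = prefs.get("security.tls.version.min")
    if isinstance(vmin, int) and not isinstance(vmin, bool) and vmin < 3:
        name = TLS_NAMES.get(vmin, "unknown")
        findings.append(f"version.min is {vmin} ({name}): below TLS 1.2")
    return findings

if __name__ == "__main__":
    import glob, os, sys
    # Assumption: Linux default profile location; pass other paths as arguments.
    paths = sys.argv[1:] or glob.glob(os.path.expanduser("~/.mozilla/firefox/*/prefs.js"))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in audit(fh.read()):
                print(f"{path}: {finding}")
```

No output for a profile means neither preference has been changed from its default in that profile.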