Although it is common to think of a secure website as the opposite of an insecure one, the choice is not, in fact, binary. For a website to be truly secure, there are about a dozen or so ducks that all need to be lined up in a row.
Seeing HTTPS does not mean that the security is well done; secure websites exist in many shades of gray. Since web browsers don’t offer a dozen visible indicators, many sites that are not quite secure appear, to all but the most techie nerds, to be secure nonetheless. Browser vendors have dumbed things down for non-techies.
Last September, I took Apple to task for not having all their ducks in a row, writing that some of their security oversights allowed Apple websites to leak passwords.
The detailed technical information in that article came from the excellent SSL Server Test from SSL Labs, a division of Qualys. The test analyzes secure websites, reports on the full gory technical details and assigns a letter grade. Many do not get an A rating. Lots of ducks are not being lined up correctly around the web.
Here, I am going to focus on the very first duck, the HTTPS protocol itself.
In the old days the protocol was called SSL, Secure Sockets Layer. There were two versions of SSL, numbered 2 (released in 1995) and 3 (released in 1996). More recent versions of the protocol are called TLS (Transport Layer Security) and there are four versions of it, with each iteration being more secure. TLS version 1.0 dates to 1999 while version 1.1, the first one from this century, was defined in 2006. The most popular version of TLS is 1.2, which was defined in 2008. Version 1.3 is currently in draft status.
From what I have seen with the SSL Server Test, the vast majority of secure websites support TLS versions 1.0, 1.1 and 1.2. Almost none still support the older SSL versions, which is a good thing.
Sites that support all three versions of TLS can get an A rating from Qualys, a decision that I find questionable.
For one thing, TLS 1.0 and 1.1 are not as secure as TLS 1.2. Plus, TLS 1.2 is fairly old. What does it say about a secure website that does not yet support a security protocol that was released nine years ago? Nothing good.
As a Defensive Computing guy, I would not trust a website that does not support TLS version 1.2. Fortunately, I don’t have to.
Firefox lets you pick and choose the versions of the HTTPS protocol that you want it to support.
The steps below let you disable TLS 1.0 and TLS 1.1 along with the ancient SSL version 3. After doing so, Firefox will only display secure websites that support TLS 1.2. Insecure HTTP websites are not affected. We are, in effect, lining up the first duck.
This tweak of Firefox was recently tested using version 54 on Windows and Android, and version 50 on OS X. It is not supported by Firefox 7.5 on iOS 10. It’s also nothing new; it was first introduced in April 2013.
1. Type about:config in the address bar
2. Click through the warning about voiding your warranty
3. In the Search bar, search for the TLS version preferences
4. This should end up displaying about 10 config options. The entry for “security.tls.version.min” should be at the default value of 1.
5. Double-click on “security.tls.version.min”
6. Set it to 3 and click the OK button.
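The steps above change one preference by hand. As an added example (not from the article), here is a small Python script that reads the same preference out of a Firefox prefs.js or user.js, reports which protocol versions that setting still lets Firefox negotiate, and produces the user.js line that applies the tweak. The code-to-version mapping (1 = TLS 1.0 through 4 = TLS 1.3), treating an absent pref as the default of 1 the article reports, and the sample prefs text are all assumptions or constructed inputs of this example.

```python
"""Audit a Firefox prefs.js / user.js for the minimum TLS version it allows.

Added example, not part of the article. Firefox stores each preference as
  user_pref("name", value);
and the article's tweak sets security.tls.version.min to 3 (TLS 1.2).
"""
import re

# Firefox's codes for security.tls.version.min / .max (assumed mapping).
TLS_CODES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

DEFAULT_MIN = 1   # the default the article reports (TLS 1.0) when the pref is absent
HARDENED_MIN = 3  # the value the article sets (TLS 1.2)

# Matches both user_pref("...", v); (user.js / prefs.js) and pref("...", v); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*([^)]+)\);', re.MULTILINE)


def parse_prefs(text):
    """Return {pref_name: raw_value_string} for every pref line in the file text."""
    return {m.group(1): m.group(2).strip() for m in PREF_RE.finditer(text)}


def audit_tls_min(text):
    """Report the minimum TLS version a prefs file permits and whether it is hardened."""
    prefs = parse_prefs(text)
    raw = prefs.get("security.tls.version.min")
    code = int(raw) if raw is not None and raw.isdigit() else DEFAULT_MIN
    return {
        "code": code,
        "min_version": TLS_CODES.get(code, "unknown code %d" % code),
        # protocol versions below TLS 1.2 that this setting still lets Firefox negotiate
        "legacy_allowed": [TLS_CODES[c] for c in range(code, HARDENED_MIN) if c in TLS_CODES],
        "hardened": code >= HARDENED_MIN,
    }


def hardened_user_js_line():
    """The user.js line that applies the article's tweak without visiting about:config."""
    return 'user_pref("security.tls.version.min", %d);' % HARDENED_MIN


# Constructed sample files (not real prefs.js contents).
SAMPLE_DEFAULT = '''
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
'''

SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    '"security.tls.version.min", 1', '"security.tls.version.min", 3')

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_tls_min(text))
    print(hardened_user_js_line())
```

Dropping the emitted line into a user.js in the profile directory gives the same result as the about:config steps and survives profile resets, which is how the setting is usually enforced on more than one machine.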
The result should look like the picture below (from Firefox 54 on Windows).
Now, you will be browsing the web a bit more securely.
I changed this a while ago in my copy of Firefox and for the most part, it has been fine. That is, roughly every website that supports TLS at all supports version 1.2. Still, you are safer by avoiding TLS 1.0 and 1.1.
Update: July 14, 2017: Further testing showed that this tweak is also supported with Firefox version 49 running on Lubuntu version 16.10.
Get in touch with me privately by email at my full name at Gmail or publicly on Twitter at @defensivecomput.