Although it's common to think of a secure website as the opposite of an insecure one, the choice is not, in fact, binary. For a website to be truly secure, there are a dozen or so ducks that all need to be lined up in a row.
Seeing HTTPS does not mean that the security is well done; secure websites come in many shades of gray. Since web browsers don't offer a dozen visual indicators, many sites that are not particularly secure appear, to all but the most techie nerds, to be secure nonetheless. Browser vendors have dumbed things down for non-techies.
Last September, I took Apple to task for not having all their ducks in a row, writing that some of their security oversights allowed Apple websites to leak passwords.
The detailed technical information in that article came from the excellent SSL Server Test from SSL Labs, a division of Qualys. The test analyzes secure websites, reports on the full gory technical details and assigns a letter grade. Many do not get an A rating. Lots of ducks are not being lined up correctly around the web.
Here, I am going to focus on the very first duck, the HTTPS protocol itself.
In the old days the protocol was called SSL, Secure Sockets Layer. There were two versions of SSL, numbered 2 (released in 1995) and 3 (released in 1996). More recent versions of the protocol are called TLS (Transport Layer Security) and there are four versions of it, each iteration more secure than the last. TLS version 1.0 dates to 1999, while version 1.1, the first one from this century, was defined in 2006. The most popular version of TLS is 1.2, which was defined in 2008. Version 1.3 is currently in draft status.
From what I have seen with the SSL Server Test, the vast majority of secure websites support TLS versions 1.0, 1.1 and 1.2. Almost none still support the older SSL versions, which is a good thing.
Sites that support all three versions of TLS can get an A rating from Qualys, a decision that I find questionable.
For one thing, TLS 1.0 and 1.1 are not as secure as TLS 1.2. Plus, TLS 1.2 is fairly old. What does it say about a secure website that does not yet support a security protocol that was released nine years ago? Nothing good.
As a Defensive Computing guy, I would not trust a website that does not support TLS version 1.2. Fortunately, I don’t have to.
Firefox lets you pick and choose the versions of the HTTPS protocol that you want it to support.
The steps below let you disable TLS 1.0 and TLS 1.1 along with the ancient SSL version 3. After doing so, Firefox will only display secure websites that support TLS 1.2. Insecure HTTP websites are not affected. We are, in effect, lining up the first duck.
This tweak of Firefox was recently tested using version 54 on Windows and Android, and version 50 on OS X. It is not supported by Firefox 7.5 on iOS 10. It's also nothing new; the setting was first introduced in April 2013.
1. Enter about:config in the address bar
2. Click through the warning about voiding your warranty
3. In the Search bar, search for “
4. This should end up displaying about 10 configuration options. The entry for “security.tls.version.min” should be at its default value of 1.
5. Double-click on “security.tls.version.min”
6. Set it to 3 and click the OK button.
The result should look like the image below (from Firefox 54 on Windows).
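The about:config change above is just an integer pref stored in the profile, so it can be checked (or pinned in a user.js) without opening the browser. The script below is an added example, not code from the article; it assumes the one-pref-per-line user_pref("name", value); format that Firefox writes to prefs.js and user.js, and the value 4 = TLS 1.3 is an assumption about builds newer than those tested above.

```python
import re
from typing import Dict, List

# Firefox stores the TLS bounds as small integers, not version strings.
# 0..3 is the mapping the article relies on (default 1 = TLS 1.0, set 3 = TLS 1.2);
# 4 = TLS 1.3 is an assumption about later Firefox builds.
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
MIN_PREF = "security.tls.version.min"
MAX_PREF = "security.tls.version.max"
RECOMMENDED_FLOOR = 3     # TLS 1.2, the value the article tells you to set
FIREFOX_DEFAULT_FLOOR = 1  # TLS 1.0, the default the article tells you to expect

# One pref per line, as Firefox writes prefs.js / user.js:
#   user_pref("security.tls.version.min", 3);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(-?\d+|true|false|"[^"]*")\);')

def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref name: raw value} for every well-formed user_pref line."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)  # later lines override earlier ones
    return prefs

def tls_floor(prefs: Dict[str, str]) -> int:
    """Effective minimum protocol; an absent pref means the Firefox default."""
    return int(prefs.get(MIN_PREF, str(FIREFOX_DEFAULT_FLOOR)))

def audit(text: str) -> List[str]:
    """Findings for one prefs file; an empty list means the first duck is lined up."""
    prefs = parse_prefs(text)
    floor = tls_floor(prefs)
    findings = []
    if floor < RECOMMENDED_FLOOR:
        findings.append(f"{MIN_PREF} is {floor} ({TLS_NAMES.get(floor, '?')}); "
                        f"set it to {RECOMMENDED_FLOOR} ({TLS_NAMES[RECOMMENDED_FLOOR]})")
    if MAX_PREF in prefs and int(prefs[MAX_PREF]) < floor:
        findings.append(f"{MAX_PREF} is below {MIN_PREF}: inconsistent range, "
                        "the floor you set will not take effect as intended")
    return findings

def user_js_line() -> str:
    """The user.js line that pins the article's setting in a profile."""
    return f'user_pref("{MIN_PREF}", {RECOMMENDED_FLOOR});'

# Constructed sample profiles, not copied from any real installation.
UNTOUCHED_PROFILE = 'user_pref("browser.startup.page", 1);\n'
HARDENED_PROFILE = UNTOUCHED_PROFILE + 'user_pref("security.tls.version.min", 3);\n'
BROKEN_PROFILE = HARDENED_PROFILE + 'user_pref("security.tls.version.max", 2);\n'

if __name__ == "__main__":
    for name, text in [("untouched", UNTOUCHED_PROFILE), ("hardened", HARDENED_PROFILE)]:
        print(name, audit(text) or ["OK: TLS 1.2 floor in place"])
```

Point audit() at the prefs.js of a profile to confirm the change stuck, or append user_js_line() to that profile's user.js so the floor survives a pref reset.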
Now, you will be browsing the web a bit more securely.
I changed this a while ago in my copy of Firefox and for the most part, it has been fine. That is, almost every website that supports TLS at all, supports version 1.2. Still, we are safer by avoiding TLS 1.0 and 1.1.
Update: July 14, 2017: Further investigation showed that this tweak is also supported with Firefox version 49 running on Lubuntu version 16.10.
Get in touch with me privately by email at my full name at Gmail or publicly on twitter at @defensivecomput.