TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure. Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol.
But that raises the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.
For the benefit of search engines, the error reads
Secure Connection Failed.
An error occurred during a connection to [website name]. Peer using unsupported version of security protocol. Error code: SSL_ERROR_UNSUPPORTED_VERSION
The security protocol it refers to is TLS. There are three problems, however, with this Firefox error message.
For one thing, TLS 1.0 and 1.1, which the website is using, are indeed supported by Firefox – it's just that this particular copy of the browser was configured not to use them. And, annoyingly, the message does not say which unsupported version it encountered.
Finally, the bottom of the message is a trap. Specifically, the note that “It looks like your network security settings might be causing this. Do you want the default settings to be restored?” along with the blue “Restore default settings” button.
I consider this a trap because it resets Firefox to again accept the older, less secure TLS versions (1.0 and 1.1).
The screen shot is from Firefox version 54 on Windows; the error message on OS X is the same. On Android, however, Firefox 54 does not say that your network security settings are the issue and there is no button to restore the default settings.
VERIFYING THE TWEAK
You may go months before encountering a website that does not support TLS 1.2. In that case, how do you know the tweaking of Firefox really worked?
Visit the SSL Client Test site and the test runs automatically. Scroll down to the Protocols section. If the tweaking worked as expected, you should see a “Yes” for TLS 1.2 and a “No” for TLS 1.1, TLS 1.0, SSL 3 and SSL 2. That’s good Defensive Computing. It also reports on TLS 1.3, but as this version is still in draft mode, it can be ignored.
There are two test websites, one that only supports TLS version 1.1 and another that only supports version 1.0. They are
If you try to load these pages in a normal web browser, all is well. But try to load them in a copy of Firefox that has been restricted to TLS 1.2 and they fail.
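The online tests above need a live connection, and the "Restore default settings" button described earlier silently undoes the tweak. As an added example (not code from this post, nor from Mozilla), here is a small Python script that checks a Firefox profile's prefs.js offline and reports whether the browser is still restricted to TLS 1.2. It assumes the preference names security.tls.version.min and security.tls.version.max and their numeric codes (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3), which the post itself does not name, and it assumes the Firefox 54 defaults of 1 and 3 when a pref is absent. The prefs.js contents in the script are constructed samples.

```python
import re

# Assumed mapping of Firefox's security.tls.version.{min,max} codes to
# protocol names (not stated in the post; taken from Firefox's pref semantics).
TLS_VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Firefox writes each setting to prefs.js as:  user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample: a profile after the TLS 1.2-only tweak was applied.
TWEAKED_PREFS = """\
// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1499000000);
user_pref("security.tls.version.max", 3);
user_pref("security.tls.version.min", 3);
user_pref("browser.startup.homepage", "https://www.example.com/");
"""

# Constructed sample: the same profile after "Restore default settings" was
# clicked, which removes the TLS lines and so reverts to the defaults.
RESET_PREFS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1499000000);
user_pref("browser.startup.homepage", "https://www.example.com/");
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref line; comments are skipped.

    Values are converted to bool, int or str so callers can compare them."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # header comments, blank lines, anything unparseable
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw
    return prefs


def tls_range(prefs, default_min=1, default_max=3):
    """Effective (min, max) TLS codes; absent prefs fall back to the assumed
    Firefox 54 defaults of TLS 1.0 (1) and TLS 1.2 (3)."""
    return (prefs.get("security.tls.version.min", default_min),
            prefs.get("security.tls.version.max", default_max))


def check_tls12_only(prefs):
    """Return (ok, message): ok is True only when TLS 1.2 is both floor and ceiling."""
    lo, hi = tls_range(prefs)
    if (lo, hi) == (3, 3):
        return True, "TLS 1.2 only: tweak is in place"
    enabled = [TLS_VERSION_NAMES.get(v, "code %d" % v) for v in range(lo, hi + 1)]
    return False, "accepts " + ", ".join(enabled) + " (tweak missing or reset to defaults)"


def tls12_only_user_js():
    """The two lines to put in a profile's user.js to re-apply the tweak
    (user.js is re-read at every start, so the restore button cannot undo it)."""
    return 'user_pref("security.tls.version.min", 3);\nuser_pref("security.tls.version.max", 3);'


if __name__ == "__main__":
    # Replace the constructed samples with open(path_to_prefs_js).read() for a real profile.
    for label, text in (("tweaked profile", TWEAKED_PREFS), ("reset profile", RESET_PREFS)):
        ok, msg = check_tls12_only(parse_prefs(text))
        print("%s: %s -> %s" % (label, "OK" if ok else "WARNING", msg))
    print("\nTo re-apply, add to user.js:\n" + tls12_only_user_js())
```

Run it against the real file by reading the profile's prefs.js instead of the constructed strings; a "WARNING ... reset to defaults" line after visiting a TLS 1.0/1.1-only site tells you the restore button was clicked.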
Finally, is limiting Firefox to TLS 1.2 really worth the trouble?
Still to come: limiting Chrome and Internet Explorer to TLS 1.2, and doing the same with the Endless browser on iOS.
Get in touch with me privately by email at my full name at Gmail or publicly on twitter at @defensivecomput.