[FOSDEM] fosdem.org does not support TLS 1.[12]

Kurt Roeckx kurt at roeckx.be
Thu Jan 16 19:05:50 CET 2014


On Wed, Jan 15, 2014 at 10:06:19AM -0600, Tom Marble wrote:
> All:
> 
> As everyone in our community can benefit from improving security
> I thought I would share this observation with everyone.
> 
> I recently realized that Iceweasel, by default, is not configured
> to not support the recent versions of TLS yet it accepts weak ciphers.
> 
> You can check your browser here (notably TLS version)
> https://www.howsmyssl.com/
> 
> Here's how to fix this in Firefox
> http://kb.mozillazine.org/Security.tls.version.*
> I set security.tls.version.min = 2 (require at least TLS 1.1)
> I set security.tls.version.max = 3 (support TLS 1.2)

Only TLS 1.1 and 1.2 support is probably going to cause you
problems since only about 25% of the sites support it.  (Which is
also about the same size as sites still supporting SSL2.)

I personally run with security.tls.version.min set to 1
and RC4 and 3DES disabled.  As far as I know this should
support > 95% of the sites.  Please note that there is
nothing wrong with TLS 1.0 in case your browser is patched
for BEAST.

This also results in a "Probably okay" message on the howsmyssl
site above.

But this list is probably not the best place to discuss such
things and the bettercrypto.org mailing list might be better for
that.


Kurt


