CloudInsidr

Cyber security, infotech

Join us on Twitter: @CloudInsidr

Follow us on Twitter: @cloudinsidr
Home cybersecurity and cyber warfare TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks
TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks

Leave a Comment

TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks

Only two versions of the TLS (Transport Layer Security) protocol can be considered safe under certain circumstances: TLS 1.3 and TLS 1.2. Trying to get your bank alongside everyone else to fix their websites and web applications is a Herculean task; good luck trying. Even so, you can protect TLS connections by modifying the browser configuration.

It is good to know that there is something you can do to protect at least yourself and the other end users on the networks that you oversee from nasty attacks against their TLS connections. In Firefox, you can restrict the browser to “speak” only TLS 1.3 and TLS 1.2 to limit the attack surface and restrict phishing. Here is how to do it.

Here is a short how-to on restricting Firefox to the two most secure versions of the TLS protocol:

Step 1. Open the advanced settings page of Firefox.

In the address bar, enter

about:config

and hit Return.

Step 2. Agree to “void your warranty”.

Ignore the warning about voiding your warranty and proceed.

Step 3. Find the security settings for TLS

In the Search bar, type in “security.tls”.

Step 4. Adjust the lowest version of the TLS protocol you want to allow

Double click the entry “security.tls.version.min”. The default value is 1. Change it from “1” to “3”. This will activate TLS 1.2 and disallow any version below. This change is important as it prevents protocol downgrade attacks irrespective of the actual server settings. Eliminating the possibility of a protocol downgrade allows you to protect TLS connections from some attempts at eavesdropping.

Step 5. Adjust the highest version of the TLS protocol you want to allow

Verify that “security.tls.version.max” is set to to “4”. This ensures that Firefox may use TLS 1.3, (but not above; should TLS reach a higher version number, you will need to revisit this setting).

Restricting Firefox to TLS version 1.3 and TLS 1.2
Restricting Firefox to TLS version 1.3 and TLS 1.2

Now, your Firefox web browser speaks only TLS 1.3 and TLS 1.2; you will not be able to connect to websites that do not support these two protocols, but then again—perhaps you shouldn’t. Either way, there aren’t that many of them left.

Step 6. Test your configuration

Head over to Qualys SSL Labs’ browser test:

https://www.ssllabs.com/ssltest/viewMyClient.html

Step 7. Verify the test results

Allow the test to run its course. In the overview of details, look for the section “Protocol Features”. In the list of supported protocols, verify that only TLS 1.3 and TLS 1.2 are allowed.

Restricting Firefox to TLS version 1.3 and TLS 1.2 makes browsing safer
Browser test by Qualys SSL Labs reveals that the attempt at restricting Firefox to TLS 1.3 and 1.2 was successful

These changes do not offer absolute security as such a thing doesn’t even exist. They offer protection in so far as they limit the attack surface without compromising compatibility.

It goes without saying that if you happen to oversee the configuration of a web host, you need to take some steps to ensure that it measures up to the demands you put on your own Firefox for the sake of your visitor’s safety (see “How to Activate HTTP/2 with TLS 1.3 Encryption in NGINX for Secure Connections without a Performance Penalty” and “TLS 1.3 (with AEAD) and TLS 1.2 cipher suites demystified: how to pick your ciphers wisely” for more).

 

Leave a Reply

Your email address will not be published. Required fields are marked *

©2022 CybrAnalytiqa OÜ