{"id":2111,"date":"2018-06-02T22:10:48","date_gmt":"2018-06-03T06:10:48","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=2111"},"modified":"2018-06-02T23:17:25","modified_gmt":"2018-06-03T07:17:25","slug":"restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/","title":{"rendered":"TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks"},"content":{"rendered":"

Only two versions of the TLS (Transport\u00a0Layer Security) protocol can be considered safe under certain circumstances: TLS 1.3 and TLS 1.2. Trying to get your bank alongside everyone else to fix their websites and web applications is a Herculean task; good luck trying. Even so, you can protect TLS connections by modifying the browser configuration.<\/p>\n

It is good to know that there is something you can do to protect at least yourself and the other end users on the networks that you oversee from nasty attacks against their TLS connections. In Firefox, you can restrict the browser to “speak” only TLS 1.3 and TLS 1.2 to\u00a0limit the attack surface and restrict phishing. Here is how to do it.<\/p>\n

<\/p>\n

Here is a short how-to on restricting Firefox to the two most secure versions of the TLS protocol:<\/p>\n

Step 1. Open the advanced settings page of Firefox.<\/h4>\n

In the address bar, enter<\/p>\n

about:config<\/pre>\n
and hit Return.<\/p>\n
Step 2. Agree to “void your warranty”.<\/h4>\n
Ignore the warning about voiding your warranty and proceed.<\/p>\n
Step 3. Find the security settings for TLS<\/h4>\n
In the Search bar, type in “security.tls”.<\/p>\n
Step 4. Adjust the lowest version of the TLS protocol\u00a0you want to allow<\/h4>\n
Double click the entry “security.tls.version.min”. The default value is 1. Change it from “1” to “3”. This will activate TLS 1.2 and disallow any version below. This change is important as it prevents protocol downgrade attacks irrespective of the actual server settings. Eliminating the possibility of a protocol downgrade allows you to protect TLS connections from some attempts at eavesdropping<\/a>.<\/p>\n
Step 5.\u00a0Adjust the highest version of the TLS protocol you want to allow<\/h4>\n
Verify that “security.tls.version.max” is set to to “4”. This ensures that Firefox may use TLS 1.3, (but not above; should TLS reach a higher version number, you will need to revisit this setting).<\/p>\n
\"Restricting<\/a>
Restricting Firefox to TLS version 1.3 and TLS 1.2<\/figcaption><\/figure>\n
Now, your Firefox web browser speaks only TLS 1.3 and TLS 1.2; you will not be able to connect to websites that do not support these two protocols, but then again\u2014perhaps you shouldn’t. Either way, there aren’t that many of them left.<\/p>\n
Step 6. Test your configuration<\/h4>\n
Head over to Qualys SSL Labs’ browser test:<\/p>\n
https:\/\/www.ssllabs.com\/ssltest\/viewMyClient.html<\/a><\/p>\n
Step 7. Verify the test results<\/h4>\n
Allow the test to run its course. In the overview of details, look for the section “Protocol Features”. In the list of supported protocols, verify that only TLS 1.3 and TLS 1.2 are allowed.<\/p>\n
\"Restricting<\/a>
Browser test by Qualys SSL Labs reveals that the attempt at restricting Firefox to TLS 1.3 and 1.2 was successful<\/figcaption><\/figure>\n
These changes do not offer absolute security as such a thing doesn’t even exist. They offer protection in so far as they limit the attack surface without compromising compatibility.<\/p>\n
It goes without saying that if you happen to oversee the configuration of a web host, you need to take some steps to ensure that it measures up to the demands you put on your own Firefox for the sake of your visitor’s safety (see “How to Activate HTTP\/2 with TLS 1.3 Encryption in NGINX for Secure Connections without a Performance Penalty<\/a>” and\u00a0“TLS 1.3 (with AEAD) and TLS 1.2 cipher suites demystified: how to pick your ciphers wisely<\/a>”\u00a0for more).<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Only two versions of the TLS (Transport\u00a0Layer Security) protocol can be considered safe under certain circumstances: TLS 1.3 and TLS 1.2. Trying to get your bank alongside everyone else to fix their websites and web applications is a Herculean task; good luck trying. Even so, you can protect TLS connections by modifying the browser configuration. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[33,111],"tags":[37,219,218,225],"yoast_head":"\nTLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks - CloudInsidr<\/title>\n<meta name=\"description\" content=\"Protect yourself from nasty attacks against TLS connections by restricting the browser to TLS 1.3 and TLS 1.2, the most secure versions of the protocol that encrypts your communications. This easy step limits the attack surface. Here is how to do it.\" \/>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"Protect yourself from nasty attacks against TLS connections by restricting the browser to TLS 1.3 and TLS 1.2, the most secure versions of the protocol that encrypts your communications. This easy step limits the attack surface. Here is how to do it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-03T06:10:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-06-03T07:17:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2018\/06\/Firefox_TLS_1_3_and_TLS_1_2_config-1024x364.png\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2018\/06\/Firefox_TLS_1_3_and_TLS_1_2_config.png\",\"width\":1183,\"height\":420,\"caption\":\"Restricting Firefox to TLS version 1.3 and TLS 1.2\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/\",\"name\":\"TLS tune-up: how to restrict Firefox to TLS v1.3 and v1.2 to protect from phishing attacks - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/#primaryimage\"},\"datePublished\":\"2018-06-03T06:10:48+00:00\",\"dateModified\":\"2018-06-03T07:17:25+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"description\":\"Protect yourself from nasty attacks against TLS connections by restricting the browser to TLS 1.3 and TLS 1.2, the most secure versions of the protocol that encrypts your communications. This easy step limits the attack surface. Here is how to do it.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/restricting-firefox-to-tls-version-1-3-and-tls-1-2-makes-browsing-safer\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/2111"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=2111"}],"version-history":[{"count":13,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/2111\/revisions"}],"predecessor-version":[{"id":2127,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/2111\/revisions\/2127"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=2111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=2111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=2111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}