Firefox and TLS Security

Firefox allows you to set what versions of TLS you'll accept. Security and TLS are areas of interest for me that I've covered before:

These are all about creating TLS certificates and handling them on the web server. I did write one about visiting poorly secured sites as a client: The Ontario Science Centre - Fails Computer Science, then fixes itself. This note is about how to tell your browser what versions are acceptable to you.

Start a new tab in Firefox. Type about:config in the URL bar (you may get a security warning: it's fine, proceed). In the "Search" bar at the top, enter security.tls.version. The two values you're looking for are security.tls.version.min and security.tls.version.max. The current default values are, respectively, "1" and "4". The authority on the subject is mozillaZine's Security.tls.version.* page - although as I write the highest value they show is "3" (despite my browser defaulting to "4").

value   meaning
0       SSL 3.0
1       TLS 1.0
2       TLS 1.1
3       TLS 1.2
4       TLS 1.3 (?)

TLS 1.3 is still in its infancy, and not currently supported by OpenSSL - which means it's almost non-existent in the wild. But it looks like Firefox is ready for it with the new value of "4".

In my installations of Firefox, I always set security.tls.version.min to "2" - note that this is higher than Firefox's default value. This is a good idea, as TLS 1.0 is considered at best weak. But FF is still supporting it because there are still a few sites that use it and don't support a higher value. This has led me to learn what happens when you refuse TLS 1.0 connections: when it comes upon a TLS 1.0 website, Firefox says (I'm paraphrasing: I don't have the exact words in hand at the moment): "Your security settings are non-standard. You should reset them." It's very strange that it gives you the tool to demand a higher quality of encryption, and then tells you you're foolish for doing it. I continue to recommend this: do you want to put your credit card number into a poorly secured website? Firefox hasn't complained in months.
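As an added example (not part of the original post), here is a Python script that models what happens when the security.tls.version.min/max prefs meet a server that only speaks some versions, plus a small probe helper (my own assumption, not a Firefox tool) for checking which versions a host accepts before you raise the minimum:

```python
import socket
import ssl
import sys

# Firefox about:config values for security.tls.version.* -> the protocol each one names.
PREF_TO_VERSION = {
    0: ssl.TLSVersion.SSLv3,
    1: ssl.TLSVersion.TLSv1,
    2: ssl.TLSVersion.TLSv1_1,
    3: ssl.TLSVersion.TLSv1_2,
    4: ssl.TLSVersion.TLSv1_3,
}
NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def negotiated_version(pref_min, pref_max, server_versions):
    """Pref value (0-4) the connection ends up on, or None if the handshake fails.
    Firefox offers every version in [min, max] and the server picks the highest one
    it shares; None is the min=2 vs. TLS-1.0-only case behind the error page above."""
    if not (0 <= pref_min <= pref_max <= 4):
        raise ValueError("need 0 <= security.tls.version.min <= .max <= 4")
    common = [v for v in server_versions if pref_min <= v <= pref_max]
    return max(common) if common else None


def probe(host, pref_value, port=443, timeout=5.0):
    """Hypothetical helper: one handshake pinned to a single version. True if the
    server completes it; False if the server, or the local OpenSSL (which may refuse
    to offer SSL 3.0 / TLS 1.0 at all), rejects it. Needs network access."""
    ctx = ssl.create_default_context()  # certificate and hostname are still verified
    try:
        ctx.minimum_version = PREF_TO_VERSION[pref_value]
        ctx.maximum_version = PREF_TO_VERSION[pref_value]
    except (ValueError, ssl.SSLError):
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # any site you care about
    for value in sorted(NAMES):
        print(f"{value}  {NAMES[value]:8} {'accepted' if probe(host, value) else 'refused'}")
```

A "refused" row for values 3 and 4 means the site cannot be reached with the min="2" setting, which is exactly when Firefox shows the "non-standard settings" page.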

If you're not aware, SSL3 is entirely broken and should never be used (see POODLE).