http://www.networkworld.com/article/3202319/internet/its-time-to-upgrade-to-tls-13-already-says-cdn-engineer.html

Currently, KM76 config only goes to

security.tls.version.max;3

which is

TLS 1.2 is the minimum required / maximum supported encryption protocol.

according to http://kb.mozillazine.org/Security.tls.version.%2A

It seems Cloudflare has already deployed TLS1.3 to its customers.

How are we going for upgrades?

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Mozilla added support for TLS 1.3 in Firefox 49. It is enabled by default since v52.
In latest FirefoxESR 52.2.0, TLS 1.3 is still not enabled by default.

I'm afraid that a K-Meleon based on a newer Gecko engine would be the only solution.

Um. This is awkward. KM is the only browser that meets my (admittedly peculiar) security requirements, and it is a pleasure to use.

FF itself is a walking disaster zone, Pale Moon is marginally better than Chrome, and IE is, well, IE.

No news on Dorian's status?

____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372 January 22, 2007 http://freefall.purrsia.com/ff1400/fv01372.htm]

Quote
gordon451

No news on Dorian's status?

read guenter's latest post here.

Quote
gordon451
FF itself is a walking disaster zone, Pale Moon is marginally better than Chrome, and IE is, well, IE?

That got a chuckle. So true.

Am }I the only one who thinks all these endless protocol updates is taking things a bit too far?
Wheres the need? As if 256bit encryption isn't enough?

getting tired of all this unsubstantiated paranoia in tech circles. The people who push it need a great big SLAP or a bucket of ice.



Edited 1 time(s). Last edit at 06/17/2019 03:57PM by giro1991.

I told the other day and I had say in other words earlier, that is so sad that early adoption, because there isn't any real need, any real chance of real scenario attack, less directly to normal users, from low budget crackers/organizations, to really, really, be continuously adopting the latest, and it is sad how Internet is forcing quick browsers obsolescences.

The fact is that we are now a connected society, the "keep up to date" or "always updated" is a quite deep seed in the average people and with the always online there is no chance to wait, breath, and stay back with "old software".

Is paranoid, but we can't do anything.

True, bugfixes, beyond security, is important, but this is too much quick development. In some way, is one of the reasons we don't have official K-meleon versions with Dorian. It is just impossible to follow the quick changes/adoption of the engines. I applaud roytam with the Goanna engine, but this is crazy. And I bet it stills lags a lot behind the latests version.

As is being said in spanish, "too much for my body" (as can't follow meaning).



Edited 1 time(s). Last edit at 06/17/2019 05:36PM by JohnHell.

Quote

Currently, KM76 config only goes to
security.tls.version.max;3
which is TLS1.2

Only know that roytam1's KM-Goanna builds (KG74+KG76) have much better TLS as older KM-Gecko.
Please clarify a bit. Is it max=4 now?

@siria
Look at the library version numbers in about:support.

@siria
Use max=4 with NSS 3.3 or newer.

And the senseless destruction of harmless public websites continues:

All Major Web Browsers Will Remove TLS 1.0 and TLS 1.1 Support in 2020
https://thehackernews.com/2018/10/web-browser-tls-support.html

Quote

Since TLS implementation in all major web browsers and applications supports downgrade negotiation process, it leaves an opportunity for attackers to exploit weaker protocols even if a server supports the latest version.
According to the press releases published by four major companies, Google, Microsoft, Apple and Mozilla, their web browsers will completely drop TLS 1.0 and 1.1support by default in the first half of 2020.

All the tech companies recommended websites that do not support TLS 1.2 or newer to move off of the old versions of the protocol as soon as possible and is practical.

Furthermore, the PCI Data Security Standard (PCI DSS) compliance also requires websites to disable SSL/TLS 1.0 implementation by June 30, 2018.

Those modern browsers have no prob to handle modern TLS of course, but ALL https-WEBSITES are forced to offer that too, no matter how harmless their content.
How many non-corporate owners of very old but still very useful websites will have huge problems to update their sites to that most modern standards? That is, if they even are still around, considering the mass of abandoned sites??
And also wondering - are those offering automatic TLS downgrade for old browsers on their public sites now even FORCED to completely kick out old browsers too??

IMO that whole stuff is just to enforce yet more exclusive web monopolies for big corporations.
While authors of old useful, public websites and users of old systems and (less spyware infested) old browsers get completely kicked out for good



Edited 1 time(s). Last edit at 07/20/2019 04:43PM by siria.