Quote: JamesD
I have started getting messages that I cannot use some sites in HTTPS mode because the security is not good enough. What is the highest level KM can handle? Are there any options a user can do to increase the security?
I have tried in 75.1, 76RC and 76RC2.
I don't think this is user-agent related. One site mentioned TLS, but I don't remember the specific message.
Hi JamesD - The highest level encryption (https) for KM76RC is TLS 1.2. TLS 1.3 has not been activated yet AFAIK. And yes, you're quite correct it is not UA-related.
Now I have to ask, because too many people can't quite see the difference, do you understand what TLS and SSL are? Importantly, are you aware that SSL is fatally broken and has been for as much as 10 years?
Transport Layer Security replaces Secure Sockets Layer, and SSL must be disabled.
To make your KM secure, do these:
* security.ssl.enable_false_start;false
* security.ssl.require_safe_negotiation;true
* security.ssl.treat_unsafe_negotiation_as_broken;true
* security.tls.unrestricted_rc4_fallback;false
* security.tls.version.fallback-limit;1
* security.xpconnect.plugin.unrestricted;false
network.disable.ipc.security;false
security.cert_pinning.process_headers_from_non_builtin_roots;false
security.ssl.errorReporting.enabled;true
security.tls.version.max;3 (this makes KM ready for TLS 1.3 when that is activated)
security.tls.version.min;1
* security.ssl3.ecdhe_ecdsa_rc4_128_sha;false
* security.ssl3.ecdhe_rsa_rc4_128_sha;false
* security.ssl3.rsa_des_ede3_sha;false
* security.ssl3.rsa_rc4_128_md5;false
* security.ssl3.rsa_rc4_128_sha;false
Anything with an asterisk is a UserSet; no asterisk means default setting.
Removing the 5 ciphers will force KM to look higher on the shelves, and will prevent insecure sites from loading. These ciphers are all broken: you may as well use plain text.
Doing this will get some sites unloadable, sadly. It was heart-breaking to see so many Microsoft technical sites refused by KM. But eventually M$ grew a brain.
Alas, many Apple support sites are still using broken old (non)security...
There is no point encouraging sloppy server management, so you'll need to grit your teeth and fire off an email to their site management if you have a pressing need to access those pages... They probably won't care.
IMHO, KM should be shipped with these settings pre-installed.
____________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall" 01372, January 22, 2007, http://freefall.purrsia.com/ff1400/fv01372.htm]
Edited 2 time(s). Last edit at 12/23/2016 02:38PM by gordon451.
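As an added illustration (this is not gordon451's or the K-Meleon project's code), the script below takes the preference list exactly as it appears in the post above (the "name;value" form about:config copies out, with the "* " marking user-set entries), turns it into user.js lines, and audits a profile's prefs.js against it. It assumes K-Meleon, being Gecko-based, reads the same prefs.js/user.js syntax Firefox does; the sample prefs.js at the bottom is constructed for the demo, not taken from a real profile.

```python
import re

# Settings from the post, copied as about:config shows them ("name;value"),
# with the post's leading "* " kept on the entries it marks as user-set.
RECOMMENDED_PREFS_TEXT = """\
* security.ssl.enable_false_start;false
* security.ssl.require_safe_negotiation;true
* security.ssl.treat_unsafe_negotiation_as_broken;true
* security.tls.unrestricted_rc4_fallback;false
* security.tls.version.fallback-limit;1
* security.xpconnect.plugin.unrestricted;false
network.disable.ipc.security;false
security.cert_pinning.process_headers_from_non_builtin_roots;false
security.ssl.errorReporting.enabled;true
security.tls.version.max;3
security.tls.version.min;1
* security.ssl3.ecdhe_ecdsa_rc4_128_sha;false
* security.ssl3.ecdhe_rsa_rc4_128_sha;false
* security.ssl3.rsa_des_ede3_sha;false
* security.ssl3.rsa_rc4_128_md5;false
* security.ssl3.rsa_rc4_128_sha;false
"""

MISSING = object()  # sentinel: pref not present in the profile's prefs.js


def parse_value(raw):
    """Convert about:config text to the type prefs.js uses: bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw


def parse_pref_list(text):
    """Parse 'name;value' lines into (prefs, user_set); '* ' marks user-set entries."""
    prefs, user_set = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        starred = line.startswith("*")
        if starred:
            line = line[1:].strip()
        name, _, value = line.partition(";")
        name = name.strip()
        prefs[name] = parse_value(value.strip())
        if starred:
            user_set.add(name)
    return prefs, user_set


def _fmt(value):
    """Render a Python value in user.js syntax (bool before int: bool is an int subclass)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_user_js(prefs):
    """Emit one user_pref() line per pref, sorted by name."""
    return "\n".join(f'user_pref("{n}", {_fmt(v)});' for n, v in sorted(prefs.items()))


PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text):
    """Read user_pref() lines from a prefs.js/user.js into a dict; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = parse_value(raw)
    return prefs


def audit(current, recommended, user_set):
    """Return {name: (have, want)} for prefs that differ from the recommendation.

    prefs.js only records values that differ from the build's default, so an
    absent entry is reported only for prefs the list marks as user-set; an
    absent default-class pref is taken to be at its default.
    """
    findings = {}
    for name, want in recommended.items():
        have = current.get(name, MISSING)
        if have is MISSING:
            if name in user_set:
                findings[name] = (None, want)
        elif type(have) is not type(want) or have != want:
            findings[name] = (have, want)
    return findings


# Constructed sample prefs.js for a profile that still permits SSL-era settings
# (security.tls.version.min;0 and one RC4 suite left on); not from a real install.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("security.tls.version.min", 0);
user_pref("security.ssl3.rsa_rc4_128_sha", true);
user_pref("security.ssl.enable_false_start", false);
user_pref("security.tls.version.fallback-limit", 1);
"""

if __name__ == "__main__":
    recs, user_set = parse_pref_list(RECOMMENDED_PREFS_TEXT)
    print("# user.js generated from the post's list")
    print(to_user_js(recs))
    print("\n# findings against the sample profile")
    for name, (have, want) in sorted(audit(parse_prefs_js(SAMPLE_PREFS_JS), recs, user_set).items()):
        print(f"{name}: have {have!r}, want {want!r}")
```

Drop the generated lines into a user.js in the profile directory (with the browser closed) and they are applied on the next start; the audit is handy for checking a profile later, since a prefs.js entry that drifts back, or one that was never set, will show up as a finding. The type check in audit matters because Python treats True as equal to 1, and a pref stored as an integer where a boolean was expected would otherwise pass silently.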