[HTTPS-Everywhere] security.tls.version level settings in Firefox
David W. Armstrong
dwarmstrong at optonline.net
Sat Jan 17 08:52:15 PST 2015
This email may be related to the following item:
https://trac.torproject.org/projects/tor/ticket/11154
I should preface this by thanking you for the https-everywhere
software. It's a useful thing to have. And free!
I also apologize in advance for my low level of technical
sophistication. Please try not to laugh too hard.
Since recent news about concerns on SSL 3.0 vulnerabilities, in Firefox
(ESR channel) I have been manually setting (using about:config) the
value of security.tls.version.min to 2. This was because I had seen
some comments (perhaps somewhat old, but I wanted to be on the safe
side) that TLS 1.0 might also have some vulnerabilities.
Recently I have noticed that when I exit Firefox and then start it
again, the setting for security.tls.version.min changes/reverts to 1.
So I have had to manually reset it to 2 each time I start Firefox.
This happens in my Linux environment (Scientific Linux 6.6), as well as
MS-Windows 8.1 -- I have the same version of Firefox in both, and the
https-everywhere plugin and NoScript in both, too.
In researching what might be causing this (and I don't claim to have
great JavaScript skills), I noted the code at about line 200 in
https-everywhere.js in my Linux environment (I haven't checked in the
MS-Windows environment yet):
// Disable SSLv3 to prevent POODLE attack.
// https://www.imperialviolet.org/2014/10/14/poodle.html
var root_prefs = this.get_prefs(PREFBRANCH_NONE);
root_prefs.setIntPref("security.tls.version.min", 1);
Not having read all the code carefully, and not being all that facile
with JavaScript, I'm guessing that this may be forcing
security.tls.version.min to 1 and not allowing me to override that in
user.js or other user scripts.
Since from the comments, the intent of the code is to disable a setting
of 0 for security.tls.version.min, it would seem good to check for the
current setting and only change it to 1 if it is less than 1. That way
the user can more easily choose to maintain a higher security setting.
In doing some further research for this e-mail, I ran across this recent
item:
https://www.imperialviolet.org/2014/12/08/poodleagain.html
Based on that, I'm inclined to set security.tls.version.min to 3 for my
own settings.
It may block half the web, but presumably it would be the safer half.
Peace, to all who seek peace,
David A.
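The guarded write the message proposes (raise the floor to 1 only when the current value is lower), as an added example that is not code from the original message or from the HTTPS Everywhere project. It assumes a stand-in for Firefox's nsIPrefBranch (makePrefBranch, a constructed mock with getIntPref/setIntPref) so both variants can be run outside the browser, and uses the value mapping of that era (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2).

```javascript
// Added example, not from HTTPS Everywhere. makePrefBranch is a constructed
// stand-in for nsIPrefBranch: like the real one, getIntPref throws when the
// pref does not exist.
function makePrefBranch(initial) {
  const store = Object.assign({}, initial);
  return {
    getIntPref(name) {
      if (!(name in store)) throw new Error("NS_ERROR_UNEXPECTED: " + name);
      return store[name];
    },
    setIntPref(name, value) { store[name] = value; },
  };
}

const PREF = "security.tls.version.min";

// The behaviour described in the message: unconditionally write 1, so a
// user who chose 2 or 3 is silently dropped back to TLS 1.0 on every start.
function disableSslv3Unconditional(prefs) {
  prefs.setIntPref(PREF, 1);
  return prefs.getIntPref(PREF);
}

// The suggested fix: only raise the floor, never lower it. A missing pref
// (getIntPref throws) is treated as "below the floor" and set to the floor.
function disableSslv3Guarded(prefs, floor = 1) {
  let current;
  try {
    current = prefs.getIntPref(PREF);
  } catch (e) {
    current = floor - 1;
  }
  if (current < floor) prefs.setIntPref(PREF, floor);
  return prefs.getIntPref(PREF);
}
```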