Bernd_P
New member
Status: New idea

As I have been using Firefox for years now, with heightened attention to security issues, I want to share some urgent necessities with the Mozilla Foundation.

1) An "Enhanced Strict TLS mode" in the browser, which no longer allows calling up any plain HTTP (unencrypted) content, including any unencrypted cookies, e.g. It should also issue a warning on HSTS not being implemented on a website (as this may affect session integrity), and avoid websites having anything enabled which falls under weak security. (Requirement limits: RFC 8446)

2) The TLS implementation should soon make a further shift towards tightened security in general. Which means: avoidance/removal of plain RSA handshakes and likewise avoidance/removal of CBC-mode ciphers from the browser itself, "ASAP". Alongside this, only TLS 1.2 and TLS 1.3 should be supported, with respect to RFC 8446. Websites not providing it, or not compliant (older TLS 1.2 standard), should be marked as "potentially insecure" (weak security). Warning on EC/DH/RSA handshakes not having at least 2048 bits of strength.

3) Known commercial websites with money transactions should actively and only be browsed using the strongest available cipher modes and use TLS 1.3 everywhere if and whenever possible, which is merely a default on server TLS 1.3. In TLS 1.2, however, the browser should actively take special care of it: active lockout (suppression) of insecure/weakly secured content on such sites. RFC 8446.
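The three rules above (no plain HTTP, warn on missing HSTS, no RSA key exchange or CBC ciphers, TLS 1.2 tolerated but marked, TLS 1.3 preferred) can be written down as a small policy audit. This is an added example, not Firefox or Mozilla code; it assumes cipher suites are described in the dict layout that Python's `ssl.SSLContext.get_ciphers()` returns, and all site data below is constructed.

```python
"""Policy checker for the 'Enhanced Strict TLS mode' sketched above (added example)."""
import ssl
from typing import Dict, List, Tuple

LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}   # post: only TLS 1.2 and 1.3 allowed
HSTS = "strict-transport-security"


def cipher_findings(c: Dict) -> List[str]:
    """Weaknesses of one cipher entry (keys as in SSLContext.get_ciphers())."""
    out = []
    if c["kea"] == "kx-rsa":                # static RSA handshake: no forward secrecy
        out.append(f"{c['name']}: plain RSA key exchange")
    if c["symmetric"].endswith("-cbc"):     # e.g. aes-128-cbc, des-ede3-cbc
        out.append(f"{c['name']}: CBC-mode cipher")
    if c["strength_bits"] < 128:
        out.append(f"{c['name']}: fewer than 128 bits of strength")
    return out


def audit_site(url: str, headers: Dict[str, str], versions: List[str],
               ciphers: List[Dict]) -> Tuple[str, List[str]]:
    """Verdict is one of: blocked, insecure, potentially insecure, ok."""
    if url.lower().startswith("http://"):
        return "blocked", ["plain HTTP is not allowed in strict mode"]
    findings = [f"{v}: protocol below TLS 1.2" for v in versions if v in LEGACY_VERSIONS]
    findings += [f for c in ciphers for f in cipher_findings(c)]
    warnings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if HSTS not in hdrs or "max-age=" not in hdrs[HSTS].lower():
        warnings.append("HSTS header missing or without max-age")
    if "TLSv1.3" not in versions:
        warnings.append("server does not offer TLS 1.3")
    if findings:
        return "insecure", findings + warnings
    return ("potentially insecure", warnings) if warnings else ("ok", [])


def local_openssl_findings() -> List[str]:
    """Run the cipher rules over every suite this Python/OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [f for c in ctx.get_ciphers() for f in cipher_findings(c)]


if __name__ == "__main__":
    # constructed sample: a bank that still offers TLS 1.1 and an RSA/CBC suite
    weak = {"name": "AES128-SHA", "kea": "kx-rsa", "symmetric": "aes-128-cbc", "strength_bits": 128}
    print(audit_site("https://bank.example", {}, ["TLSv1.1", "TLSv1.2"], [weak]))
    print(len(local_openssl_findings()), "weak suites enabled in this OpenSSL build")
```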

2 Comments
2Big4YourBoots
Making moves

Bernd_P, I understand that you are simply an end user like I am and that your comments on TLS might be valid, especially for traffic over the internet, but the recent changes to TLS now mean that ***I AM NOW UNABLE TO ACCESS MY HOME ROUTER***.

After so far putting up with Firefox's arrogant decision to enforce mobile browsing on my 4K mobile device and also the incessant 'mine is bigger than yours' update feud with other browser makers, I'm finally at the point where, if I do not find an easy fix for resolving this access issue for my router, I will uninstall Firefox not only from our four home computers and mobile devices, but I will uninstall it from the fleet of laptops and desktops I manage at work.

I'm used to the heavy-handed attitude from Microsoft and Google -- I do not expect it from Firefox, who is meant to be on the 'side' of the users...

spudatoe
Strollin' around

@Bernd_P
I'm sorry, but whilst your idea seems like it has good intentions, particularly blocking financial transactions not using the safer TLS version, many of us are having issues with hardware/devices we can no longer access from the browser.

For me, I have old but extremely expensive server hardware that cannot be replaced for financial reasons (I don't have work due to disability).

Also, a printer management module can no longer be accessed.

I don't run any kind of business with my two servers, purely storage and hobby, and they are rarely used on the internet except for Windows updates.

But accessing them via iLO3 (which only supports TLS 1.0 and TLS 1.1) is no longer possible via the browser.

This makes powering them up, shutting them down and monitoring hardware/health remotely impossible for me, and physically painful.

HP will not update iLO3 to support TLS 1.2. iLO3 cannot be upgraded or updated to iLO4.

I suggest that Moz implement a "DMZ" for the local network (and same-subnet hardware), where FORCED rules (for the so-called "benefit of users") are able to be turned off.

Maybe Firefox could generate its own safety cert/exclusion key, which is emailed to the user's verified email address, for specific trusted hardware on a local network, as in my example.

@2Big4YourBoots - I heartily agree with you!! I can't see a way to add kudos to your comment tho.

Anyway, I'll create a "new idea" on these forums with my idea and post it.