Disabling SSL/TLS protocols to safeguard payment data

June 30, 2018 is the deadline for disabling SSL/early TLS and implementing
a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is
strongly encouraged) in order to meet the PCI Data Security Standard (PCI
DSS) for safeguarding payment data.

For Firefox and Seamonkey

In about:config, set security.tls.version.min to 2 to prevent protocols low=
er than TLS 1.1 from being used.

Reference: http://kb.mozillazine.org/Security.tls.version.*
0
Andy
6/8/2018 7:02:58 PM
mozilla.support.seamonkey

Andy K wrote:

> June 30, 2018 is the deadline for disabling SSL/early TLS and
> implementing a more secure encryption protocol – TLS 1.1 or higher
> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
> Security Standard (PCI DSS) for safeguarding payment data.
> 
> For Firefox and Seamonkey
> 
> In about:config, set security.tls.version.min to 2 to prevent
> protocols lower than TLS 1.1 from being used.
> 
> Reference: http://kb.mozillazine.org/Security.tls.version.*


You can also do this through the user interface:
Edit | Preferences | Privacy & Security | SSL/TLS
Uncheck the box for TLS 1.0.

The two functions are equivalent; your way doesn't prevent the user from 
enabling TLS 1.0 later.

-- 
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher

0
Paul
6/8/2018 7:44:43 PM
On Friday, June 8, 2018 at 2:44:47 PM UTC-5, Paul B. Gallagher wrote:
> Andy K wrote:
> 
> > June 30, 2018 is the deadline for disabling SSL/early TLS and
> > implementing a more secure encryption protocol – TLS 1.1 or higher
> > (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
> > Security Standard (PCI DSS) for safeguarding payment data.
> > 
> > For Firefox and Seamonkey
> > 
> > In about:config, set security.tls.version.min to 2 to prevent
> > protocols lower than TLS 1.1 from being used.
> > 
> > Reference: http://kb.mozillazine.org/Security.tls.version.*
> 
> 
> You can also do this through the user interface:
> Edit | Preferences | Privacy & Security | SSL/TLS
> Uncheck the box for TLS 1.0.
> 
> The two functions are equivalent; your way doesn't prevent the user from
> enabling TLS 1.0 later.
> 
> -- 
> War doesn't determine who's right, just who's left.
> --
> Paul B. Gallagher

Interesting.

Looks like either way could be overwritten.

Andy
0
Andy
6/9/2018 12:03:15 AM
On 2018-06-08 15:02, Andy K wrote:
> June 30, 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
[...]
> In about:config, set security.tls.version.min to 2 to prevent protocols lower than TLS 1.1 from being used.

	This is fine if you only use the browser to access sites that are 
compliant with payment industry standards.  But most people use browsers 
for more than just online banking etc., and some of those sites may not 
support newer TLS versions.  So just remember that after making this 
change, you will probably break your browser's ability to access some 
sites; you'll either need to keep switching your TLS minimum version 
back and forth, or use one browser for online banking etc. and a 
different browser for other activities.

-Steve
0
Steve
6/9/2018 2:29:43 PM
On 06/09/2018 09:29 AM, Steve Dunn wrote:
> On 2018-06-08 15:02, Andy K wrote:
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
> [...]
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
> 
>     This is fine if you only use the browser to access sites that are
> compliant with payment industry standards.  But most people use browsers
> for more than just online banking etc., and some of those sites may not
> support newer TLS versions.

The vast majority of my transactions will be with my bank.
Is it reasonable to presume they will use the later standard?

>  So just remember that after making this
> change, you will probably break your browser's ability to access some
> sites;

For the odd site that can use only the older standard, will I get an
informative error message?


> you'll either need to keep switching your TLS minimum version
> back and forth, or use one browser for online banking etc. and a
> different browser for other activities.

Will having distinct profiles address the issue adequately?
I currently use profiles that do/don't enable JavaScript and/or cookies
for a similar purpose.
[I've a *NEGATIVE* view of both ;]

> 
> -Steve


0
Richard
6/9/2018 2:57:02 PM
On 6/9/18, Richard Owlett <rowlett@cloud85.net> wrote:
> On 06/09/2018 09:29 AM, Steve Dunn wrote:
>> On 2018-06-08 15:02, Andy K wrote:
>>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>>> implementing a more secure encryption protocol – TLS 1.1 or higher
>>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>>> Security Standard (PCI DSS) for safeguarding payment data.
>> [...]
>>> In about:config, set security.tls.version.min to 2 to prevent
>>> protocols lower than TLS 1.1 from being used.
>>
>>      This is fine if you only use the browser to access sites that are
>> compliant with payment industry standards.  But most people use browsers
>> for more than just online banking etc., and some of those sites may not
>> support newer TLS versions.
>
> The vast majority of my transaction will be with my bank.
> Is it reasonable to presume they will use the later standard?

Don't guess, see how well your bank does:
  https://www.ssllabs.com/ssltest/index.html


>>  So just remember that after making this
>> change, you will probably break your browser's ability to access some
>> sites;
>
> For the odd site that can use only the older standard, will I get an
> informative error message?

My recollection is no, you get something not terribly informative.
(I allowed SSLv3 for ages until archive.org finally upgraded)

I've got security.tls.version.min set to 3 and haven't found a site
yet that fails - anyone know of a site that does TLS 1.1 but not TLS
1.2?

>> you'll either need to keep switching your TLS minimum version
>> back and forth, or use one browser for online banking etc. and a
>> different browser for other activities.
>
> Will having distinct profiles address the issue adequately.
> I currently use profiles that do/don't enable JavaScript and/or cookies
> for similar purpose.
> [I've a *NEGATIVE* view of both ;]

Yes, that should work.

Lee
0
Lee
6/9/2018 4:11:26 PM
On 2018-06-09 10:57, Richard Owlett wrote:
> On 06/09/2018 09:29 AM, Steve Dunn wrote:
>> On 2018-06-08 15:02, Andy K wrote:
>>> In about:config, set security.tls.version.min to 2 to prevent 
>>> protocols lower than TLS 1.1 from being used.
>>
>>      This is fine if you only use the browser to access sites that are 
>> compliant with payment industry standards.  But most people use 
>> browsers for more than just online banking etc., and some of those 
>> sites may not support newer TLS versions.
> 
> The vast majority of my transaction will be with my bank.
> Is it reasonable to presume they will use the later standard?

	It should be, assuming that your bank takes PCI compliance seriously 
(and if they don't take industry security standards seriously, that 
should probably raise some other questions in your mind).  And if that's 
true, then you shouldn't need to disable TLS 1.0 on your browser to keep 
your banking data safe.  If the site you're connecting to only supports 
1.1 and 1.2, your browser can't negotiate 1.0 with them, unless there's 
a man-in-the-middle attack.

	For that matter, in the absence of a man-in-the-middle attack, your 
browser and the server should negotiate the highest mutually-supported 
TLS version.  So if your browser supports 1.0-1.2 (which I think is the 
default configuration for Seamonkey) and you're connecting to a site 
that supports 1.0 and at least one of 1.1 and 1.2, you shouldn't get 1.0.

	To be honest, I don't know how many sites still lack support for TLS 
1.1 or higher.  I have no doubt that there are some, either running 
outdated software or configured by administrators who don't know a lot 
about TLS versions, but have no idea if it's 0.001% or 1% or some other 
number.  You can always disable TLS 1.0, do your normal everyday 
activities for a while, and see if any of the sites you use break.

-Steve
0
Steve
6/10/2018 6:35:01 PM
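Steve's point that the two prefs set a floor and ceiling rather than choose the version can be checked with a small model. This is an added example, not code from the thread or from Mozilla; the pref-value mapping is Mozilla's documented one for security.tls.version.*, the handshake is simplified to "highest version both sides share", and the client and server version sets are constructed.

```python
# Added example for this thread, not code from Mozilla or any poster.
# Models how security.tls.version.min / .max bound the TLS version a Gecko
# browser negotiates. The pref-value mapping is Mozilla's documented one
# (0 = SSL 3.0 ... 4 = TLS 1.3); the handshake is simplified to "both sides
# use the highest version they have in common". Server version sets below
# are constructed for illustration.

# security.tls.version.* pref value -> protocol
PREF_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Error the browser shows when the peer offers nothing inside the client's
# range (the code Mason quoted from the error page).
UNSUPPORTED = "SSL_ERROR_UNSUPPORTED_VERSION"


def client_range(tls_min, tls_max):
    """Versions the browser is willing to negotiate, derived from the two prefs."""
    if tls_min not in PREF_VERSIONS or tls_max not in PREF_VERSIONS or tls_min > tls_max:
        raise ValueError(f"invalid prefs: min={tls_min} max={tls_max}")
    return set(range(tls_min, tls_max + 1))


def negotiate(tls_min, tls_max, server_versions):
    """Protocol name that would be agreed, or UNSUPPORTED.

    The minimum pref is a floor, not a choice: against a server that also
    speaks 1.1 or 1.2 the browser never ends up on 1.0 even with min=1.
    The floor only decides the outcome for servers stuck on old versions
    (or an on-path attacker trying to make the server look that way).
    """
    common = client_range(tls_min, tls_max) & set(server_versions)
    return PREF_VERSIONS[max(common)] if common else UNSUPPORTED


def meets_pci_floor(tls_min):
    """True when the floor satisfies the thread's 'TLS 1.1 or higher' rule."""
    return tls_min >= 2


# Constructed scenarios mirroring the thread.
CLIENTS = {
    "seamonkey default (1.0-1.2)": (1, 3),
    "min=2 (Andy)": (2, 3),
    "min=3 (Lee)": (3, 3),
}
SERVERS = {
    "bank with 1.0+1.1+1.2": {1, 2, 3},
    "tls 1.0 only (like LCL)": {1},
    "tls 1.1 but not 1.2": {1, 2},
}

if __name__ == "__main__":
    for cname, (lo, hi) in CLIENTS.items():
        print(f"{cname} (PCI floor ok: {meets_pci_floor(lo)})")
        for sname, versions in SERVERS.items():
            print(f"  vs {sname:24s} -> {negotiate(lo, hi, versions)}")
```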
On 08/06/2018 21:02, Andy K wrote:

> June 30, 2018 is the deadline for disabling SSL/early TLS and
> implementing a more secure encryption protocol – TLS 1.1 or higher
> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
> Security Standard (PCI DSS) for safeguarding payment data.
> 
> For Firefox and Seamonkey
> 
> In about:config, set security.tls.version.min to 2 to prevent
> protocols lower than TLS 1.1 from being used.
> 
> Reference: http://kb.mozillazine.org/Security.tls.version.*

FWIW, one of the largest banks in France seems to be stuck
using TLS 1.0

Trying to connect to https://particuliers.secure.lcl.fr/
leads to this error message:

"""
Secure Connection Failed

An error occurred during a connection to particuliers.secure.lcl.fr.

Peer using unsupported version of security protocol.

Error code: SSL_ERROR_UNSUPPORTED_VERSION

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

    Please contact the website owners to inform them of this problem.
"""


https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
This server accepts RC4 cipher, but only with older protocols. Grade capped to B.
This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.


When will these people take security seriously?

Regards.
0
Mason83
6/11/2018 9:31:44 AM
Mason83 wrote on 11/06/18 19:31:
> On 08/06/2018 21:02, Andy K wrote:
> 
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
>>
>> For Firefox and Seamonkey
>>
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>>
>> Reference: http://kb.mozillazine.org/Security.tls.version.*
> 
> FWIW, one of the largest banks in France seems to be stuck
> using TLS 1.0
> 
> Trying to connect to https://particuliers.secure.lcl.fr/
> leads to this error message:
> 
> """
> Secure Connection Failed
> 
> An error occurred during a connection to particuliers.secure.lcl.fr.
> 
> Peer using unsupported version of security protocol.
> 
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
> 
> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> 
>      Please contact the website owners to inform them of this problem.
> """

So that's what it means!! ;-)

Each day, when I download my e-mails, SM usually filters most of them 
into the Trash folder (as I've set things up!). I then go through my 
Trash folder and send copies of those e-mails to Spamcop.net and, often, 
SM gives me a screen the same as yours, Mason. When I then re-send the 
e-mail, things usually work fine!!

Last week, I asked my ISP what was going on, and he said it was an error 
on their server, then I mentioned that it usually worked second time 
around. He replied that, second time around, it was probably getting to 
a different server!

Mason, did you try logging on again, i.e. clicking the "Resend" button 
on that Error screen?? If so, does it work, second time around??

P.S. Until yesterday, I did have TLS 1.0 enabled, along with 1.1 and 
1.2, but de-selected it yesterday, and the spamcop.net site still worked 
and/or failed today!!

-- 
Daniel

User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 
SeaMonkey/2.49.1 Build identifier: 20171016030418

User agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 
SeaMonkey/2.49.1 Build identifier: 20171015235623
0
Daniel
6/11/2018 12:32:00 PM
On 11/06/2018 14:32, Daniel wrote:
> Mason83 wrote on 11/06/18 19:31:
>> On 08/06/2018 21:02, Andy K wrote:
>>
>>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>>> implementing a more secure encryption protocol – TLS 1.1 or higher
>>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>>> Security Standard (PCI DSS) for safeguarding payment data.
>>>
>>> For Firefox and Seamonkey
>>>
>>> In about:config, set security.tls.version.min to 2 to prevent
>>> protocols lower than TLS 1.1 from being used.
>>>
>>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>>
>> FWIW, one of the largest banks in France seems to be stuck
>> using TLS 1.0
>>
>> Trying to connect to https://particuliers.secure.lcl.fr/
>> leads to this error message:
>>
>> """
>> Secure Connection Failed
>>
>> An error occurred during a connection to particuliers.secure.lcl.fr.
>>
>> Peer using unsupported version of security protocol.
>>
>> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>>
>> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
>>
>>      Please contact the website owners to inform them of this problem.
>> """
> 
> So that's what it means!! ;-)
> 
> Each day, when I download my e-mails, SM usually filters most of them 
> into the Trash folder (as I've set things up!). I then go through my 
> Trash folder and send copies of those e-mails to Spamcop.net and, often, 
> SM gives me a screen the same as yours, Mason. When I then re-send the 
> e-mail, things usually work fine!!
> 
> Last week, I asked my ISP what was going on, and he said it was an error 
> on their server, then I mentioned that it usually worked second time 
> around. He replied that, second time around, it was probably getting to 
> a different server!
> 
> Mason, did you try logging on again, i.e. clicking the "Resend" button 
> on that Error screen?? If so, does it work, second time around??

I'm afraid there is nothing to "Resend" as I was just trying to load
a web page, at URL https://particuliers.secure.lcl.fr/

I suppose I can "Reload" but I suspect it will always fail (until
TLS 1.0 is re-enabled).

Regards.
0
Mason83
6/11/2018 12:39:47 PM
Mason83 wrote on 11/06/18 22:39:
> On 11/06/2018 14:32, Daniel wrote:
>> Mason83 wrote on 11/06/18 19:31:
>>> On 08/06/2018 21:02, Andy K wrote:
>>>
>>>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>>>> implementing a more secure encryption protocol – TLS 1.1 or higher
>>>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>>>> Security Standard (PCI DSS) for safeguarding payment data.
>>>>
>>>> For Firefox and Seamonkey
>>>>
>>>> In about:config, set security.tls.version.min to 2 to prevent
>>>> protocols lower than TLS 1.1 from being used.
>>>>
>>>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>>>
>>> FWIW, one of the largest banks in France seems to be stuck
>>> using TLS 1.0
>>>
>>> Trying to connect to https://particuliers.secure.lcl.fr/
>>> leads to this error message:
>>>
>>> """
>>> Secure Connection Failed
>>>
>>> An error occurred during a connection to particuliers.secure.lcl.fr.
>>>
>>> Peer using unsupported version of security protocol.
>>>
>>> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>>>
>>> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
>>>
>>>       Please contact the website owners to inform them of this problem.
>>> """
>>
>> So that's what it means!! ;-)
>>
>> Each day, when I download my e-mails, SM usually filters most of them
>> into the Trash folder (as I've set things up!). I then go through my
>> Trash folder and send copies of those e-mails to Spamcop.net and, often,
>> SM gives me a screen the same as yours, Mason. When I then re-send the
>> e-mail, things usually work fine!!
>>
>> Last week, I asked my ISP what was going on, and he said it was an error
>> on their server, then I mentioned that it usually worked second time
>> around. He replied that, second time around, it was probably getting to
>> a different server!
>>
>> Mason, did you try logging on again, i.e. clicking the "Resend" button
>> on that Error screen?? If so, does it work, second time around??
> 
> I'm afraid there is nothing to "Resend" as I was just trying to load
> a web page, at URL https://particuliers.secure.lcl.fr/
> 
> I suppose I can "Reload" but I suspect it will always fail (until
> TLS 1.0 is re-enabled).
> 
> Regards.
> 
Ah!! Valid Point! I'm trying to send stuff to a website, you're just 
trying to get to a website!

-- 
Daniel

User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 
SeaMonkey/2.49.1 Build identifier: 20171016030418

User agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 
SeaMonkey/2.49.1 Build identifier: 20171015235623
0
Daniel
6/11/2018 12:53:12 PM
On 6/11/18, Mason83 <root@dom.invalid> wrote:
> On 08/06/2018 21:02, Andy K wrote:
>
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
>>
>> For Firefox and Seamonkey
>>
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>>
>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>
> FWIW, one of the largest banks in France seems to be stuck
> using TLS 1.0
>
> Trying to connect to https://particuliers.secure.lcl.fr/
> leads to this error message:
>
> """
> Secure Connection Failed
>
> An error occurred during a connection to particuliers.secure.lcl.fr.
>
> Peer using unsupported version of security protocol.
>
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>
> The page you are trying to view cannot be shown because the authenticity of
> the received data could not be verified.
>
>     Please contact the website owners to inform them of this problem.
> """
>
>
> https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr
>
> This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade
> capped to B.
> The server supports only older protocols, but not the current best TLS 1.2.
> Grade capped to C.
> This server accepts RC4 cipher, but only with older protocols. Grade capped
> to B.
> This server does not support Forward Secrecy with the reference browsers.
> Grade capped to B.
> This server does not support Authenticated encryption (AEAD) cipher suites.
> Grade capped to B.
>
>
> When will these people take security seriously?

When they're forced to?

On a related note, how are the https intercepting anti-virus vendors
doing these days?
I haven't found anything later than Feb 2017:
https://www.zdnet.com/article/google-and-mozillas-message-to-av-and-security-firms-stop-trashing-https/
   "In an evaluation of antivirus products that feature TLS
interception, only Avast AV 11 and AV 10 score an A grade, while all
others score a C or F. They award a C to products containing a known
TLS vulnerability, such as BEAST, FREAK, and Logjam; or an F for
products with a severely broken connection due to weak ciphers or not
validating certificates."

If you're concerned about online banking, it might be worth checking
  https://www.ssllabs.com/ssltest/viewMyClient.html

Lee
0
Lee
6/11/2018 4:29:30 PM