TLS 1.1 and Browser upgrades

Discussion in 'other security issues & news' started by beethoven, Jun 7, 2018.

  1. beethoven

    beethoven Registered Member

    I came across this page from Comodo
    https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation-browsers.php
    discussing the need to upgrade browsers with respect to TLS and SSL.
    What I don't understand is that the preferred option is to upgrade to the latest browsers, but then I am getting the "scary" message that my browser is using TLS 1.0 despite having the latest browsers. Is this a matter of hype by Comodo or a misunderstanding with respect to what the latest browsers have set as the default setting? Do we really have to dive deep under the hood and manually make these changes?
     
  2. Azure Phoenix

    Azure Phoenix Registered Member

  3. stapp

    stapp Global Moderator

  4. beethoven

    beethoven Registered Member

    So doing this test for Chrome and FF, I get the result that my browsers (latest versions) do provide for protocols 1.2 and 1.1 but also 1.0. So if this protocol is weak, why is it still on by default in the latest browsers? Is everyone really expected to try to find a way to disable this manually? Or does a yes under TLS 1.0 only mean there is an issue if the higher versions are not available and the browser is clever enough to use the higher versions?
     
  5. yeyo

    yeyo Registered Member

    I think that it's supported by default for compatibility reasons. I don't know how many servers use TLS 1.0 today, but it has to be a significant amount.

    To disable TLS 1.0 in FF, do the following:
    1. Go to "about:config".
    2. Search for "security.tls.version.min".
    3. Set value of the above property to "2".
    For Chrome, create a desktop shortcut and add the following argument: "--ssl-version-min=tls1.1"

    In the HTTP/HTTPS protocol, server and client (FF, Chrome..) negotiate how they should establish the communication. Clients will surely try to use the latest version of the TLS/SSL protocol, but it depends on the version that the server has. So you are right, the browser "is clever enough to use the higher version" of the TLS/SSL protocol.
     
    Last edited: Jun 8, 2018
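
Added example, not part of any post in this thread: a Python sketch of the negotiation described above. `audit` models which version gets picked for a given Firefox `security.tls.version.min` value, and `probe` applies the same floor to a real handshake. The site names and their supported-version lists are constructed sample data, and the client ceiling of TLS 1.2 is an assumption matching the test results reported earlier in the thread.

```python
import socket
import ssl

V = ssl.TLSVersion
# Firefox security.tls.version.min values mapped to a protocol floor.
FIREFOX_MIN = {1: V.TLSv1, 2: V.TLSv1_1, 3: V.TLSv1_2}

# Constructed sample data: versions each hypothetical server accepts.
SITES = {
    "modern-site.example": [V.TLSv1, V.TLSv1_1, V.TLSv1_2],
    "billpay.example": [V.TLSv1],  # legacy endpoint, TLS 1.0 only
}


def negotiate(client_min, client_max, server_versions):
    """Highest version both sides support, or None if nothing is at or
    above the client's floor (the handshake is then refused)."""
    common = [v for v in server_versions if client_min <= v <= client_max]
    return max(common) if common else None


def audit(firefox_min_pref, sites=SITES, client_max=V.TLSv1_2):
    """Model the outcome for every site under a given Firefox pref value."""
    floor = FIREFOX_MIN[firefox_min_pref]
    return {name: negotiate(floor, client_max, versions)
            for name, versions in sites.items()}


def probe(host, firefox_min_pref, port=443, timeout=5):
    """Real handshake with the same floor; returns e.g. 'TLSv1.2',
    or None when the connection or handshake fails."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = FIREFOX_MIN[firefox_min_pref]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


if __name__ == "__main__":
    for pref in (1, 2):
        result = {name: (v.name if v else "handshake fails")
                  for name, v in audit(pref).items()}
        print(f"security.tls.version.min={pref}: {result}")
```

With the floor at 1 both sample sites connect, and the modern one still gets TLS 1.2; with the floor at 2 only the TLS 1.0-only endpoint fails.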
  6. beethoven

    beethoven Registered Member

    thanks Yeyo - how do you add the argument to the shortcut?
     
  7. yeyo

    yeyo Registered Member

    You're welcome!

    To add the argument to the shortcut, append it at the end of the path. For example, if the path to Chrome is C:\Program Files (x86)\GoogleChrome\Application\chrome.exe, "the location of the item" in your shortcut, it would be as follows (quotes included):
    "C:\Program Files (x86)\GoogleChrome\Application\chrome.exe" --ssl-version-min=tls1.1

    Here is a pic for a better illustration:
    https://i.imgur.com/5U4TDJ1.png
     
  8. Victek

    Victek Registered Member

    It doesn't affect Firefox or Chrome, but it's worth noting that TLS 1.0 can be disabled in Internet Options for Internet Explorer.
     
  9. itman

    itman Registered Member

    The problem isn't the browsers, it is the web sites. My bank web site for example, still uses TLS 1.0.:rolleyes:
     
  10. TairikuOkami

    TairikuOkami Registered Member

    Get a better bank. I mean seriously, if they neglect basics like that, who knows, what else they do not do behind the closed door. My online bank uses DigiCert SHA2 via TLS 1.2. :p
     

  11. Victek

    Victek Registered Member

    One thing you could do is use a dedicated browser with TLS 1.0 support for the bank so you can disable TLS 1.0 in your other browser(s).
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Very strange from Comodo. They say there are 2 ways to fix it. Upgrade your browser or disable TLS 1.0 manually. Do they expect the browser makers to disable TLS 1.0 by default in upcoming versions? Otherwise, upgrading your browser does not make a difference.
     
  13. itman

    itman Registered Member

    I decided to "take the bull by the horns" on this.

    Turns out only one section on the bank site requires TLS 1.0 - Online Bill Pay. This is so because the bank "turkeys" farm out its processing to another vendor. As it so happens when I was fooling around determining this, it must have raised a flag on their server since they hit me with a survey on site use when I tried to log off. So I posted in that "Listen Turkey Lurky, upgrade to TLS 1.1 in that web site section."

    Anyway, switching to TLS 1.0 in that section is easy in IE11. The diagnostic web page posted has a "Change" button that will take you to Advanced settings where TLS 1.0 can be enabled. You just have to remember to disable it when exiting from that web site section.
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    With Windows XP and I.E.8, the following test must be performed:

    https://www.howsmyssl.com/

    Here is my test:

    12.JPG

    Is it possible to insert your test with I.E.8?
    TH.:thumb:
     
  15. itman

    itman Registered Member

    Here's my test using IE11. All this test does TLS-wise is verify the maximum TLS level enabled within the browser. As far as IE8 goes, I believe it is TLS 1.1:

    SSL_Test.png
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    https://support.microsoft.com/en-us/help/4316682/cumulative-security-update-for-internet-explorer-kb4316682



    :thumb:;)
     
  17. itman

    itman Registered Member

    This certainly doesn't sound like Win XP to me. Also why did you fail the howsmyssl.com test?
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

  19. itman

    itman Registered Member

  20. Sampei Nihira

    Sampei Nihira Registered Member

    With I.E.8 the ssllabs web page does not work.
     
  21. itman

    itman Registered Member

    OK. You can use the POSReady 2009 update to enable TLS 1.2 on WIN XP:
    https://sockettools.com/kb/support-for-tls-1-2-on-windows-xp/

    Registry mod. details are given in the article.

    However, note this extract from the article:
    Why anyone in their "right mind" would be using IE8 and Win XP to surf the web is beyond my comprehension.
     
    Last edited: Jun 11, 2018
  22. Sampei Nihira

    Sampei Nihira Registered Member

    You are right.:thumb:
    However, it is good to mention this possibility.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member


    The article is not correct.
    To add TLS 1.2 support to I.E.8 you need:

    KB4019276
    KB4316682


    The registry modification is below:

    https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/?page=2
     
  24. itman

    itman Registered Member

    Per this thread:
    In other words, KB4019276 adds TLS 1.2 support to XP Embedded and KB4316682 adds TLS 1.2 support to IE8 running on XP Embedded. So unless you are using one of the XP Embedded vers., IE8 doesn't support TLS 1.2.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Et voilà.
    I deleted the 3 insecure ciphers.
    The test is now OK:


    300.JPG
     