Firefox 23 final will be released on August 6

Discussion in 'other software & services' started by siljaline, Aug 2, 2013.

Thread Status:
Not open for further replies.
  1. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Firefox 23 finally adds TLS 1.1 support, 1.2 added in FF 24. However they are disabled by default because of backward compatibility problems and other bugs. Plus, they still need to implement the new AES GCM cipher suites since it's mandatory in 1.2 AFAIK.
    If you want to enable the new TLS versions you'll have to use about:config since they removed it from the GUI since v23...
    http://kb.mozillazine.org/Security.tls.version.*
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    security.tls.version.max defaults to 1 on version 23.
    If you are feeling adventurous you can get it from their FTP now.There may or may not be another build before it is released. There were 10 betas...
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    I see that in FF22 the "use TLS 1.0" option is available in advanced security settings. Is the TLS setting removed from the settings UI in FF23, and when you say the setting default is "1" does that mean FF23 uses TLS 1.1 by default?
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Yes, the TLS setting is removed from the settings UI in v23.
    You have 2 entries, one for the minimum required protocol and one for the maximum enabled protocol, 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1 and 3 = TLS 1.2(not yet supported in FF23, 1.2 is available from v24)
    So for example if you set minimum value to 1 and maximum value to 2, then TLS 1.0 and 1.1 will be enabled and SSL 3 and TSL 1.2 will be disabled.
    See here for more details:
    http://kb.mozillazine.org/Security.tls.version.*
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I wish they would stop removing all of the settings from software. At least I can work a config file. If they take that away I am switching browsers.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    So, if I set min to "1" and max to "2" does Firefox automatically attempt to use TLS 1.1 and, if it can't negotiate a connection, fallback to TLS 1.0? Is it desirable to intentionally exclude SSL 3 by not setting min to "0"?
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Yes, it tries the newest protocol and if the server doesn't support that it goes down the list until it finds one that works(though it doesn't try protocols you excluded of course)
    I think TLS 1.0 is slightly more secure than SSL 3.0 so that would improve security a very little bit, and since TLS 1.0 has been around for a long time I don't think it should cause compatibility problems. Though TLS 1.0 is old and has vulnerabilities, so improvement on security is minimal. Perhaps it can be compared a bit by running an outdated, vulnerable version of Firefox; your boss doesn't allow updates to latest version because they must be tested first, so you're still running Firefox 17.0, then 18.0 is approved by your boss and you can upgrade to v18 and have some vulnerabilities fixed, but you are still way behind and there are still lots of unfixed vulnerabilities, though it's still a little better than staying on v17. Not a great comparison but you get the general idea.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    There is a request on Bugzilla to add SSL/TLS version information to the pop-up that appears when you click the lock icon. I've also added a comment to suggest more information, such as Perfect Forward Secrecy, (In)secure renegotiation, more details etc. It would be nice if people from here would add their vote to the request to get attention from the devs and speed up implementation.
    https://bugzilla.mozilla.org/show_bug.cgi?id=834052
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Same here, very annoying trend :(
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Are you sure TLS 1.1 isn't enabled by default? I really hope you're wrong, or that they enable it by default in v24.

    IE11 will enable it by default for 1.1 and 1.2
    Chrome has it enabled for 1.1 and will add support for 1.2 in the next? version.
    Safari has 1.1 & 1.2 implemented and on by default in the latest version.

    Firefox is all that's left.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    Yes, I just installed the 23 update and checked it, it's disabled.
    I set security.tls.version.max to 2 and checked some sites that don't support 1.1 and 1.2 but it works fine so far o_O
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    That's good news as it implies that the next version will have both on by default.

    Odd that it works when setting a higher level and no fallback is implemented, maybe the option isn't functional?
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA


    Default fallback is SSL 3 ( security.tls.version.min = 0 )

    I'm not seeing that BoerenkoolMetWorst changed it....?
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,765
    Location:
    Outer space
    No I didn't, now I'm a bit confused :D I thought that if you enabled TLS 1.1, fallback doesn't work so that's why it's disabled by default until Mozilla fixes this. But with TLS 1.1 enabled, sites that do and don't support TLS 1.1 both work properly, so it seems to me that fallback works properly.
    So you're saying I should disable SSL 3 and TLS 1.0 so there is no fallback, and then in a later version Mozilla will fix TLS 1.2 and 1.1 and implement fallback to 1.0 and SSL 3 even if I disabled those?
     
  16. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    761
    Location:
    UK
    according to this page it doesnt, under caveats.

    Overall I think the implementation is a mess, there is a few valid reasons why someone eg. may want tls 1.1 but not tls 1.0 enabled. The lack of auto rollback is pretty bad but at least they plan to add it, thats the reason the default is disabled higher tls at the moment. Also with earlier posters I agree firefox seems to be at the moment continiosly been dumbed down with almost every new version removing configurable options.
     
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    for the past couple of months or so Firefox feels faster than Chrome.

    i don't know if it's Chrome getting more bloated or Firefox getting slimmer...
     
  18. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    hmmm, Click to Play does not work anymore.

    guess it's time to re-install NoScript. lol
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    To get click to play working, you need to change "plugins.click_to_play" to true in about:config. Personally, I don't use Click to play and prefer to use NoScript to handle the one and only plugin that I use (Flash).

    Bo
     
  20. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that alone does not work anymore.
    you also have to change the plugin.default.state from to 2 to 1

    from what i've gathered this should be fixed in v.24
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I have seen some test scores showing Fx faster than Chrome. In my experience on multiple computers Firefox & Maxthon both seem faster than Chrome. SeaMonkey doesn't seem much different either.
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    As far as I can tell, there's nothing to fix. If you change " plugins.click_to_play" to true, the option "Ask to activate" becomes available in the Firefox plugins drop down menus. I just tried it and it works, no need to change plugin.default.state from to 2 to 1.

    Bo
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
  24. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx!

    i'll go have a look. :)
     
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
Loading...
Thread Status:
Not open for further replies.