TLS 1.1 and Browser upgrades

Discussion in 'other security issues & news' started by beethoven, Jun 7, 2018.

  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,149
    I came across this page from Comodo
    https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation-browsers.php
    discussing the need to upgrade browsers with respect to TLS and SSL.
    What I don't understand is that the preferred option is to upgrade to the latest browsers but then I am getting the "scary" message that my browser is using TLS 1.0 despite having the latest browsers. Is this a matter of hype by Comodo or a misunderstanding with respect to what the latest browsers have set as the default setting. Do we really have to dive deep under the hood and manually make these changes?
     
  2. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    648
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    10,155
    Location:
    UK
  4. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,149
    so doing this test for Chrome and FF I get the result that my browsers (latest versions) do provide for protocols 1.2 and 1.1 but also 1.0. So if this protocol is weak, why is it still on by default in the latest browsers. Is everyone really expected to try to find a way to disable this manually? Or does a yes under TLS 1.0 only mean there is an issue if the higher versions are not available and the browser is clever enough to use the higher versions?
     
  5. yeyo

    yeyo Registered Member

    Joined:
    May 25, 2018
    Posts:
    6
    Location:
    Greenwich Meridian
    I think that it's supported by default for compatibility reasons, I don't know how many servers uses TLS 1.0 today but It has to be a significant ammount.

    To disable TLS 1.0 in FF, do the following:
    1. Go to "about:config".
    2. Search for "security.tls.version.min".
    3. Set value of the above property to "2".
    For Chrome, create a desktop shortcut and add the following argument "–ssl-version-min=tls1.1"

    In the HTTP/HTTPS protocol, server and client (FF, Chrome..) negotiate how they should stablish the comunication. Clients sure will try to use the latest version of the TLS/SSL protocol, but it depends on the version that the server have. So you are right, the browser "is clever enough to use the higher version" of the TLS/SSL protocol.
     
    Last edited: Jun 8, 2018
  6. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,149
    thanks Yeyo - how do you add the argument to the shortcut?
     
  7. yeyo

    yeyo Registered Member

    Joined:
    May 25, 2018
    Posts:
    6
    Location:
    Greenwich Meridian
    You're welcome!

    To add the argument to the shortcut, append it at the end of the path. For example if the path to Chrome is C:\Program Files (x86)\GoogleChrome\Application\chrome.exe, "the location of the item" in your shortcut, It would be as follows (quotes included):
    “C:\Program Files (x86)\GoogleChrome\Application\chrome.exe” –ssl-version-min=tls1.1

    Here is a pic for a better ilustration:
    https://i.imgur.com/5U4TDJ1.png
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,710
    Location:
    USA
    It doesn't effect Firefox or Chrome, but it's worth noting that TLS 1.0 can be disabled in Internet Options for Internet Explorer.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
    The problem isn't the browsers, it is the web sites. My bank web site for example, still uses TLS 1.0.:rolleyes:
     
  10. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,991
    Location:
    Slovakia
    Get a better bank. I mean seriously, if they neglect basics like that, who knows, what else they do not do behind the closed door. My online bank uses DigiCert SHA2 via TLS 1.2. :p
     

    Attached Files:

  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,710
    Location:
    USA
    One thing you could do is use a dedicated browser with TLS 1.0 support for the bank so you can disable TLS 1.0 in your other browser(s).
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,042
    Location:
    Outer space
    Very strange from Comodo. They say there are 2 ways to fix it. Upgrade your browser or disable TLS 1.0 manually. Do they expect the browser makers to disable TLS 1.0 by default in upcoming versions? Otherwise, upgrading your browser does not make a difference.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
    I decided to "take the bull by the horns" on this.

    Turns out only one section on the bank site requires TLS 1.0 - Online Bill Pay. This is so because the bank "turkeys" farm out its processing to another vendor. As it so happens when I was fooling around determining this, it must have raised a flag on their server since they hit me with a survey on site use when I tried to log off. So I posted in that "Listen Turkey Lurky, upgrade to TLS 1.1 in that web site section."

    Anyway, switching to TLS 1.0 in that section is easy in IE11. The diagnostic web page posted has a "Change" button that will take you to Advanced settings where TLS 1.0 can be enabled. You just have to remember to disable it when exiting from that web site section.
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy
    With Windows XP and I.E.8, the following test must be performed:

    https://www.howsmyssl.com/

    Here is my test:

    12.JPG

    Is it possible to insert your test with I.E.8?
    TH.:thumb:
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
    Here's my test using IE11. All this tests does TLS-wise is verify the maximum TLS level enabled within the browser. As far as IE8 goes, I believe it is TLS 1.1:

    SSL_Test.png
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy
    https://support.microsoft.com/en-us/help/4316682/cumulative-security-update-for-internet-explorer-kb4316682



    :thumb:;)
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
    This certainly doesn't sound like Win XP to me. Also why did you fail the howsmyssl.com test?
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy
    With I.E.8 ssllabs web page not work.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
    OK. You can use the POSReady 2009 update to enable TLS 1.2 on WIN XP:
    https://sockettools.com/kb/support-for-tls-1-2-on-windows-xp/

    Registry mod. details are given in the article.

    However, note this extract from the article:
    Why any one in their "right mind" would be using IE8 and Win XP to surf the web is beyond my comprehension.
     
    Last edited: Jun 11, 2018
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy
    You are right.:thumb:
    However, it is good to mention this possibility.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy

    The article is not correct.
    To add TLS 1.2 support to I.E.8 you need:

    KB4019276
    KB4316682


    The registry modify below:

    https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/?page=2
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,329
    Location:
    U.S.A.
    Per this thread:
    In other words, KB4019276 adds TLS 1.2 support to XP embedded and KB4316682 add TLS 1.2 support to IE8 running on XP Embedded. So unless you are using one of the XP Embedded vers., IE8 doesn't support TLS 1.2.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,263
    Location:
    Italy
    Et voilà.
    I deleted the 3 insecure ciphers.
    The test is now OK:


    300.JPG
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.