If you’re running a Firefox version between 19 and 26 (the latest at the time of
this post), you’re probably using insecure SSL/TLS settings despite the fact
that Firefox has support for TLS 1.1/1.2. Luckily, it’s possible to quickly
fix this without sacrificing backwards compatibility. Simply visit
about:config and tweak the following settings:
security.ssl3.rsa_fips_des_ede3_sha    false
security.tls.version.max    3
This enables up-to-date versions of TLS that aren’t vulnerable to the BEAST attack, and disables a known-vulnerable SSL cipher that was discontinued with SSL3. If you’re using a FF version between 19 and 23, your max TLS version should be 2 instead, since FF did not support TLS 1.2 at that time. This should make your connections more secure for servers that support TLS 1.1 and 1.2.
If backwards compatibility isn’t important to you, you might also set
security.tls.version.min to 2 and disable ciphers that use DES, RC2, RC4, or
MD5 (disabling RC4 will probably be the most drastic change as far as website
compatibility is concerned).
Warning: this is disabled by default because Firefox is vulnerable to downgrade attacks (see issue 861310). This should also work for Thunderbird and other Mozilla-based products. More (up to date) information can be found on Mozilla’s KB. Expect this to be the default setting in Firefox 27/Mozilla 28 (see issue 733647).
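As an added illustration (not code from the original post), here is a small Python checker that applies the post's advice to a prefs.js/user.js file: it parses user_pref lines, picks the TLS maximum by Firefox version (2 for 19-23, 3 for 24 and later), and in strict mode also flags the backwards-incompatible settings. The sample prefs and the ecdhe_rsa_rc4_128_sha pref name are constructed for the example.

```python
import re
# security.tls.version.{min,max} values as Firefox encodes them:
# 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+)\);')
# Name fragments marking a DES, RC2, RC4 or MD5 suite among security.ssl3.* prefs.
WEAK_MARKERS = ("_des_", "_rc2_", "_rc4_", "_md5")

def recommended_max(firefox_version):
    """Highest security.tls.version.max the post recommends for a release."""
    if 19 <= firefox_version <= 23:
        return 2  # these releases lack TLS 1.2 support
    if firefox_version >= 24:
        return 3
    return None  # releases older than 19 are not covered by the post

def parse_prefs(text):
    """Parse user_pref(...) lines from a prefs.js/user.js into a dict."""
    prefs = {}
    for name, value in PREF_RE.findall(text):
        prefs[name] = value == "true" if value in ("true", "false") else int(value)
    return prefs

def audit(prefs, firefox_version, strict=False):
    """Prefs the post would change; strict=True adds the backwards-incompatible advice."""
    findings = []
    want_max = recommended_max(firefox_version)
    # A missing pref means the shipped default: max = 1 (TLS 1.0) in Firefox 19-26.
    if want_max is not None and prefs.get("security.tls.version.max", 1) < want_max:
        findings.append(f"security.tls.version.max should be {want_max}")
    if prefs.get("security.ssl3.rsa_fips_des_ede3_sha", True):
        findings.append("security.ssl3.rsa_fips_des_ede3_sha should be false")
    if strict:
        if prefs.get("security.tls.version.min", 0) < 2:
            findings.append("security.tls.version.min should be 2")
        for name, enabled in prefs.items():
            if (name.startswith("security.ssl3.") and enabled is True
                    and any(m in name for m in WEAK_MARKERS)):
                msg = f"{name} should be false"
                if msg not in findings:  # the FIPS 3DES pref may already be listed
                    findings.append(msg)
    return findings

# Constructed sample prefs.js content showing the insecure 2013-era defaults;
# the ecdhe_rsa_rc4_128_sha pref name is an assumption for illustration.
SAMPLE_PREFS = """\
user_pref("security.tls.version.max", 1);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", true);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
"""
```

Run `audit(parse_prefs(open("prefs.js").read()), 26, strict=True)` against a real profile to get the list of prefs to change in about:config.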
Update: TLS 1.1 and 1.2 are now on by default in Firefox 27
Disclaimer: This post is in no way endorsed by Mozilla, or its institutions or partners.