[Update: 4th Feb 2014 - Firefox 27 enables TLS 1.1 and 1.2 by default now]
If you think your web browser is secure, think again. If you run over to How's My SSL?, you will get a quick summary of what your browser looks like to the outside world.
Even if you keep up with the current release version, you'll be surprised to find your browser will probably get the following report:
Your SSL client is Bad.
Why? Because the latest security features that your browser includes may be installed disabled.
This article from here on is Firefox specific... [Explorer 11 is supposedly fixed]
I was surprised to find that the latest version of Firefox (v26 at the time of writing this) is installed with modern crypto features turned off. What I'm talking about is called the Transport Layer Security (TLS), and this is the modern replacement to Secure Sockets Layer (SSL).
The problem is that Firefox (up to v26 at the time of writing this) still defaults to SSL 3.0 for the lowest type of encryption and TLS 1.0 as the highest type of encryption. SSL 3.0 is considered insecure, and TLS 1.0 is unable to use modern cipher suites that offer greater security and efficiency (which means it only uses older, less secure encryption and is vulnerable to the BEAST attack).
What we should be seeing is TLS 1.2 enabled. The good news is that this can easily be fixed. Type the following in the URL bar:
about:config
You should see a message about voiding your warranty. Read it carefully and click on "I'll be careful, I promise!"
In the search box at the top of the page (not the Search Engine search box!), type in:
security.tls.version.max
Right click and select modify, then replace the ’1′ with ’3′ to enable TLS 1.2.
You may also set the lowest allowed encryption by typing in:
security.tls.version.min
Replace the ’0′ with ’1′ to switch from SSL 3.0 to TLS 1.0.
Why these aren't standard in the current version is a mystery (something to do with backwards compatibility and not breaking things - but I'm not convinced). However, if you're still curious, Mozilla have full documentation of these features here:
http://kb.mozillazine.org/Security.tls.version.*
Wait, there's more...
Checking with How's My SSL? will still return the "bad" error message. The other problem is that Firefox still enables support for the SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA cipher, which is known to be insecure. This is easily fixed, and again, this can be disabled via the about:config page.
This time, type in:
security.ssl3.rsa_fips_des_ede3_sha
Double click on it to disable it. Done.
Now run back to How's My SSL? and check to see how your browser does. You should get the following message:
Your SSL client is Probably Okay.
And that's as good as it gets right now.