Re: Disabling SSL/TLS protocols to safeguard payment data
On 6/11/18, Mason83 wrote:
> On 08/06/2018 21:02, Andy K wrote:
>
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
>>
>> For Firefox and Seamonkey
>>
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>>
>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>
> FWIW, one of the largest banks in France seems to be stuck
> using TLS 1.0
>
> Trying to connect to https://particuliers.secure.lcl.fr/
> leads to this error message:
>
> """
> Secure Connection Failed
>
> An error occurred during a connection to particuliers.secure.lcl.fr.
>
> Peer using unsupported version of security protocol.
>
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>
> The page you are trying to view cannot be shown because the authenticity of
> the received data could not be verified.
>
> Please contact the website owners to inform them of this problem.
> """
>
> https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr
>
> This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade
> capped to B. MORE INFO »
> The server supports only older protocols, but not the current best TLS 1.2.
> Grade capped to C. MORE INFO »
> This server accepts RC4 cipher, but only with older protocols. Grade capped
> to B. MORE INFO »
> This server does not support Forward Secrecy with the reference browsers.
> Grade capped to B. MORE INFO »
> This server does not support Authenticated encryption (AEAD) cipher suites.
> Grade capped to B. MORE INFO »
>
> When will these people take security seriously?

When they're forced to?

On a related note, how are the https intercepting anti-virus vendors doing these days?
I haven't found anything later than Feb 2017:
https://www.zdnet.com/article/google-and-mozillas-message-to-av-and-security-firms-stop-trashing-https/

"In an evaluation of antivirus products that feature TLS interception, only Avast AV 11 and AV 10 score an A grade, while all others score a C or F. They award a C to products containing a known TLS vulnerability, such as BEAST, FREAK, and Logjam; or an F for products with a severely broken connection due to weak ciphers or not validating certificates."

If you're concerned about online banking, it might be worth checking
https://www.ssllabs.com/ssltest/viewMyClient.html

Lee
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
Re: Disabling SSL/TLS protocols to safeguard payment data
Mason83 wrote on 11/06/18 22:39:
> On 11/06/2018 14:32, Daniel wrote:
>> Mason83 wrote on 11/06/18 19:31:
>>> On 08/06/2018 21:02, Andy K wrote:
>>>
>>>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>>>> implementing a more secure encryption protocol – TLS 1.1 or higher
>>>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>>>> Security Standard (PCI DSS) for safeguarding payment data.
>>>>
>>>> For Firefox and Seamonkey
>>>>
>>>> In about:config, set security.tls.version.min to 2 to prevent
>>>> protocols lower than TLS 1.1 from being used.
>>>>
>>>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>>>
>>> FWIW, one of the largest banks in France seems to be stuck
>>> using TLS 1.0
>>>
>>> Trying to connect to https://particuliers.secure.lcl.fr/
>>> leads to this error message:
>>>
>>> """
>>> Secure Connection Failed
>>>
>>> An error occurred during a connection to particuliers.secure.lcl.fr.
>>>
>>> Peer using unsupported version of security protocol.
>>>
>>> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>>>
>>> The page you are trying to view cannot be shown because the authenticity of
>>> the received data could not be verified.
>>>
>>> Please contact the website owners to inform them of this problem.
>>> """
>>
>> So that's what it means!! ;-)
>>
>> Each day, when I download my e-mails, SM usually filters most of them
>> into the Trash folder (as I've set things up!). I then go through my
>> Trash folder and send copies of those e-mails to Spamcop.net and, often,
>> SM gives me a screen the same as yours, Mason. When I then re-send the
>> e-mail, things usually work fine!!
>>
>> Last week, I asked my ISP what was going on, and he said it was an error
>> on their server, then I mentioned that it usually worked second time
>> around. He replied that, second time around, it was probably getting to
>> a different server!
>>
>> Mason, did you try logging on again, i.e. clicking the "Resend" button
>> on that Error screen?? If so, does it work, second time around??
>
> I'm afraid there is nothing to "Resend" as I was just trying to load
> a web page, at URL https://particuliers.secure.lcl.fr/
>
> I suppose I can "Reload" but I suspect it will always fail
> (until TLS 1.0 is re-enabled).
>
> Regards.

Ah!! Valid Point! I'm trying to send stuff to a website, you're just trying to get to a website!

--
Daniel
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1 Build identifier: 20171016030418
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1 Build identifier: 20171015235623
Re: Disabling SSL/TLS protocols to safeguard payment data
On 11/06/2018 14:32, Daniel wrote:
> Mason83 wrote on 11/06/18 19:31:
>> On 08/06/2018 21:02, Andy K wrote:
>>
>>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>>> implementing a more secure encryption protocol – TLS 1.1 or higher
>>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>>> Security Standard (PCI DSS) for safeguarding payment data.
>>>
>>> For Firefox and Seamonkey
>>>
>>> In about:config, set security.tls.version.min to 2 to prevent
>>> protocols lower than TLS 1.1 from being used.
>>>
>>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>>
>> FWIW, one of the largest banks in France seems to be stuck
>> using TLS 1.0
>>
>> Trying to connect to https://particuliers.secure.lcl.fr/
>> leads to this error message:
>>
>> """
>> Secure Connection Failed
>>
>> An error occurred during a connection to particuliers.secure.lcl.fr.
>>
>> Peer using unsupported version of security protocol.
>>
>> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>>
>> The page you are trying to view cannot be shown because the authenticity of
>> the received data could not be verified.
>>
>> Please contact the website owners to inform them of this problem.
>> """
>
> So that's what it means!! ;-)
>
> Each day, when I download my e-mails, SM usually filters most of them
> into the Trash folder (as I've set things up!). I then go through my
> Trash folder and send copies of those e-mails to Spamcop.net and, often,
> SM gives me a screen the same as yours, Mason. When I then re-send the
> e-mail, things usually work fine!!
>
> Last week, I asked my ISP what was going on, and he said it was an error
> on their server, then I mentioned that it usually worked second time
> around. He replied that, second time around, it was probably getting to
> a different server!
>
> Mason, did you try logging on again, i.e. clicking the "Resend" button
> on that Error screen?? If so, does it work, second time around??

I'm afraid there is nothing to "Resend" as I was just trying to load
a web page, at URL https://particuliers.secure.lcl.fr/

I suppose I can "Reload" but I suspect it will always fail
(until TLS 1.0 is re-enabled).

Regards.
Re: Disabling SSL/TLS protocols to safeguard payment data
Mason83 wrote on 11/06/18 19:31:
> On 08/06/2018 21:02, Andy K wrote:
>
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
>>
>> For Firefox and Seamonkey
>>
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>>
>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>
> FWIW, one of the largest banks in France seems to be stuck
> using TLS 1.0
>
> Trying to connect to https://particuliers.secure.lcl.fr/
> leads to this error message:
>
> """
> Secure Connection Failed
>
> An error occurred during a connection to particuliers.secure.lcl.fr.
>
> Peer using unsupported version of security protocol.
>
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>
> The page you are trying to view cannot be shown because the authenticity of
> the received data could not be verified.
>
> Please contact the website owners to inform them of this problem.
> """

So that's what it means!! ;-)

Each day, when I download my e-mails, SM usually filters most of them into the Trash folder (as I've set things up!). I then go through my Trash folder and send copies of those e-mails to Spamcop.net and, often, SM gives me a screen the same as yours, Mason. When I then re-send the e-mail, things usually work fine!!

Last week, I asked my ISP what was going on, and he said it was an error on their server, then I mentioned that it usually worked second time around. He replied that, second time around, it was probably getting to a different server!

Mason, did you try logging on again, i.e. clicking the "Resend" button on that Error screen?? If so, does it work, second time around??

P.S. Until yesterday, I did have TLS 1.0 enabled, along with 1.1 and 1.2, but de-selected it yesterday, and the spamcop.net site still worked and/or failed today!!

--
Daniel
User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1 Build identifier: 20171016030418
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1 Build identifier: 20171015235623
Re: Disabling SSL/TLS protocols to safeguard payment data
On 08/06/2018 21:02, Andy K wrote:
> June 30, 2018 is the deadline for disabling SSL/early TLS and
> implementing a more secure encryption protocol – TLS 1.1 or higher
> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
> Security Standard (PCI DSS) for safeguarding payment data.
>
> For Firefox and Seamonkey
>
> In about:config, set security.tls.version.min to 2 to prevent
> protocols lower than TLS 1.1 from being used.
>
> Reference: http://kb.mozillazine.org/Security.tls.version.*

FWIW, one of the largest banks in France seems to be stuck
using TLS 1.0

Trying to connect to https://particuliers.secure.lcl.fr/
leads to this error message:

"""
Secure Connection Failed

An error occurred during a connection to particuliers.secure.lcl.fr.

Peer using unsupported version of security protocol.

Error code: SSL_ERROR_UNSUPPORTED_VERSION

The page you are trying to view cannot be shown because the authenticity of
the received data could not be verified.

Please contact the website owners to inform them of this problem.
"""

https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade
capped to B. MORE INFO »
The server supports only older protocols, but not the current best TLS 1.2.
Grade capped to C. MORE INFO »
This server accepts RC4 cipher, but only with older protocols. Grade capped
to B. MORE INFO »
This server does not support Forward Secrecy with the reference browsers.
Grade capped to B. MORE INFO »
This server does not support Authenticated encryption (AEAD) cipher suites.
Grade capped to B. MORE INFO »

When will these people take security seriously?

Regards.
Re: Disabling SSL/TLS protocols to safeguard payment data
On 2018-06-09 10:57, Richard Owlett wrote:
> On 06/09/2018 09:29 AM, Steve Dunn wrote:
>> On 2018-06-08 15:02, Andy K wrote:
>>> In about:config, set security.tls.version.min to 2 to prevent
>>> protocols lower than TLS 1.1 from being used.
>>
>> This is fine if you only use the browser to access sites that are
>> compliant with payment industry standards. But most people use browsers
>> for more than just online banking etc., and some of those sites may not
>> support newer TLS versions.
>
> The vast majority of my transaction will be with my bank.
> Is it reasonable to presume they will use the later standard?

It should be, assuming that your bank takes PCI compliance seriously (and if they don't take industry security standards seriously, that should probably raise some other questions in your mind). And if that's true, then you shouldn't need to disable TLS 1.0 on your browser to keep your banking data safe. If the site you're connecting to only supports 1.1 and 1.2, your browser can't negotiate 1.0 with them, unless there's a man-in-the-middle attack.

For that matter, in the absence of a man-in-the-middle attack, your browser and the server should negotiate the highest mutually-supported TLS version. So if your browser supports 1.0-1.2 (which I think is the default configuration for Seamonkey) and you're connecting to a site that supports 1.0 and at least one of 1.1 and 1.2, you shouldn't get 1.0.

To be honest, I don't know how many sites still lack support for TLS 1.1 or higher. I have no doubt that there are some, either running outdated software or configured by administrators who don't know a lot about TLS versions, but have no idea if it's 0.001% or 1% or some other number.

You can always disable TLS 1.0, do your normal everyday activities for a while, and see if any of the sites you use break.

-Steve
Re: Disabling SSL/TLS protocols to safeguard payment data
On 6/9/18, Richard Owlett wrote:
> On 06/09/2018 09:29 AM, Steve Dunn wrote:
>> On 2018-06-08 15:02, Andy K wrote:
>>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>>> implementing a more secure encryption protocol – TLS 1.1 or higher
>>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>>> Security Standard (PCI DSS) for safeguarding payment data.
>> [...]
>>> In about:config, set security.tls.version.min to 2 to prevent
>>> protocols lower than TLS 1.1 from being used.
>>
>> This is fine if you only use the browser to access sites that are
>> compliant with payment industry standards. But most people use browsers
>> for more than just online banking etc., and some of those sites may not
>> support newer TLS versions.
>
> The vast majority of my transaction will be with my bank.
> Is it reasonable to presume they will use the later standard?

Don't guess, see how well your bank does:
https://www.ssllabs.com/ssltest/index.html

>> So just remember that after making this
>> change, you will probably break your browser's ability to access some
>> sites;
>
> For the odd site that can use only the older standard, will I get an
> informative error message?

My recollection is no, you get something not terribly informative.
(I allowed SSLv3 for ages until archive.org finally upgraded)

I've got security.tls.version.min set to 3 and haven't found a site yet that fails - anyone know of a site that does TLS 1.1 but not TLS 1.2?

>> you'll either need to keep switching your TLS minimum version
>> back and forth, or use one browser for online banking etc. and a
>> different browser for other activities.
>
> Will having distinct profiles address the issue adequately?
> I currently use profiles that do/don't enable JavaScript and/or cookies
> for similar purpose.
> [I've a *NEGATIVE* view of both ;]

Yes, that should work.

Lee
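Steve's description of version negotiation (highest version both sides share, a hard failure when there is none) and Lee's advice to test the bank rather than guess can both be exercised from the command line. The script below is an added example for this thread, not code from the list or from Mozilla: it attempts one handshake per TLS version against a host (one probe per version, with both ends of the allowed range pinned) and then works out what each value of security.tls.version.min would produce against that server. The pref-to-version mapping (1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3) follows the mozillazine page Andy cited; the default host name and the sample outcome passed to supported_versions in the usage are made up for illustration.

```python
"""Probe which TLS versions a server accepts and model what the browser would do.

Added example for this thread (not from the list or Mozilla); standard library only,
Python 3.7+.  Certificate checking is disabled in the probe because the only
question asked is which protocol versions the server is willing to speak.
"""
import socket
import ssl

# ssl.TLSVersion is an IntEnum, so members order correctly and max() works on them.
TLS1_0 = ssl.TLSVersion.TLSv1
TLS1_1 = ssl.TLSVersion.TLSv1_1
TLS1_2 = ssl.TLSVersion.TLSv1_2
TLS1_3 = ssl.TLSVersion.TLSv1_3
PROBE_VERSIONS = (TLS1_0, TLS1_1, TLS1_2, TLS1_3)

# security.tls.version.min / .max as discussed in the thread:
# 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.
# Value 0 (SSL 3.0, ssl.TLSVersion.SSLv3) is deliberately not probed here.
PREF_TO_VERSION = {1: TLS1_0, 2: TLS1_1, 3: TLS1_2, 4: TLS1_3}


def browser_range(pref_min, pref_max=4):
    """Versions a browser offers for a given security.tls.version.min/.max pair."""
    low, high = PREF_TO_VERSION[pref_min], PREF_TO_VERSION[pref_max]
    return [v for v in PROBE_VERSIONS if low <= v <= high]


def negotiated_version(client_versions, server_versions):
    """Negotiation as Steve describes it: absent a man in the middle, both sides land on
    the highest version they have in common.  None means no overlap, which the browser
    surfaces as SSL_ERROR_UNSUPPORTED_VERSION."""
    shared = set(client_versions) & set(server_versions)
    return max(shared) if shared else None


def probe_server(host, port=443, timeout=5.0):
    """One handshake per TLS version, returning {version_name: outcome string}."""
    outcome = {}
    for version in PROBE_VERSIONS:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version   # pin both ends so only this version is offered
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            outcome[version.name] = "not available in local OpenSSL build"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    outcome[version.name] = "accepted (" + str(tls.version()) + ")"
        except ssl.SSLError as exc:
            # TLSV1_ALERT_PROTOCOL_VERSION / UNSUPPORTED_PROTOCOL: the server refused it.
            # NO_PROTOCOLS_AVAILABLE: the *local* OpenSSL security level refuses it,
            # so this says nothing about the server (common for 1.0/1.1 on OpenSSL 3).
            outcome[version.name] = "rejected: " + str(exc.reason or exc)
        except OSError as exc:
            outcome[version.name] = "connection failed: " + str(exc)
    return outcome


def supported_versions(outcome):
    """Reduce a probe_server() result to the set of versions the server accepted."""
    return {v for v in PROBE_VERSIONS if outcome.get(v.name, "").startswith("accepted")}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.ssllabs.com"  # placeholder host
    result = probe_server(host)
    for name, text in result.items():
        print(f"{name:8s} {text}")
    for pref in (1, 2, 3):
        v = negotiated_version(browser_range(pref), supported_versions(result))
        print(f"security.tls.version.min={pref}: "
              + (v.name if v else "SSL_ERROR_UNSUPPORTED_VERSION"))
```

Run it as `python3 tlsprobe.py particuliers.secure.lcl.fr` (or any host you care about). Two caveats a practitioner should keep in mind: a result of "rejected: NO_PROTOCOLS_AVAILABLE" for TLS 1.0 or 1.1 means the local OpenSSL refused to offer that version, not that the server did, so an old-protocol check needs a build that still speaks them; and a server can front different TLS stacks behind one name, as Daniel's "works the second time" experience with his ISP suggests, so a single probe is a sample, not a proof.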
Re: Disabling SSL/TLS protocols to safeguard payment data
On 06/09/2018 09:29 AM, Steve Dunn wrote:
> On 2018-06-08 15:02, Andy K wrote:
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
> [...]
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>
> This is fine if you only use the browser to access sites that are
> compliant with payment industry standards. But most people use browsers
> for more than just online banking etc., and some of those sites may not
> support newer TLS versions.

The vast majority of my transaction will be with my bank.
Is it reasonable to presume they will use the later standard?

> So just remember that after making this
> change, you will probably break your browser's ability to access some
> sites;

For the odd site that can use only the older standard, will I get an
informative error message?

> you'll either need to keep switching your TLS minimum version
> back and forth, or use one browser for online banking etc. and a
> different browser for other activities.

Will having distinct profiles address the issue adequately?
I currently use profiles that do/don't enable JavaScript and/or cookies
for similar purpose.
[I've a *NEGATIVE* view of both ;]

> -Steve
Re: Disabling SSL/TLS protocols to safeguard payment data
On 2018-06-08 15:02, Andy K wrote:
> June 30, 2018 is the deadline for disabling SSL/early TLS and
> implementing a more secure encryption protocol – TLS 1.1 or higher
> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
> Security Standard (PCI DSS) for safeguarding payment data.
[...]
> In about:config, set security.tls.version.min to 2 to prevent
> protocols lower than TLS 1.1 from being used.

This is fine if you only use the browser to access sites that are compliant with payment industry standards. But most people use browsers for more than just online banking etc., and some of those sites may not support newer TLS versions. So just remember that after making this change, you will probably break your browser's ability to access some sites; you'll either need to keep switching your TLS minimum version back and forth, or use one browser for online banking etc. and a different browser for other activities.

-Steve
Re: Disabling SSL/TLS protocols to safeguard payment data
On Friday, June 8, 2018 at 2:44:47 PM UTC-5, Paul B. Gallagher wrote:
> Andy K wrote:
>
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
>>
>> For Firefox and Seamonkey
>>
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>>
>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>
> You can also do this through the user interface:
> Edit | Preferences | Privacy & Security | SSL/TLS
> Uncheck the box for TLS 1.0.
>
> The two functions are equivalent; your way doesn't prevent the user from
> enabling TLS 1.0 later.
>
> --
> War doesn't determine who's right, just who's left.
> --
> Paul B. Gallagher

Interesting. Looks like either way could be overwritten.

Andy
Re: Disabling SSL/TLS protocols to safeguard payment data
Andy K wrote:
> June 30, 2018 is the deadline for disabling SSL/early TLS and
> implementing a more secure encryption protocol – TLS 1.1 or higher
> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
> Security Standard (PCI DSS) for safeguarding payment data.
>
> For Firefox and Seamonkey
>
> In about:config, set security.tls.version.min to 2 to prevent
> protocols lower than TLS 1.1 from being used.
>
> Reference: http://kb.mozillazine.org/Security.tls.version.*

You can also do this through the user interface:
Edit | Preferences | Privacy & Security | SSL/TLS
Uncheck the box for TLS 1.0.

The two functions are equivalent; your way doesn't prevent the user from enabling TLS 1.0 later.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher
Disabling SSL/TLS protocols to safeguard payment data
June 30, 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

For Firefox and Seamonkey

In about:config, set security.tls.version.min to 2 to prevent protocols lower than TLS 1.1 from being used.

Reference: http://kb.mozillazine.org/Security.tls.version.*