On 2018-06-09 10:57, Richard Owlett wrote:
> On 06/09/2018 09:29 AM, Steve Dunn wrote:
>> On 2018-06-08 15:02, Andy K wrote:
>>> In about:config, set security.tls.version.min to 2 to prevent
>>> protocols lower than TLS 1.1 from being used.
>>
>> This is fine if you only use the browser to access sites that are
>> compliant with payment industry standards. But most people use
>> browsers for more than just online banking etc., and some of those
>> sites may not support newer TLS versions.
>
> The vast majority of my transactions will be with my bank.
> Is it reasonable to presume they will use the later standard?

It should be, assuming that your bank takes PCI compliance seriously
(and if they don't take industry security standards seriously, that
should probably raise some other questions in your mind). And if that's
true, then you shouldn't need to disable TLS 1.0 on your browser to keep
your banking data safe. If the site you're connecting to only supports
1.1 and 1.2, your browser can't negotiate 1.0 with them, unless there's
a man-in-the-middle attack.
For that matter, in the absence of a man-in-the-middle attack, your
browser and the server should negotiate the highest mutually-supported
TLS version. So if your browser supports 1.0-1.2 (which I think is the
default configuration for SeaMonkey) and you're connecting to a site
that supports 1.0 and at least one of 1.1 and 1.2, you shouldn't get 1.0.
To be honest, I don't know how many sites still lack support for TLS
1.1 or higher. I have no doubt that there are some, either running
outdated software or configured by administrators who don't know a lot
about TLS versions, but have no idea if it's 0.001% or 1% or some other
number. You can always disable TLS 1.0, do your normal everyday
activities for a while, and see if any of the sites you use break.
-Steve
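
The negotiation rule described in the message above, as an added example that is not part of the original thread: a simplified Python model (no cipher suites, extensions or fallback retries) comparing `security.tls.version.min` set to 1 and to 2. The server profiles are constructed, and the 1.0-1.2 default range is the one the message assumes.

```python
# Added illustration: a simplified model of TLS version negotiation.
# It only models "pick the highest version both sides support".

# Pref values used by security.tls.version.min / security.tls.version.max
PREF_TO_VERSION = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def client_versions(pref_min, pref_max=3):
    """Versions the browser will accept for the given pref values."""
    return [PREF_TO_VERSION[p] for p in range(pref_min, pref_max + 1)]


def negotiate(pref_min, server_versions, pref_max=3):
    """Return the highest mutually supported version, or None if none exists."""
    server = set(server_versions)
    for version in reversed(client_versions(pref_min, pref_max)):
        if version in server:
            return version
    return None  # no overlap: the handshake fails and the site "breaks"


# Constructed server profiles, not measurements of real sites.
SERVERS = {
    "bank (1.1 and 1.2 only)": ["TLS 1.1", "TLS 1.2"],
    "typical site (1.0-1.2)": ["TLS 1.0", "TLS 1.1", "TLS 1.2"],
    "legacy site (1.0 only)": ["TLS 1.0"],
}


def compare(servers=SERVERS):
    """Outcome per server for min=1 (assumed default) and min=2 (hardened)."""
    return {name: (negotiate(1, v), negotiate(2, v)) for name, v in servers.items()}


if __name__ == "__main__":
    for name, (default, hardened) in compare().items():
        print(f"{name:26} min=1 -> {default or 'FAIL':8} min=2 -> {hardened or 'FAIL'}")
```

Only the endpoint that offers nothing above TLS 1.0 behaves differently between the two settings: with min=1 the connection falls to TLS 1.0, with min=2 it fails.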