On 6/11/18, Mason83 <root@dom.invalid> wrote:
> On 08/06/2018 21:02, Andy K wrote:
>
>> June 30, 2018 is the deadline for disabling SSL/early TLS and
>> implementing a more secure encryption protocol – TLS 1.1 or higher
>> (TLS v1.2 is strongly encouraged) in order to meet the PCI Data
>> Security Standard (PCI DSS) for safeguarding payment data.
>>
>> For Firefox and Seamonkey
>>
>> In about:config, set security.tls.version.min to 2 to prevent
>> protocols lower than TLS 1.1 from being used.
>>
>> Reference: http://kb.mozillazine.org/Security.tls.version.*
>
> FWIW, one of the largest banks in France seems to be stuck
> using TLS 1.0
>
> Trying to connect to https://particuliers.secure.lcl.fr/
> leads to this error message:
>
> """
> Secure Connection Failed
>
> An error occurred during a connection to particuliers.secure.lcl.fr.
>
> Peer using unsupported version of security protocol.
>
> Error code: SSL_ERROR_UNSUPPORTED_VERSION
>
> The page you are trying to view cannot be shown because the authenticity of
> the received data could not be verified.
>
>     Please contact the website owners to inform them of this problem.
> """
>
>
> https://www.ssllabs.com/ssltest/analyze.html?d=particuliers.secure.lcl.fr
>
> This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade
> capped to B.
> The server supports only older protocols, but not the current best TLS 1.2.
> Grade capped to C.
> This server accepts RC4 cipher, but only with older protocols. Grade capped
> to B.
> This server does not support Forward Secrecy with the reference browsers.
> Grade capped to B.
> This server does not support Authenticated encryption (AEAD) cipher suites.
> Grade capped to B.
>
>
> When will these people take security seriously?

When they're forced to?

On a related note, how are the https intercepting anti-virus vendors
doing these days?
I haven't found anything later than Feb 2017:
https://www.zdnet.com/article/google-and-mozillas-message-to-av-and-security-firms-stop-trashing-https/
   "In an evaluation of antivirus products that feature TLS
interception, only Avast AV 11 and AV 10 score an A grade, while all
others score a C or F. They award a C to products containing a known
TLS vulnerability, such as BEAST, FREAK, and Logjam; or an F for
products with a severely broken connection due to weak ciphers or not
validating certificates."

If you're concerned about online banking, it might be worth checking
  https://www.ssllabs.com/ssltest/viewMyClient.html

Lee
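As an added example (not part of this thread, and not Mozilla's or SSL Labs' code), the same version check the security.tls.version.min pref enforces, applied to a raw TLS ServerHello record: a TLS 1.0 hello choosing an RC4 suite, of the kind the SSL Labs findings above describe, is constructed inline rather than captured from any server. Python is assumed; the record layout follows RFC 5246/8446.

```python
import struct

# Firefox's security.tls.version.min value n maps to wire version 0x0300 + n
# (2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3).
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
RC4_SUITES = {0x0004, 0x0005, 0xC007, 0xC011}  # RSA/ECDHE RC4_128 suites

# Constructed sample, not a real capture: a TLS 1.0 ServerHello choosing
# TLS_RSA_WITH_RC4_128_SHA (0x0005), the kind of answer a legacy server gives.
LEGACY_HELLO = (bytes.fromhex("160301002a" "02000026" "0301")
                + bytes(32) + bytes.fromhex("00" "0005" "00"))

def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated version and cipher suite of one ServerHello record."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                      # server_version, 32-byte random
    pos += 1 + hs[pos]                # session_id length + session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                          # cipher suite + compression method
    # A TLS 1.3 server puts 0x0303 in legacy_version and the real version in
    # the supported_versions extension (type 0x002b), so look for it.
    if pos + 2 <= len(hs):
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "suite": suite}

def check_policy(hello: dict, tls_version_min: int = 2) -> list:
    """List what a client with security.tls.version.min=n would object to."""
    minimum = 0x0300 + tls_version_min
    name = lambda v: VERSION_NAMES.get(v, hex(v))
    findings = []
    if hello["version"] < minimum:
        findings.append("%s below minimum %s" % (name(hello["version"]), name(minimum)))
    if hello["suite"] in RC4_SUITES:
        findings.append("RC4 cipher suite 0x%04x" % hello["suite"])
    return findings
```

With the default of 2 the sample hello is rejected for its version, which is exactly the SSL_ERROR_UNSUPPORTED_VERSION outcome quoted above; lowering the pref to 1 leaves only the RC4 finding.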
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey