
Using SSL securely in your browser

The website How's My SSL shows you how your browser handles HTTPS connections. In the case of Firefox 24 it shows:

Your SSL client is Bad.

But how can you improve this? I wrote some hints below:

Firefox

I use Firefox 24, so everything below applies to this version. Future Firefox versions will bring some improvements, so some of these settings will become unnecessary.

All settings must be made in about:config; the regular configuration menu cannot handle them. Enter about:config into the address bar. Firefox prints a warning that changes can affect security, stability etc. I assume that none of the settings below has a negative impact. That's why I confirmed it and came to the next window.

The config window has a search bar and a listing of configuration settings. Enter tls.v (or tls.version) into the search bar. Now you see four or five results. The important options are security.tls.version.min and security.tls.version.max. Both lines have an integer value in the last column. It can be 0 (SSL 3.0), 1 (TLS 1.0), 2 (TLS 1.1) or 3 (TLS 1.2). You can change a value by double-clicking it. I'd change security.tls.version.min to at least 1 (better 2) and security.tls.version.max to 3. If you set the first value to 2, some pages might stop working because they only speak an older protocol. In any case, the minimum value should be 1, which is TLS version 1.0. You should contact the administrators of those pages and recommend that they move to a newer TLS version. I'd like to hear which sites are affected.

Firefox also uses some insecure cipher suites. Among others, the cipher SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is supported. To change that, enter fips into the about:config search bar. You should see one result. By double-clicking you can set it to False. Brian Smith pointed out that SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA is not insecure. In his pull request on GitHub he describes why this is the case.

When you reload the HowsMySSL page, you'll see a new result:

Your SSL client is Probably Okay.

Furthermore, I usually deactivate all RC4 cipher suites. I search for rc4 and set them all to False.
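To check a profile against the Firefox settings above without clicking through about:config, the following added example (not code from the original post) parses the `user_pref(...)` lines of a `prefs.js` or `user.js` file and lists every deviation. It assumes the usual one-pref-per-line file format; the sample content and the two cipher pref names in it are constructed for illustration. Because these files only store values that differ from the default, a missing pref is reported rather than treated as fine.

```python
import re

# Matches lines such as: user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

def parse_prefs(text):
    """Return {pref name: value} with booleans and integers decoded."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List deviations from the settings recommended in the post."""
    prefs, findings = parse_prefs(text), []
    for key, ok, want in (("min", lambda v: v >= 1, "at least 1 (better 2)"),
                          ("max", lambda v: v == 3, "3")):
        name = "security.tls.version." + key
        value = prefs.get(name)
        if not isinstance(value, int) or isinstance(value, bool):
            findings.append(f"{name}: not set in this file, browser default applies")
        elif not ok(value):
            findings.append(f"{name} = {value} ({TLS_NAMES.get(value, 'unknown')}), want {want}")
    for word in ("rc4", "fips"):  # same search terms as in about:config
        matching = {n: v for n, v in prefs.items() if word in n.lower()}
        for name in sorted(n for n, v in matching.items() if v is True):
            findings.append(f"{name}: still enabled, set to false")
        if not matching:
            findings.append(f"no '{word}' pref in this file, browser defaults apply")
    return findings

# Constructed sample; the cipher pref names are assumed for illustration.
SAMPLE = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", true);
'''

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

An empty result means the file sets every value the way the post recommends; a "not set" finding still has to be checked in about:config, since the file cannot show what the browser's default is.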

The Twitter user @andiheimann commented that the Tor Browser Bundle fails:

Tor has to balance anonymity and security. With those settings the anonymity set shrinks, and there might be some risks to the anonymity of a Tor user. That's why it is probably better to wait for the new Firefox version.

The Tor Project released version 4 of the Tor Browser Bundle. This version comes with Firefox 31 ESR and disables SSLv3.

Google Chrome and Chromium

Chrome and Chromium do a good job by default. Only when you want to disable RC4 do you have to call both with specific command line options:

In October 2014 Google announced the POODLE exploit. So you should use at least TLS 1.0 in your browser. This option does exactly this: --ssl-version-min=tls1.

Opera

When using Opera 12 with the SSL test site, it shows bad results. The recent Windows version 18 as well as Opera Next 19 are shown as »good«. If you see a bad result, press Ctrl+F12 to open the settings and navigate to »Advanced« --> »Security« --> »Security Protocols«. You should make sure that only TLS 1.1 and 1.2 are enabled. In the detail view you'll see all supported ciphers. Disable all ARC4-based ciphers.

A reload shows Opera as Improvable. This is caused by SSL Session Tickets. Unfortunately I found no setting for them. If you know where to find it, please leave a message.

Safari

Apple's browser is like Opera: Improvable. Here, too, SSL Session Tickets downgrade the result. As said before, if you know where to change this, please leave a message in the comment section.

Internet Explorer

Internet Explorer comes with support for SSLv3. To disable it, go to Internet Options and select the Advanced tab. Near the bottom you'll find a checkbox for using SSLv3. Uncheck and save it. You're done. :-)

Others

I'll add more browsers later.

Updates:

  1. Thanks to Brian for his comments on SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA and morphium for his comment on Opera
  2. Recommended TLS 1.0 in Chrome because of POODLE.
  3. Mention that Tor Browser 4 comes without SSLv3.
  4. Added info about IE
