Showing results for tags 'tls'.



Found 8 results

  1. Mozilla re-enables TLS 1.0 and 1.1 because of Coronavirus (and Google)

     Mozilla released Firefox 74.0 Stable to the public on March 10, 2020. The new version of Firefox came with a number of changes and improvements; among them the deprecation of the security protocols TLS 1.0 and TLS 1.1 in the Firefox web browser. The functionality has not been removed from Firefox but the default status of both protocols has been set to disabled in Firefox 74.0 by Mozilla.

     A consortium of browser makers, among them Mozilla, Google, Microsoft and Apple, vowed to remove TLS 1.0 and 1.1 from their browsers in order to improve the security and performance of Internet connections by relying on TLS 1.2 and TLS 1.3 for secure connections.

     Mozilla has re-enabled TLS 1.0 and 1.1 in the Firefox Stable and Beta browser; it is unclear when Mozilla did that but an update on the Firefox release notes page highlights why the protocols have been enabled again. Mozilla notes:

     "We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information."

     According to the update posted on the release notes page, Mozilla made the decision because some government sites still rely on the old protocols. Mozilla does not provide any examples of government sites that still rely on these dated protocols. The organization's Site Compatibility site offers more details:

     "Mozilla is going to temporarily re-enable the TLS 1.0/1.1 support in Firefox 74 and 75 Beta. The preference change will be remotely applied to Firefox 74, which has already been shipped. This is because many people are currently forced to work at home and relying on online tools amid the novel coronavirus (COVID-19) outbreak, but some of critical government sites still don’t support TLS 1.2 yet."

     A new bug on Mozilla's bug tracking site provides additional information and another reason entirely. Mozilla highlights that Google postponed Chrome releases and that it is unlikely that Google will disable TLS 1.0 and 1.1 in the Chrome browser for the time being and that this would leave Firefox as the sole browser with the protocols disabled in the Stable version. The consequence is that Mozilla re-enabled TLS 1.0 and 1.1 in Firefox Stable and Firefox Beta.

     Firefox users may still disable the protocols manually in the browser by setting the preference security.tls.version.min to 3 to allow TLS 1.2 or higher only.

     Source: Mozilla re-enables TLS 1.0 and 1.1 because of Coronavirus (and Google) (gHacks - Martin Brinkmann)
  2. Firefox 74 will drop support for TLS 1.0 and TLS 1.1

     Version 74.0 of the Firefox web browser will drop support for the encryption protocols TLS 1.0 and TLS 1.1 entirely. Sites that don't support at least TLS 1.2 will show a "secure connection failed" error page when the change lands, preventing users from accessing the sites.

     Mozilla and other browser makers including Google, Microsoft and Apple revealed plans in 2018 to deprecate TLS 1.0 and TLS 1.1 in 2020 to improve the security and performance of Internet connections. The announcement was made well in advance to give webmasters and organizations time to migrate services that still used one of the protocols to a newer protocol.

     TLS 1.3 Final was published in 2018 and browser makers like Mozilla or Google implemented support for the new protocol in their browsers. All major web browsers support TLS 1.3 as of today.

     While support for better, more secure protocols is available, some sites have not migrated to using these protocols exclusively. A Mozilla scan in mid 2019 showed that about 8000 sites of a list with 1 million top sites did not support TLS 1.2 or higher. The count may be lower by now considering that another six months have passed since the scan was made.

     Starting in Firefox 74, sites that use TLS 1.1 or lower won't load anymore in the browser. The same will happen at around the same time in Google Chrome and other major browsers such as Microsoft Edge or Apple Safari.

     In Firefox, the browser will throw a "secure connection failed" error message with the error code "SSL_ERROR_UNSUPPORTED_VERSION" with no option of bypassing the error (because support for TLS 1.0 and 1.1 is removed from the browser).

     Sites that are actively maintained will likely be updated in time to support newer protocol versions so that connections to these sites won't be interrupted. Some sites, e.g. those that are not actively maintained anymore or cannot be updated to support newer protocol versions, won't work anymore once the change lands. Most Firefox users will see minimal disruption, if any, when Firefox is upgraded to version 74.0.

     Firefox 74.0 Stable is scheduled for a March 10, 2020 release.

     Source: Firefox 74 will drop support for TLS 1.0 and TLS 1.1 (gHacks - Martin Brinkmann)
  3. New TLS protocol extension will shorten the window an attacker has to perform a man-in-the-middle attack.

     Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF).

     The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection.

     The TLS Delegated Credentials extension was specifically developed for large website setups, such as Facebook, or for websites using content delivery networks (CDNs), such as Cloudflare.

     HOW TLS DELEGATED CREDENTIALS WORKS

     For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one.

     This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires.

     The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare's infrastructure must upload their TLS private key to Cloudflare's service, which then distributes it to thousands of servers across the world.

     The TLS Delegated Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key.

     The delegated credentials can live up to seven days and can be rotated automatically once they expire.

     TLS DELEGATED CREDENTIALS SHORTENS MITM ATTACK WINDOW

     The most important security improvement that comes with this new TLS extension is that if -- in the worst-case scenario -- an attacker does manage to hack a server, the stolen private key (actually a delegated credential) won't work for more than a few days, rather than weeks, months, or even a year, as it does now.

     You can read more in-depth technical explanations about the new TLS Delegated Credentials extensions on the Facebook, Mozilla, and Cloudflare blogs. The IETF draft specification is available here.

     TLS Delegated Credentials will be compatible with the TLS protocol v1.3 and later.

     Source: Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard (via ZDNet)
  4. TLS 1.0 and 1.1 deprecation: Chrome to display "your connection is not fully secure" warnings

     Google announced today how the company's Google Chrome web browser will handle sites that use the security protocols TLS 1.0 or TLS 1.1 in the future.

     Major browser developers including Google, Mozilla, Microsoft, and Apple revealed in 2019 that they would deprecate support for TLS 1.0 and TLS 1.1 in their web browsers. The decision was made to improve security and performance on the Internet. The protocols have no known security vulnerabilities but they don't support modern cryptographic algorithms either.

     Mozilla started to disable TLS 1.0 and TLS 1.1 in Firefox Nightly, the cutting edge development version of the Firefox web browser, a few days ago.

     Google Chrome Not Secure warnings

     Starting with Google Chrome 79, Chrome will give sites a "not secure" label if TLS 1.0 or TLS 1.1 is used. The main intention is to provide users and webmasters with information that they may act upon; webmasters need to enable TLS 1.2 or later on the server to address the issue.

     Starting with Google Chrome 81, Chrome will prevent connections to sites that use TLS 1.0 or TLS 1.1. The browser displays a warning page instead that reads "Your connection is not fully secure. This site uses an outdated security configuration, which may expose your information".

     A click on the "not secure" label displays the very same message when Chrome 79 lands.

     Chrome users may set an experimental flag in the browser to test the new warning functionality before Chrome 79 lands. Here is how that is done:

       1. Load chrome://flags in the browser's address bar.
       2. Search for Show security warnings for sites using legacy TLS versions. You may also search for just TLS to speed this up.
       3. Set the flag to enabled.
       4. Restart the Google Chrome web browser.

     Chrome will display the "not secure" label if a site uses TLS 1.0 or TLS 1.1. The change is visual in nature; users are not blocked from accessing the resource. Chrome displays warnings in the browser's built-in Developer Tools as well to inform webmasters and developers about the deprecation of earlier versions of TLS.

     Chrome 81 will block connections to sites that use TLS 1.0 or 1.1. The browser displays an interstitial warning to users.

     Enterprise admins may set policies to disallow TLS 1.0 or TLS 1.1 connections in Chrome or re-enable support for the older protocols until January 2021 when support is removed. Additional information on Chrome policies is found here.

     Source: TLS 1.0 and 1.1 deprecation: Chrome to display "your connection is not fully secure" warnings (gHacks - Martin Brinkmann)
  5. Mozilla disables TLS 1.0 and 1.1 in Firefox Nightly in preparation of deprecation

     Firefox maker Mozilla disabled support for the protocols TLS 1.0 and TLS 1.1 in recent versions of the Firefox Nightly web browser.

     Major browser makers such as Mozilla and Google announced in 2018 that support for the decade-old standards would be dropped in 2020 to improve the security and performance of Internet connections. Back then it was revealed that TLS 1.1 was used by 0.1% of all Internet connections; the number has likely gone down in the meantime.

     Transport Layer Security (TLS) is a security protocol used to encrypt Internet traffic; TLS 1.3 Final was published in 2018 and companies started to integrate the final version into browsers shortly thereafter. Mozilla started to enable TLS 1.3 in Firefox Stable in 2018, and other browser makers such as Google added support for the new protocol version as well.

     Tip: here is a way to determine if your browser supports TLS 1.3 and other security features.

     Firefox and TLS 1.0 and 1.1 deprecation

     Mozilla disabled support for TLS 1.0 and TLS 1.1 in Firefox Nightly in preparation for the deprecation in Firefox Stable in 2020. A quick check on an SSL Labs test site confirms that TLS 1.2 and 1.3 are the only supported protocols by the browser.

     Sites that support TLS 1.0 and/or TLS 1.1 but not TLS 1.2 or newer will fail to load and throw a "secure connection failed" error instead. The error code is SSL_ERROR_UNSUPPORTED_VERSION.

     Firefox users may override the limitation in the following way currently but that option will likely go away once the change lands in Firefox Stable in early 2020.

       1. Load about:config in the web browser's address bar.
       2. Confirm that you will be careful.
       3. Search for security.tls.version.min. The default value of the preference is set to 3 which means that Firefox accepts TLS 1.2 and higher only.
       4. Change the value to 2 to add support for TLS 1.1, or to 1 to add support for TLS 1.0.

     The screenshot below shows the default value of the preference.

     Sites, including the dashboard of modems, routers and other local peripheral devices, that support only TLS 1.1 or TLS 1.0 will load after you make the change.

     Closing Words

     TLS 1.0 and 1.1 support will be removed from browsers in early 2020. While that should mean minimal interruption for most users, some, especially those working in local Intranets and other non-Internet environments, may run into issues connecting to certain sites and devices that don't support newer protocol versions for one reason or another. Some browsers may keep support for TLS 1.0 and 1.1 enabled, and it is also possible to use an older version of a browser to connect to these sites.

     Source: Mozilla disables TLS 1.0 and 1.1 in Firefox Nightly in preparation of deprecation (gHacks - Martin Brinkmann)
  6. The final version of TLS 1.3 -- Transport Layer Security -- has been published by the IETF, the Internet Engineering Task Force, and popular browsers such as Firefox support it already (an earlier draft version and soon the final version).

     Tip: point your browser to the SSL/TLS capabilities test on SSLLabs to find out which versions your browser supports. Check the protocol features on the page to find out which protocols the browser supports. If you want to check out which TLS versions a server supports, run the company's SSL Server Test tool instead.

     TLS 1.3 is a major update to TLS 1.2 even though the minor increase of the version might indicate otherwise. Transport Layer Security is what is used by devices for secure transactions on the Internet. Basically, if you see HTTPS being used in the browser it is powered by TLS. Whether that is TLS 1.3 already or TLS 1.2 depends on the browser and the site that the browser connects to.

     Multiple drafts of the new TLS 1.3 specification were released in the past four or so years ever since work began in earnest on the new standard. Browser makers like Mozilla or Google implemented support for various draft versions and the functionality was considered experimental at that time.

     Some sites did make use of TLS 1.3 already; Mozilla notes that about 5% of Firefox connections use TLS 1.3 already and that companies like Google, Facebook or Cloudflare support TLS 1.3 already.

     Firefox supports a draft version that is essentially identical to the final published version. Mozilla plans to release the final version in Firefox 63 which the organization plans to release in October 2018.

     Google Chrome supports an earlier draft version already as well and will support the final version of TLS 1.3 in an upcoming version.

     Chrome and Firefox include options to manage TLS support in the browsers. Mozilla started to enable TLS 1.3 support in Firefox Stable in 2018.

     What makes TLS 1.3 special?

     TLS 1.3 is a major update of the standard that improves speed and security significantly. One of the main advantages of TLS 1.3 is that basic handshakes take a single round-trip compared to TLS 1.2's two round-trips. The time it takes to connect to servers that support TLS 1.3 is reduced because of that which means that web pages that support TLS 1.3 load faster in browsers that support the new standard.

     Security is improved as well in TLS 1.3 when compared to previous versions. TLS 1.3 focuses on some widely known and analyzed cryptographic algorithms while TLS 1.2 includes support for more algorithms of which some were exploited successfully in the past.

     TLS 1.3 encrypts most of the handshake next to that which improves privacy when connecting to servers as much of the information that is in the open when TLS 1.2 is used is now encrypted and unreadable while in transit.

     Cloudflare published a technical overview of TLS 1.3 on the company blog; a good read for anyone interested in the topic.

     Source
  7. Threats using SSL encryption are on the rise.

     An average of 60 percent of the transactions in the Zscaler cloud have been delivered over SSL/TLS. Researchers also found that the Zscaler cloud saw an average of 8.4 million SSL/TLS-based security blocks per day this year.

     “Hackers are increasingly using SSL to conceal device infections, shroud data exfiltration and hide botnet command and control communications. In fact, our study found that the amount of phishing attempts per day delivered over SSL/TLS has increased 400 percent from 2016,” said Deepen Desai, senior director, security research and operations.

     Malicious payload distributions

     ThreatLabZ researchers also identified new malicious payload distributions, based off unique payloads hitting the Zscaler Cloud Sandbox, leveraging SSL/TLS for command and control (C&C) activity. Banking Trojans comprised 60 percent of the payloads, including families like Dridex, Zbot, Vawtrak and Trickbot, while 25 percent were comprised of multiple ransomware families. Less popular payloads included Infostealer Trojan families and other miscellaneous families.

     Additional findings

       • The amount of malicious content being delivered over SSL/TLS has more than doubled in the last six months.
       • The Zscaler cloud blocked an average of 12,000 phishing attempts per day delivered over SSL/TLS—an increase of 400 percent from 2016.
       • New, increasingly sophisticated malware strains use SSL to encrypt their C&C mechanisms.
       • Zscaler saw an average of 300 hits per day for web exploits that included SSL as part of the infection chain.
       • The most prevalent malware family leveraging SSL-based callbacks was Dridex/Emotet, which contributed 34 percent of the total unique, new payloads in 2017.
       • New malicious payloads leveraging SSL/TLS for C&C activity:
           • 60 percent were comprised of multiple Banking Trojan families (Zbot, Vawtrak, Trickbot, etc.)
           • 25 percent were comprised of ransomware families
           • 12 percent were comprised of Infostealer Trojan families (Fareit, Papras, etc.)
           • 3 percent were from other miscellaneous families.

     Article source
  8. TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure.

     Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol. But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.

     The error message from Firefox 54 when a website does not support TLS 1.2 and it only supports TLS 1.2

     For the benefit of search engines, the error reads

     The security protocol it refers to is TLS.

     There are three problems, however, with this Firefox error message. For one thing, TLS 1.0 and 1.1, which the website is using, are indeed supported by Firefox - it's just that a particular instance of the browser was configured not to use them. And, annoyingly, the message does not say what unsupported version it encountered.

     Finally, the bottom of the message is a trap. Specifically, the note that "It looks like your network security settings might be causing this. Do you want the default settings to be restored?" along with the blue "Restore default settings" button. I consider this a trap because it resets Firefox to again accept the older, less secure TLS versions (1.0 and 1.1).

     The screen shot is from Firefox version 54 Windows, the error message on OS X is the same. On Android, however, Firefox 54 does not say that your network security settings are the issue and there is no button to restore the default settings.

     VERIFYING THE TWEAK

     You may go months before encountering a website that does not support TLS 1.2. In that case, how do you know the tweaking of Firefox really worked?

     In this blog I have repeatedly praised the SSL Server test from Qualys/SSL Labs. The same company also offers the reverse test. That is, rather than test websites, it tests your web browser.

     Visit the SSL Client Test site and the test runs automatically. Scroll down to the Protocols section. If the tweaking worked as expected, you should see a "Yes" for TLS 1.2 and a "No" for TLS 1.1, TLS 1.0, SSL 3 and SSL 2. That's good Defensive Computing. It also reports on TLS 1.3, but as this version is still in draft mode, it can be ignored.

     LIVE TESTING

     Tester pages are available at the badssl.com site, which is maintained by April King from Mozilla and Lucas Garron from Google. There are two test websites, one that only supports TLS version 1.1 and another that only supports version 1.0. They are

       TLS 1.1 => https://tls-v1-1.badssl.com:1011
       TLS 1.0 => https://tls-v1-0.badssl.com:1010

     If you try to load these pages in a normal web browser, all is well. But try to load them in a copy of Firefox that has been restricted to TLS 1.2 and they fail.

     Finally, is limiting Firefox to TLS 1.2 really worth the trouble? Qualys thinks so. At their SSL server test, any website that does not support TLS 1.2 can't score higher than a C. Deservedly so.

     Still to come: limiting Chrome and Internet Explorer to TLS 1.2, and doing the same with the Endless browser on iOS.

     Article source