How to disable SSL and the older TLS in Firefox?
Hi!
First of all, mods, if I chose the wrong category and this had to go in "customize settings and preferences" feel free to move it :)
So, for several reasons I decided to completely disable SSL and the old TLS 1.0 and 1.1. I still didn't decide if TLS 1.2 is still important or it's enough with 1.3 so for now I am leaving them both. I did this system wide, with PowerShell, following the instructions in THIS THIS article.
But then there's Firefox. I don't know if Firefox can establish SSL (or old TLS) connections despite the system "ban". But I came across THIS THIS article about how to enable TLS 1.3 in Firefox and when I went in about:config and I typed "security" I saw that there are a lot of voices with SSL and a lot more about TLS than just the security.tls.version.max mentioned in that article, so I am here to ask you what to do to be 1000% sure that all SSL and older TLS are completely disabled in Firefox, and that only TLS 1.3 is enabled.
If you have reasons to believe that disabling TLS 1.2 is not a good idea, let me know, but in THIS THIS article I've read that 1.3 is much better and it's anyway backwards compatible with 1.2 in case some server only supports 1.2, so I decided to leave only 1.3.
Thanks!
All Replies (6)
TyDraniu said
I'm not sure we're using older protocols. See https://browserleaks.com/tls to confirm.
Thanks, I had forgotten about that website, so useful. It doesn't show anything at all about SSL, so I suppose it's not active? It only shows TSL and it says that 1.2 and 1.3 are enabled, while the older ones aren't. Now, does this mean that Firefox can bypass the system wide settings? I mean, I have 1.2 disabled system wide... Anyway where it says "handshake" it says 1.3, so I guess this means that although 1.2 is enabled the active one is 1.3?
An off topic question which I don't think it's worth opening a new thread for, I had a look at the other things that browserleaks offer and in the canvas test it says 100% unique in their database. Is this how it is supposed to be to avoid fingerprinting? Is uniqueness not a bad thing for fingerprinting, which helps them identify you? And if so, how is this happening when I have the Enhanced Tracking Protection in FF in Custom with all cross sites cookies disabled and the tracking and fingerprinting option in "in all windows", and CanvasBlocker on top of that (although in the Stealth preset, which maybe doesn't block all fingerprinting in exchange for making it more difficult to spot that you are using anti-fingerprint, but still, it should not suck so much to make me 100% unique).
Thanks
Okulungisiwe
Just to know, are comments in this place held for review before they are posted? Because my reply to you disappeared after I sent it. So, this comment is also a test, if I see it posted immediately that's already an answer, although I still wouldn't know why the previous one wasn't posted. Hmm...
Ah, ok, so, this was posted, so I have no idea what happened to the previous one.
Ok, then, again:
thanks for the reply, I had forgotten about that website, super helpful.
So, supposedly it should show info about SSL and TSL but it wasn't saying anything about SSL. Does that mean that it's not even present or what?
About TLS it was saying that 1.2 and 1.3 are enabled, 1.0 and 1.1 are not. Now the question would be, does this mean that Firefox "bypass" the system wide settings? I mean, I have TLS 1.2 completely disabled system wide... Anyway, where it says "handshake" it shows 1.3. Am I correct to assume that this means that the active protocol is 1.3 and that 1.2 will only be used when a website can't do otherwise? Which bring to the next question: what happened to "1.3 is backwards compatible with 1.2"?
Oki, thanks :)
Firefox uses prefs in about:config to set maximum and the minimum TLS version (3:TLS 1.2; 4:TLS 1.3).
- security.tls.version.max (4)
- security.tls.version.min (3)
Note that Firefox comes with security.tls.version.enable-deprecated to enable TLS 1.0 and 1.1.
The TLS 1.1, 1.0 has been disabled by default since Firefox 78.0 and the option to enable TLS 1.0 and 1.1 was removed from the error page in Firefox 97.
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/ https://www.mozilla.org/firefox/78.0/releasenotes/
We have disabled TLS 1.0 and TLS 1.1 to improve your website connections. Sites that don't support TLS version 1.2 will now show an error page.
AlternativeTotal2211 said
Just to know, are comments in this place held for review before they are posted? Because my reply to you disappeared after I sent it. So, this comment is also a test, if I see it posted immediately that's already an answer, although I still wouldn't know why the previous one wasn't posted. Hmm
For non trusted contributors if you have a link in your reply that is not of a short whitelisted list of sites then it will likely get hidden as spam and needing approval. We have to do this as spammers do post spam links in their replies, often hidden with a period or comma so they may get missed if not for the auto-flag. Also just so you know, try not to use three of more periods like ... as it may trigger the auto flag of reply as spam.