1. 30

  2. 3

    For the lazy… My stock Firefox 26 (current stable) failed until I set security.tls.version.max to 3 and security.ssl3.rsa_fips_des_ede3_sha to false (in about:config)

    1. 1

      That’s interesting. Just to contrast, I’m using Firefox Nightly 29.0a1 (2014-01-06), and it passes with the default security config. It’s good to see that Mozilla is being proactive then. I wonder when these defaults were changed.

      1. 2

        It looks like they changed in Firefox 27, but I’m still on 26 and can’t confirm for sure.

    2. 3

      This looks like a reasonable quick rating of SSL clients. If you’d like to test an SSL server, the canonical tool is Qualys SSL Labs https://www.ssllabs.com/.

      Since it looks like this is targeted at non-browser clients, it’s worth noting that this won’t test the most common SSL mistake: not validating server certificates. Many HTTPS libraries won’t validate certificates by default for compatibility / since maintaining lists of CAs is hard, making it trivial to man-in-the-middle such applications.

      The examples from this 2012 paper “The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software” are a great read: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

      And by great, I mean terrifying.
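The "no certificate validation" failure mode this comment describes, as an added example using Python's standard `ssl` module (not code from the thread or the paper): the non-validating client configuration beside the validating one, plus a small audit that flags a context an application could be handed by a library. The helper names `insecure_context`, `hardened_context` and `audit_context` are assumed here; the TLS-version check reflects the `security.tls.version.max` setting discussed earlier in the thread.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The 'compatibility' configuration the comment warns about.

    The client completes the handshake with whoever answers, so an
    interposed host with any certificate is accepted silently.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # chain is never checked
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validating client: chain checked against the system trust store,
    certificate name matched against the host we asked for, TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons a context is MITM-able; an empty list means it
    validates the peer. Useful as a unit test around library-built contexts."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: the server's chain is never checked")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "minimum_version allows TLS < 1.2: legacy protocol versions negotiable")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        problems = audit_context(ctx)
        print(f"{name}: {'OK' if not problems else problems}")
```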