Firefox is unable to update itself, or download the executable if only TLS1.3 is allowed (1.2 disabled)
Try this test first. Go to about:config, type TLS, and change the setting to max (4). Then attempt to download the Firefox installer. The website won't load, as the webmasters did not enable TLS 1.3, which in 2023 is kind of a shame. The browser cannot update itself automatically either if only TLS 1.3 is allowed and TLS 1.2 is disabled.
This can be an easy fix. I wonder why Mozilla did not solve this already years back. I also wonder why fans and security researchers did not scream about it in the past.
For download.mozilla.org, the cipher suite Key Exchange is P256, while the Signature is RSA-PKCS1-SHA512, for Transport Layer Security 1.2.
I'm sure Mozilla can do better than this, so kindly review these items, and update your website with stronger / modern encryption standards. Decommission the legacy ones please. While you are at it, please also enable HSTS. ;) Cheers!
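The failure described in the post above, seen from the client's side: a client that accepts only TLS 1.3 reads the version the server selected from the ServerHello and abandons the handshake if it is lower. The parser below is an added example, not part of the original post and not Mozilla's code; the two ServerHello records are constructed sample bytes and the function names are hypothetical.

```python
import struct

EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446, section 4.2.1
TLS12, TLS13 = 0x0303, 0x0304    # wire values for TLS 1.2 and TLS 1.3


def negotiated_version(record: bytes) -> int:
    """Return the protocol version selected by a ServerHello record."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    legacy_version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                 # legacy_version + random
    pos += 1 + body[pos]         # session_id length byte + session_id
    pos += 2 + 1                 # cipher_suite + compression_method
    if pos + 2 > len(body):      # TLS 1.2 hello without an extensions block
        return legacy_version
    ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            # A TLS 1.3 server keeps legacy_version at 0x0303 and puts the real choice here
            return struct.unpack_from("!H", body, pos + 4)[0]
        pos += 4 + ext_len
    return legacy_version


def client_accepts(record: bytes, min_version: int = TLS13) -> bool:
    # min_version=TLS13 models a client whose minimum TLS version is set to 4 (TLS 1.3)
    return negotiated_version(record) >= min_version


def _server_hello(cipher: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zero random, empty session_id)."""
    body = struct.pack("!H", TLS12) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a TLS 1.2-only server and a TLS 1.3 server
HELLO_TLS12 = _server_hello(0xC02F)
HELLO_TLS13 = _server_hello(0x1301, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13))
```

With the default minimum, `client_accepts(HELLO_TLS12)` is false and the handshake stops there; lowering `min_version` to `TLS12` makes the same record acceptable, which matches the poster's observation that the download works again with default settings.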
All Replies (5)
Just to check, you can download and install Firefox without making those changes...?
I would guess that the settings are as they are so that Firefox can work for many people across many sites and would be adjusted over time to make sure that people are secure. Changing settings now to a higher level may break the browsing experience for many people.
Hi Paul, I appreciate the prompt response! That was a surprise. Thanks ;)
I understand that backwards compatibility is important for the masses. However, what I would really like to see is "forward compatibility". Please be so kind as to escalate this suggestion to the engineers and webmasters at Mozilla.
I'm just one of the security engineers, who are working on the edge, using the latest available technology, and disabling old ones.
To demonstrate this, I've attached two screenshots. One is an ideal version, where TLS 1.2 and TLS 1.3 are simultaneously present. All the insecure protocols are disabled. This setting is what every internet user should strive for.
Then, on the second picture with the yellow items, those are the legacy cipher suites, that should be turned off.
PS: Back to your question, if I return to default settings, then the download works of course. Still, my goal would be that Mozilla leadership would consider supporting/upgrading to the latest standards. I don't mind if they keep backwards compatibility, but really those should be phased out.
Thanks once again, and have a great day!
The people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or developers. If you want to leave feedback for developers, you can go to the Firefox Help menu and select either Share ideas and feedback… or Submit feedback…, depending on your Firefox version. Alternatively, you can use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.
You can also file a bug report or feature request. See File a bug report or feature request for Mozilla products for details.
Excellent, thank you very much Paul! I'll contact them. Kind regards!
No problem, happy to help.