X
Thinta lapha ukuze uye kuveshini yamakhalekhukhwini kusayithi.

Isithangami Sabeseki

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

Three years on: When will we see TLS1.1 and TLS1.2 in Firefox?

Kuphostiwe

So three years on we still appear to be waiting for an answer!

My FF17 still only has options for SSL3.0 and TLS1.0 so presumably the 'Bug' 565047 and 480514 are still in the process of being resolved?

The problem is in the meantime, is that the recently the PCI people started flagging up BEAST as a FAIL. Other assessors may have already been doing this since June 2012 or earlier, but ours has just started it since their last report. Organisations wishing to be compliant must remove or disable certain ciphers from the server, forcing the connecting browser to use RC4. (Some assessors will permit prioritising but ours will fail us and force us to appeal after every assessment). We know FF supports RC4 so that's no problem, but pressure is also mounting to ensure that only SSL3.0, and TLS1.1/.12 are enabled at the server to ensure the best security posture and full compliance. For example in Windows 2008RC2 this is neccessary in order to mitigate against BEAST and our understanding is that this is what the MS12-006 patch does.

This means that browser support for TLS1.1 and TLS1.2 is now essential rather than optional. In the current climate we are forced to seriously consider banning and removing browsers that do not support the latest TLS versions from our workstations as these are now being regarded as non-compliant with the latest security standards.

So will someone at Mozilla therefore please answer the question : WHEN will support for TLS1.1 and TLS1.2 be available please?

If it is already available (and we missed it) then how do we ensure it is enable please?

Thanks.

So three years on we still appear to be waiting for an answer! My FF17 still only has options for SSL3.0 and TLS1.0 so presumably the 'Bug' 565047 and 480514 are still in the process of being resolved? The problem is in the meantime, is that the recently the PCI people started flagging up BEAST as a FAIL. Other assessors may have already been doing this since June 2012 or earlier, but ours has just started it since their last report. Organisations wishing to be compliant must remove or disable certain ciphers from the server, forcing the connecting browser to use RC4. (Some assessors will permit prioritising but ours will fail us and force us to appeal after every assessment). We know FF supports RC4 so that's no problem, but pressure is also mounting to ensure that only SSL3.0, and TLS1.1/.12 are enabled at the server to ensure the best security posture and full compliance. For example in Windows 2008RC2 this is neccessary in order to mitigate against BEAST and our understanding is that this is what the MS12-006 patch does. This means that browser support for TLS1.1 and TLS1.2 is now essential rather than optional. In the current climate we are forced to seriously consider banning and removing browsers that do not support the latest TLS versions from our workstations as these are now being regarded as non-compliant with the latest security standards. So will someone at Mozilla therefore please answer the question : WHEN will support for TLS1.1 and TLS1.2 be available please? If it is already available (and we missed it) then how do we ensure it is enable please? Thanks.

Eminye Imininingwane Yohlelo

Fakela amapulagi

  • Shockwave Flash 11.5 r502
  • Next Generation Java Plug-in 10.9.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • ActiveTouch General Plugin Container Version 105
  • Microsoft Lync 2010 Meeting Join Plug-in
  • Google Update
  • 4.1.10329.0
  • Foxit Reader Plug-In For Firefox and Netscape
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers
  • Office Plugin for Netscape Navigator

Isisebenziso

  • I-ejenti Engumsebenzisi: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0

Eminye Imininingwane

None. PCI compliance related request for information.

Impendulo Ewusizo

Previous (unresolved?) discussions on the subject: https://support.mozilla.org/en-US/questions/710646 https://support.mozilla.org/en-US/questions/781028 https://support.mozilla.org/en-US/questions/877528
Hiawatha 0 izisombululo 2 izimpendulo
Kuphostiwe

Impendulo Ewusizo

Firefox's SSL library (NSS) recently included support for TLS1.1. I thought this would be a perfect time to hear some feedback from Mozilla on this matter. But so far, no TLS1.1 support and not a single word about any planning. Seriously guys, this is a big disgrace. I'm really thinking about moving to Chrome, only because of this single but big issue.

Firefox's SSL library (NSS) recently included support for TLS1.1. I thought this would be a perfect time to hear some feedback from Mozilla on this matter. But so far, no TLS1.1 support and not a single word about any planning. Seriously guys, this is a big disgrace. I'm really thinking about moving to Chrome, only because of this single but big issue.
Hiawatha 0 izisombululo 2 izimpendulo
Kuphostiwe

Due to recently discovered problems with RC4, support for TLS 1.1 is crucial! Anybody from Mozilla finally willing to share some thoughts on this matter?

Due to recently discovered problems with RC4, support for TLS 1.1 is crucial! Anybody from Mozilla finally willing to share some thoughts on this matter?