Browser Support • Re: Questions about security protocols and site access
The default for the lowest setting is actually TLS 1.0, not SSL 3.0.
Indeed, I just discovered that myself just earlier, together with something else very interesting (I'll send you a PM about that). But until then I didn't know (or have forgotten).
[...] I think setting the lowest setting to TLS 1.0 should be safe.
And so I did minutes ago. Hopefully it'll stick.
I just am vaguely aware that some modern websites will react very badly if they query the range of supported versions and see something like SSL 3.0 or lower rather than full-on TLS, and will then refuse the connection for no good reason.
So far I have not encountered such a situation, but then again I'm not browsing frantically over the whole Internet so it may be that I just didn't stumble into such sites. Or maybe the change to SSL 3.0 was too recent to have had the opportunity to do that.
There may be rare edge cases where you'd want SSL 3.0, but those will require manual overrides [...]
Haven't yet encountered such cases either but it would be nice to have an easy way at hand to specify custom options per site other than manually adding/modifying keys in about:config, when needed. I'm not even sure whether one can actually set the connection protocol for a specific site through manipulating said keys.
You should not be using SSL 3.0 unless there is a very explicit reason to do so.
Agreed. Thing is, I have no idea how and when that change (both to SSL 3.0) occurred - or, I might have a slight idea - will send you a PM too about that.
The reason sites might fail with SSL 3.0 as lowest is because handshakes are different, and IIRC we restricted graceful fallback of protocols to prevent known downgrade attacks a while back, [...] IOW it's complicated if you want to enable SSL 3.0 in 2026.
Understood. I did notice a few keys dealing with SSL connections, earlier while checking for settings, so I know what you mean.
You should be using at least TLS 1.0 anyway in website/server configurations (and preferably TLS 1.2) [...]
Right now lowest is set to TLS 1.0, at least for testing purposes. I'll probably/hopefully bump it up to TLS 1.2 at some point soon lest I forget.
would not surprise me in Linux land, where the latest trends have all revolved around cutting code out for "being old" regardless of compatibility
Sadly that's very true.