do something with security.tls.version.enable-deprecated
[1] https://www.ssllabs.com/ssl-pulse/
- Protocol Support: 99.5% of sites support TLS1.2
- Best Protocol: TLS1 + TLS1.1 combined ~ 0.5%
From 150k sites based on Alexa top sites. I would assume the tail is very long and the less popular a site the more likely it uses < TL1.2. Anyway you shake it, 0.5% of a gazillion is still a lot.
Load https://tls-v1-0.badssl.com:1010/ . The resulting interstitial has a button to Enable TLS 1.0 and 1.1 . If you click it and continue, you will continue to your site (note: the padlock in the urlbar has a warning symbol but it's not noticeable - black and white iconography and tiny warning symbol). This change is not site specific, but a permanent catch-all. The pref security.tls.version.enable-deprecated gets flipped to true and all future downgrades are silently downgraded .. we can do better than that, right?
Possible solutions
- reset the pref at runtime (bootstrap? newnym?), so at least any change would be session only
- lock the pref (and edit the interstitial, e.g. remove button and edit text)
- wait for "TLS 1.0 and TLS 1.1 will be permanently disabled in a future release" to be handled upstream (boo!!)