Tor Browser issue #40565 (Closed)
Issue created Jul 24, 2021 by Thorin (@thorin), Reporter

do something with security.tls.version.enable-deprecated

[1] https://www.ssllabs.com/ssl-pulse/

  • Protocol Support: 99.5% of sites support TLS 1.2
  • Best Protocol: TLS 1.0 + TLS 1.1 combined ~ 0.5%

From 150k sites based on Alexa top sites. I would assume the tail is very long, and the less popular a site is, the more likely it uses < TLS 1.2. Any way you shake it, 0.5% of a gazillion is still a lot.

Load https://tls-v1-0.badssl.com:1010/ . The resulting interstitial has a button to "Enable TLS 1.0 and 1.1". If you click it and continue, you proceed to the site (note: the padlock in the urlbar has a warning symbol, but it's not noticeable - black and white iconography and a tiny warning symbol). This change is not site specific, but a permanent catch-all. The pref security.tls.version.enable-deprecated gets flipped to true and all future downgrades happen silently .. we can do better than that, right?

Possible solutions

  • reset the pref at runtime (bootstrap? newnym?), so at least any change would be session only
  • lock the pref (and edit the interstitial, e.g. remove button and edit text)
  • wait for "TLS 1.0 and TLS 1.1 will be permanently disabled in a future release" to be handled upstream (boo!!)

@sysrqb
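As an added example (not Tor Browser's or Firefox's own code): a small Node.js audit that parses a Firefox-style prefs.js / user.js, reports whether the global TLS 1.0/1.1 override described above is set, and prints the autoconfig (mozilla.cfg) lockPref lines that implement the "lock the pref" option. The user_pref()/pref() line format, the numeric encoding of security.tls.version.min (1 = TLS 1.0 ... 4 = TLS 1.3, default 3) and the lockPref() autoconfig call are Firefox's; the assumption that enable-deprecated = true drops the floor to TLS 1.0 regardless of security.tls.version.min, the function names, and the sample prefs.js content are this example's own.

```javascript
// Added example, not Tor Browser or Firefox code: audit a Firefox-style
// prefs.js / user.js for the global TLS 1.0/1.1 override and emit the
// autoconfig lines that would lock it back down.

// security.tls.version.min / .max use Firefox's numeric encoding.
const TLS_VERSION_NAMES = { 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3" };

// Firefox's built-in default for security.tls.version.min (TLS 1.2 since Firefox 78).
const DEFAULT_TLS_MIN = 3;

// Matches pref("name", value); and user_pref("name", value); with a boolean,
// integer or string literal value. Comments and blank lines do not match.
const PREF_LINE =
  /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = {};
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    if (raw === "true" || raw === "false") prefs[name] = raw === "true";
    else if (raw.startsWith('"')) prefs[name] = JSON.parse(raw); // unescape the string literal
    else prefs[name] = parseInt(raw, 10);
    // A later line for the same pref wins, as when Firefox replays prefs.js.
  }
  return prefs;
}

// Assumption made by this example: when enable-deprecated is true the
// browser's floor drops to TLS 1.0 no matter what security.tls.version.min says.
function effectiveTlsMin(prefs) {
  const min = prefs["security.tls.version.min"] ?? DEFAULT_TLS_MIN;
  return prefs["security.tls.version.enable-deprecated"] === true ? Math.min(min, 1) : min;
}

function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const min = effectiveTlsMin(prefs);
  const deprecatedEnabled = prefs["security.tls.version.enable-deprecated"] === true;
  const findings = [];
  if (deprecatedEnabled) {
    findings.push("security.tls.version.enable-deprecated is true: TLS 1.0/1.1 re-enabled for every site");
  }
  if (min < 3) {
    findings.push(`effective minimum is ${TLS_VERSION_NAMES[min]}, below TLS 1.2`);
  }
  // Autoconfig (mozilla.cfg) lines implementing the "lock the pref" option:
  // lockPref() sets the value and prevents the UI (and the interstitial
  // button) from changing it.
  const lockLines = [
    'lockPref("security.tls.version.enable-deprecated", false);',
    'lockPref("security.tls.version.min", 3);',
  ];
  return {
    effectiveMin: min,
    effectiveMinName: TLS_VERSION_NAMES[min],
    deprecatedEnabled,
    findings,
    lockLines,
  };
}

// Constructed sample: what prefs.js looks like after someone clicks
// "Enable TLS 1.0 and 1.1" on the interstitial.
const SAMPLE_PREFS_JS = `
// Mozilla User Preferences
user_pref("security.tls.version.min", 3);
user_pref("browser.startup.homepage", "about:tor");
user_pref("security.tls.version.enable-deprecated", true);
`;

// Constructed sample: a profile that never took the override.
const CLEAN_PREFS_JS = `user_pref("security.tls.version.min", 3);\n`;

console.log(JSON.stringify(auditPrefs(SAMPLE_PREFS_JS), null, 2));
```

Run it against a real profile with `node audit.js < prefs.js`-style plumbing of your choice; the point is that a profile which has taken the interstitial's override reports an effective floor of TLS 1.0 even though security.tls.version.min still reads 3, which is exactly why the pref is easy to miss in a manual review.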
