SSL/TLS Settings

This section describes how to set your SSL/TLS preferences.

Privacy & Security Preferences - SSL/TLS

This section describes how to use the SSL/TLS preferences panel. If you are not already viewing the panel, follow these steps:

1. Open the &brandShortName; Edit menu and choose Preferences.
2. Under the Privacy & Security category, click SSL/TLS. (If no subcategories are visible, double-click Privacy & Security to expand the list.)

SSL/TLS Protocol Versions

The Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS) protocol, are standards which define rules governing mutual authentication between a website and browser software and the encryption of information that flows between them. They are also used for secure communication in various other protocols, e.g., for protection of sensitive information exchanged with email, calendar, or directory servers.

The SSL 2.0 and SSL 3.0 protocols are insecure and thus deprecated. The current TLS protocol is based on SSL but with its own version numbering. TLS 1.0 can be thought of as SSL 3.1, TLS 1.1 is in turn an update to TLS 1.0, etc. Newer protocols are preferred over older ones as they provide better security and more features. Older protocols are supported to ensure compatibility.

By default, &brandShortName; will select the most secure version which is widely supported to connect to the server. If that attempt doesn't succeed, it will try to connect with the next older version, etc., to the extent allowed by the settings in this panel. The connection will fail if no protocol supported by both sides is found. You can exclude older versions explicitly or allow newer versions which may not be widely supported yet with the following options:

• Enable: Check the TLS 1.0, TLS 1.1, TLS 1.2, and/or TLS 1.3 boxes to indicate which protocol versions can be used for a secure connection to a server.

Notes:

• At least one protocol version must be selected, thus it is not possible to uncheck the last remaining box.
• Also, the selection must be contiguous. It is not possible to select both TLS 1.0 and TLS 1.2 but to exclude the intermediate TLS 1.1 version.
• You can extend the range by multiple versions. For example, if only TLS 1.0 is currently checked and you select TLS 1.2, the TLS 1.1 version is automatically selected as well.
• Checkboxes may appear checked but grayed out if you cannot uncheck them without violating these rules. Uncheck the outermost boxes to regain access to an enclosed intermediate version.

SSL/TLS Warnings

It's easy to tell when the website you are viewing is using an encrypted connection. If the connection is encrypted, the lock icon in the lower-right corner of the browser window is locked (). If the connection is not encrypted, the lock icon is unlocked (). Encrypted pages which contain some unencrypted items (mixed content) are shown with a broken-lock icon ().

If you want additional warnings, you can select one or more of the warning checkboxes in the SSL/TLS preferences panel. Unless stated otherwise, a notification bar will be presented at the top of the page triggering the alert, with an option to enter this panel to change the option if the alert is considered annoying.

To activate any of these warnings, select the corresponding checkbox:

• Loading a page that supports encryption: Select this warning if you want to be reminded whenever you are loading a page that supports encryption.
• Leaving a page that supports encryption: Select this warning if you want to be reminded whenever you are leaving a page that supports encryption for one that does not.
• Sending form data from an unencrypted page to an unencrypted page: Select this warning if you want to be alerted whenever you are submitting data over an unencrypted connection. When this option is selected, a dialog box will be presented to the user before the page is actually opened, which allows the loading of the page to be canceled before any potentially sensitive information is sent over an unencrypted connection that can easily be intercepted by others.

  Note: Submitting a form from an encrypted to an unencrypted page will always prompt a dialog prior to opening the page, regardless of this setting.

Mixed Content

In general, there are two major issues related to transmitting sensitive information over an unencrypted connection: One is the danger of someone eavesdropping on the line, thus listening to the content transmitted; the other of someone intercepting requests for the desired page and replacing the legitimate content of that page with own (potentially malicious) content. While so-called Man In The Middle attacks can usually be detected in encrypted connections (e.g., by a certificate mismatch or an invalid certificate presented by the interceptor), no such verification exists for unencrypted connections.

The term Mixed Content refers to a web page which itself is encrypted, but which includes content on the same or a different server which is not encrypted. Consequently, this part of the page is still subject to the vulnerabilities of an unencrypted line. While there are legitimate uses of that concept (such as including a company logo from a different insecure website into an otherwise secure page), such designs should be avoided.

There are two general types of mixed content:

• Mixed Active Content (or Mixed Script Content): This is content which has the potential to hide or modify parts of a web page, or to actively leak content from the secure part of the page to its insecure part. Examples include scripts (JavaScript), style sheets (CSS), or the embedding of entire web pages into the main web page (iframes).
• Mixed Passive Content (or Mixed Display Content): This type of content does not have the potential to alter or monitor the web page as such. Examples include images and audio or video streams. It is however possible that sensitive information is passed as an encoding of the content's location (URL), as cookies, or returned with the content itself (e.g., as text included in an image). Thus, passive content isn't entirely harmless either.

The following options allow you to be warned about and/or to block both mixed active and mixed passive content:

• Warn me when encrypted pages contain insecure content: Check this to instruct &brandShortName; to present a notification bar when mixed active content was loaded or blocked. The notification bar contains a button to open this preference panel.
• Don't load insecure content on encrypted pages: Check this to prevent mixed active content from being loaded at all but to be blocked. If also the Warn me option is checked, the notification bar will contain two additional buttons:
  • Keep Blocking: Dismiss the notification bar without loading the potentially insecure content.
  • Unblock: Load the potentially insecure content once but not automatically when this page is visited again in the future.
  Note: The selection of Unblock for a specific site can be revoked in the Permissions tab of the Data Manager. When in a private window, these options aren't available in the notification bar.
• Warn me when encrypted pages contain other types of mixed content: Check this to instruct &brandShortName; to present a notification bar when mixed passive content was loaded or blocked. The notification bar contains a button to open this preference panel.
• Don't load other types of mixed content on encrypted pages: Check this to prevent mixed passive content from being loaded at all but to be blocked. If also the Warn me option is checked, a notification is presented that such content was blocked.

For short definitions, click authentication, encryption, or certificate.

For more information about ciphers and encryption, see the following online documents:

• Introduction to Public-Key Cryptography
• Introduction to SSL
• Technologies Available in the Network Security Services (NSS).