[nSLUG] TLS/HTTPS

Joel Maxuel j.maxuel at gmail.com
Thu Apr 18 07:31:52 ADT 2019


I have encountered the reverse problem with modern browsers.  Firefox and
Chromium (and derivatives) don't like, or refuse to do, TLS 1.0 at this
point (Firefox needs a few security options flipped to resolve this,
Chromium has no workaround AFAIK).

FWIW, I do have a use case for this, and no, it's not for anything outside
my house, and for the times I use that browser otherwise, JavaScript
operates under a short whitelist.

Browsers change behaviour (Chrome has since moved or removed this detail,
however, if you can find the right version of any of the popular ones):
https://security.stackexchange.com/questions/19096/how-to-determine-if-a-browser-is-using-an-ssl-or-tls-connection#19097


For example, Slashdot now forwards HTTP traffic to HTTPS with "TLS 1.2, AES
with 256 bit encryption (High); ECDH_P384 with 256 bit exchange".

Alternatively, you can share (if comfortable in doing so) a couple websites
that you suspect have changed their base security settings (and we can look
at the HTTPS details).

--
Cheers,
Joel Maxuel

"One should strive to achieve, not sit in bitter regret."
 - Ronan Harris / Mark Jackson


On Thu, Apr 18, 2019 at 2:58 AM Mike Spencer <mspencer at tallships.ca> wrote:

>
> I'm encountering web sites that a browser won't talk to.  Variously,
> there's a report of a crypto mismatch or the remote site just closes
> the connection.
>
> Browsers both claim to support TLS 1.2.
>
> Are sites already requiring TLS 1.3? Or do some implementations use
> differing crypto protocols unsupported by others? Or something else?
>
> Is there a way, short of deciphering a packet sniffer's output (such
> as Wireshark) to get a report on what, exactly, happens in the setup
> negotiation for HTTPS?  wget(1) will report the HTTP headers but not what
> happens in the security setup phase.
>
> Is there a way to beat this up, understand what's going on, without
> reading a slew of RFCs?
>
> - Mike
>
> PS:
>
> I know, I know, "Do you have the latest browser available?"  No, I
> don't.  Every new version implements something I don't want that I
> have to try to disable or disables something I rely on forcing a
> work-around or abject submission.  I just learned about the "ping"
> attribute for anchor tags, one more thing to filter.
>
> --
> Michael Spencer                  Nova Scotia, Canada       .~.
>                                                            /V\
> mspencer at tallships.ca                                     /( )\
> http://home.tallships.ca/mspencer/                        ^^-^^
> _______________________________________________
> nSLUG mailing list
> nSLUG at nslug.ns.ca
> http://nslug.ns.ca/mailman/listinfo/nslug
>
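
Added example, not part of the original thread: the two failure modes Mike describes (a crypto-mismatch report, or the server simply closing the connection) and a successful negotiation can all be told apart from the first TLS record the server sends back. The function name, the lookup tables (a small subset of the registered values) and the sample bytes are constructed for illustration.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
SUITES = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # small subset only
          0x1302: "TLS_AES_256_GCM_SHA384"}

def describe_server_reply(data: bytes) -> str:
    """Summarise the first TLS record a server sends back after a ClientHello."""
    if not data:
        return "connection closed with no TLS reply"
    if len(data) < 5:
        return "truncated record"
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 21 and len(body) >= 2:           # alert record: level, description
        level = "fatal" if body[0] == 2 else "warning"
        return f"alert: {level} {ALERTS.get(body[1], body[1])}"
    if ctype != 22 or len(body) < 39 or body[0] != 2:
        return "not a ServerHello or alert"
    hello = body[4:]                             # skip msg_type(1) + length(3)
    version = struct.unpack("!H", hello[:2])[0]  # legacy version field
    pos = 34                                     # version(2) + random(32)
    pos += 1 + hello[pos]                        # session_id
    if pos + 3 > len(hello):
        return "truncated ServerHello"
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                     # cipher_suite(2) + compression(1)
    if pos + 2 <= len(hello):                    # extensions are optional before TLS 1.3
        end = min(len(hello), pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            if etype == 43 and elen == 2 and pos + 6 <= end:  # supported_versions
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return f"ServerHello: {VERSIONS.get(version, hex(version))}, {SUITES.get(suite, hex(suite))}"

def _record(hello: bytes) -> bytes:
    """Wrap a ServerHello body in handshake and record headers (for the samples)."""
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

# Constructed sample replies, not captured from any real site.
ALERT = bytes.fromhex("15030300020246")
TLS12 = _record(b"\x03\x03" + bytes(32) + b"\x00\xc0\x30\x00")
TLS13 = _record(b"\x03\x03" + bytes(32) + b"\x00\x13\x02\x00" + bytes.fromhex("0006002b00020304"))

if __name__ == "__main__":
    for sample in (ALERT, TLS12, TLS13, b""):
        print(describe_server_reply(sample))
```

A TLS 1.3 server still writes 0x0303 in the legacy version field, so the `supported_versions` extension has to be read to see the version actually chosen.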