As many of you know, I set up my own email server back when Edward Snowden first leaked the story about the NSA's PRISM program. I wanted to get my email off Google, and not only make the server as secure as I could, but also make it so that the government couldn't request my emails from a third party with a national security letter without my knowledge.
Anyway, up until last month Firefox was the odd one out among the major browsers in speaking nothing newer than TLS 1.0 (Chrome and Internet Explorer could already negotiate TLS 1.1 or better). Since I don't use Internet Explorer, and I stopped using Chrome because of Google's involvement with the NSA, that really left me with Firefox. Since Firefox didn't support TLS 1.1 or TLS 1.2, I had to configure webmail on my server to use the less secure 128-bit RC4 cipher to make my server PCI compliant and mitigate the BEAST attack (BEAST targets CBC-mode ciphers under TLS 1.0, and RC4 is a stream cipher, which is why it was the usual server-side workaround at the time), not to mention being able to access it in Firefox at all.
That's all changed now. Like I said, last month Firefox 23 came out with TLS 1.1 support! The only catch is that it's not enabled by default (and note that this release adds only TLS 1.1, not TLS 1.2). To enable it you need to do the following:
- In Firefox, type about:config in the address bar and you will get a warning page about changing advanced settings
- Click the I'll be careful button to proceed
- Search for security.tls.version.max and change the value from 1 to 2 (1 means TLS 1.0 is the highest version Firefox will offer, 2 means TLS 1.1). The companion pref security.tls.version.min still defaults to 0, which is SSLv3, so this raises only the ceiling, not the floor.
That's exactly what I did on my email server. I configured GnuTLS to use 256-bit encryption and I disabled TLS 1.0, SSLv3 and below. I also disabled 128-bit RC4, and disabled RSA to force perfect forward secrecy.
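Both the Firefox pref above and the server-side policy come down to one question: which protocol version and cipher suite actually get negotiated when a client offers a given maximum version. The following is an added example, not code from the original post or from GnuTLS: it builds a bare TLS ClientHello that offers a chosen maximum version, parses the ServerHello (or alert) that comes back, and checks the result against the policy described in this post (nothing below TLS 1.1, no RC4, no plain-RSA key exchange so the session has forward secrecy). The cipher suite table is a hand-picked subset of the IANA registry, the ServerHello bytes used in the demo are constructed rather than captured from a real server, and the `probe` function (which needs network access and sends no SNI or other extensions, so some servers will answer with an alert) is an assumption about how you would point this at your own host.

```python
# Added example (not from the original post): minimal TLS ClientHello builder,
# ServerHello parser and policy check. Sample ServerHello bytes are constructed.
import socket
import struct

# Protocol versions as they appear on the wire: (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Subset of IANA cipher suite codes: code -> (name, key exchange, bulk cipher).
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "RSA", "RC4"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA", "RC4"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES-128-CBC"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "AES-256-CBC"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", "AES-256-CBC"),
    0x006B: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "DHE", "AES-256-CBC"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE", "AES-256-CBC"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE", "AES-256-GCM"),
}


def build_client_hello(max_version, cipher_suites, client_random=b"\x11" * 32):
    """Return a TLS record carrying a ClientHello that offers `max_version`
    (a (major, minor) tuple) and exactly the given cipher suite codes."""
    suites = b"".join(struct.pack("!H", code) for code in cipher_suites)
    body = (bytes(max_version)                      # client_version
            + client_random                         # 32-byte random (fixed here)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record-layer version stays TLS 1.0 for compatibility with old servers;
    # the version really being offered is client_version inside the handshake.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return (version, cipher_suite_code) from a record carrying a ServerHello.
    Raises ValueError for anything else, including an alert refusing the hello."""
    if len(record) < 5:
        raise ValueError("truncated record")
    content_type = record[0]
    rec_len = struct.unpack("!H", record[3:5])[0]
    if content_type == 0x15 and len(record) >= 7:              # alert record
        raise ValueError(f"server sent alert level={record[5]} description={record[6]}")
    if content_type != 0x16:                                    # not a handshake record
        raise ValueError(f"unexpected record type {content_type:#x}")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                            # type 2 = ServerHello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    offset = 35 + body[34]                    # skip version, 32-byte random, session_id
    if len(body) < offset + 3:
        raise ValueError("truncated ServerHello")
    return (body[0], body[1]), struct.unpack("!H", body[offset:offset + 2])[0]


def evaluate(version, cipher, min_version=(3, 2)):
    """Apply the policy; returns a list of findings, empty if the result is acceptable."""
    findings = []
    if version < min_version:
        findings.append(f"protocol {VERSIONS.get(version, version)} is below "
                        f"{VERSIONS[min_version]}")
    suite = CIPHER_SUITES.get(cipher)
    if suite is None:
        findings.append(f"unrecognised cipher suite {cipher:#06x}")
        return findings
    name, key_exchange, bulk = suite
    if bulk == "RC4":
        findings.append(f"{name} uses RC4")
    if key_exchange == "RSA":
        findings.append(f"{name} uses RSA key exchange, so no forward secrecy")
    return findings


def check_response(record, min_version=(3, 2)):
    """Parse a server's first record and apply the policy; a refusal becomes a finding."""
    try:
        version, cipher = parse_server_hello(record)
    except ValueError as exc:
        return [str(exc)]
    return evaluate(version, cipher, min_version)


def make_server_hello(version, cipher, server_random=b"\x22" * 32):
    """Constructed sample ServerHello (what a server under test would answer),
    so the example can run offline."""
    body = bytes(version) + server_random + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def probe(host, port=443, max_version=(3, 3), cipher_suites=tuple(CIPHER_SUITES)):
    """Live check against a real server (needs network; not run in the demo below).
    Offer only what the policy allows and expect a clean ServerHello; offer only what
    it forbids (e.g. max_version=(3, 1) with the RC4 suites) and expect an alert."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_client_hello(max_version, cipher_suites))
        return check_response(sock.recv(16384))   # first record: ServerHello or alert


if __name__ == "__main__":
    # Offline demo: a legacy server answering TLS 1.0 with RSA-RC4 versus one
    # hardened to TLS 1.1 with an ECDHE suite.
    for version, cipher in [((3, 1), 0x0005), ((3, 2), 0xC014)]:
        print(VERSIONS[version], CIPHER_SUITES[cipher][0],
              check_response(make_server_hello(version, cipher)) or "OK")
```

The useful way to run `probe` is twice: once offering only what you want to allow (TLS 1.1 and up, ECDHE/DHE suites) and expecting an empty finding list, and once offering only what you have disabled (TLS 1.0, the RC4 suites) and expecting the server to refuse with an alert rather than a ServerHello. A server that answers the second probe politely is still speaking the things you thought you had turned off.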
Are you going to force TLS 1.1 and TLS 1.2 now that Firefox supports it? Why or why not? Let us know in the comments.