: K-Meleon Forum
You can talk about issues with k-meleon here.
[quote=guenter] [quote=gordon451] Ummmm... Some background: [quote=Wikipedia "Transport Layer Security"]TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade to SSL Version 3.0. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and SSL 3.0 do not interoperate."[/quote] TLS 1.1 and 1.2 both defeat the BEAST. You're right. FIPS="Federal Information Processing Standard", and FIPS 140-2 (which is what we're interested in) mandates (as far as I can see) a minimum of TLS 1.1 (SSL 3.2) and preferably TLS 1.2 (SSL 3.3). Looking at the FF and Chrome implementations, enabling FIPS means disabling TLS 1.0, SSL 2 and SSL 3. >Is it of any use to non US government users? Yes. They MUST use it. But we can get the benefit of client-side mandated security. Downside is that FIPS will break most websites that don't have TLS 1.1 or 1.2 -- but we can toggle provided we can get it to work in the first place. [/quote] 1.) I read Wikipedia already. 2.) To which FF/SM implementation of TLS 1.1 or better are You referring? Am I overlooking something on the two quoted linked pages? TLS 1.1: https://bugzilla.mozilla.org/show_bug.cgi?id=565047 TLS 1.2: https://bugzilla.mozilla.org/show_bug.cgi?id=480514 3.) So FIPS 140-2 will break 99% or so of non US government sites currently? Net Result: We get no protection instead of week protection? :( That is no improvement since the BEAST exploit needs 20-30 minutes to break TLS 1.0 protected sessions if I understand the reports about the proof of concept right. BTW The home-page of my bank for example has a time out after 12 minutes inertia. Apart from that, who'd use only a single channel for a save money transaction. I get a 6 digit pin/transaction number send to my cell phone. So a ptential attacker must compromise in a coordinated attack my PC and my cellphone security at the same time.[/quote]
K-Meleon forum is powered by