checking client-side ssl/tls

At the tail end of last year I mentioned a couple of tools I had used in my testing of SSL/TLS certificates used for trivia itself and my mail server. However, that post concentrated on the server side certificates and ignored the security, or otherwise, offered by the browser’s configuration. It is important to know the client side capability because without proper support there for the more secure ciphers it is pointless the server offering them in the handshake – the client-server interaction will simply negotiate downwards until both sides reach agreement on a capability. That capability may be sub-optimal.

A recent post to the Tor stackexchange site posed a question about the client side security offered by the TorBrowser Bundle v. 3.5 (which uses Firefox). The questioner had used the “howsmyssl” site to check the cipher suites which would be used by firefox in a TLS/SSL exchange and been disturbed to discover that it reportedly offered an insecure cipher (SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA). Sam Whited responded with a pointer to his blog post about improving FF’s use of TLS.

From that post, it appears that TLS 1.1 and 1.2 were off by default in FF versions prior to 27. Hence they would have been off in the TorBrowser Bundle as well.

Permanent link to this article: https://baldric.net/2014/02/12/checking-client-side-ssltls/