Hi,
In securing IceDragon from Poodle, Beast, and other SSL vulnerabilities, I first went to https://www.ssllabs.com/ssltest/viewMyClient.html, which told me I only had TLS 1.0 and SSL v3 enabled. I went into about:config, and I see the defaults are security.tls.version.min = 0 and max = 1.
I changed them to min = 1 and max = 3, and that URL now tells me I have only TLS 1.0, 1.1, and 1.2 enabled, which is good (we should all be disabling SSL2 and SSL3 in any browsers).
My question is why the default max is 1, with TLS 1.1 and 1.2 disabled? Are the disabled protocols actually supported by IceDragon?
Can you please set the default min to 1 in the next version, to follow Firefox’s lead? ("The POODLE Attack and the End of SSL 3.0", Mozilla Security Blog) Then you don’t have to get IceDragon up to FF v34 but you still close the SSL v3 vulnerabilities.
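
An added example, not part of the original post and not Comodo's or Mozilla's code: a Python check that reads the text of a profile's prefs.js and reports which protocol versions the two prefs above leave enabled. It assumes IceDragon stores overrides as Firefox-style `user_pref(...)` lines and that the value 2 means TLS 1.1; the defaults are the ones the post reports, and the sample profiles are constructed.

```python
import re

# Pref value -> protocol. 0, 1 and 3 follow from the post; 2 = TLS 1.1 is assumed.
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

# Defaults the post reports for this IceDragon build; prefs.js only records
# values the user changed, so a missing line means the default is in force.
DEFAULTS = {"security.tls.version.min": 0, "security.tls.version.max": 1}

# Matches active user_pref lines only; a line starting with // is skipped.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(security\.tls\.version\.(?:min|max))"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)

def audit(prefs_text, defaults=DEFAULTS):
    """Return the effective min/max, the enabled protocols and any findings."""
    values = dict(defaults)
    for name, raw in PREF_RE.findall(prefs_text):
        values[name] = int(raw)  # a later line overrides an earlier one
    lo = values["security.tls.version.min"]
    hi = values["security.tls.version.max"]
    enabled = [TLS_VERSIONS[v] for v in range(lo, hi + 1) if v in TLS_VERSIONS]
    findings = []
    if lo > hi:
        findings.append("min is greater than max: no protocol version is enabled")
    if "SSL 3.0" in enabled:
        findings.append("SSL 3.0 is enabled (POODLE): set security.tls.version.min to 1")
    if hi < 3:
        findings.append("TLS 1.2 is not enabled: set security.tls.version.max to 3")
    return {"min": lo, "max": hi, "enabled": enabled, "findings": findings}

# Constructed sample profiles (not taken from a real installation).
STOCK_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
// user_pref("security.tls.version.min", 1);
'''
HARDENED_PREFS = '''
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
'''

if __name__ == "__main__":
    for label, text in (("stock", STOCK_PREFS), ("hardened", HARDENED_PREFS)):
        report = audit(text)
        print(label, report["enabled"], report["findings"] or "OK")
```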