jannispinter / indicatetls

Addon for Mozilla Firefox that displays the TLS protocol version of websites you visit
https://addons.mozilla.org/firefox/addon/indicatetls/
Mozilla Public License 2.0

This website uses TLSv1.3 but content [...] less secure protocol versions. #11

Open rhardy613 opened 4 years ago

rhardy613 commented 4 years ago

Thanks for working on this plugin. I very much missed having connection details in Firefox. I am puzzled by something it reports though. On my personal home page I get a green 1.3 icon with a yellow ! reporting: "This website uses TLSv1.3 but includes content from services that only support less secure protocol versions." It only shows a single connection to the site but reports information that conflicts with what Firefox reports in its security tab, i.e. the addon reports TLSv1.2 Key exchange P256. This does NOT match what SSL Labs reports for the site. SSL Labs gives it an A+ and for Firefox 67+ it used TLS 1.3 TLS_AES_256_GCM_SHA384 ECDH x25519 with FS. The Cloudflare TLS 1.3 client side test also passes for my browser. The images on it are relative links that are all local to the server, so I don't know what it is talking about. Firefox reports the connection is encrypted using TLS_AES_256_GCM_SHA384, 256 bit keys, TLS 1.3. Any idea why it is reporting this? P.S. other than this, it would be nice if the cipher details, i.e. TLS_AES_256_GCM_SHA384, showed in the pop up.

jannispinter commented 4 years ago

Hi @rhardy613, this is odd. When the icon shows a yellow triangle, the extension should display multiple entries, with one that is TLS 1.3 and one that is TLS 1.2 (or older), to indicate that the main site is using TLS 1.3 but pulling resources (fonts, images, CSS) from other hosts with TLS 1.2 or older.

Can you try to refresh/reload the page (by pressing F5) and verify that the behaviour is still the same?

The cipher suite is shown as a tooltip by hovering over a table entry (because it takes up a lot of space).

d7415 commented 4 years ago

I found that during the upgrade process to TLSv1.3 this was shown for cached items - ctrl-F5 fixed it for me.

rhardy613 commented 4 years ago

The plugin did not show multiple connections. Everything was on one server. Wow, that worked, but it is a little crazy. F5 did nothing. Hitting CTRL-F5 on one page on the server fixed it for the whole server. I upgraded the server to TLS 1.3 several months ago, long before I found the add-in. I would never have imagined old cache data, especially on pages that have changed since the upgrade, would trigger this behavior. I suspect there was cache content for my server, e.g. icons or something, that predated the server upgrade, and the cache must have been brought in over TLS 1.2. The add-on just updated and it has a tab with the connection details clearly displayed. Thanks.

jannispinter commented 4 years ago

Thank you for bringing this up, I think this is related to #23 and #22. If we can fix #23, we may change the code such that we only look at the SecurityInfo of the main document (and not at the SecurityInfo of the resources, such as images and fonts, which are likely to be cached for longer periods).
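The following is an added example, not code from the indicatetls project, illustrating the mechanism discussed in this thread: a cached subresource carries the SecurityInfo of the connection that originally fetched it, so a favicon cached before a server's TLS 1.3 upgrade can make a TLS 1.3 page look "mixed". The `summarizeTab` function and the `SAMPLE` records are constructed for this example; the `ignoreCached` and `mainDocumentOnly` options correspond to the two ways of avoiding the false warning (skipping `fromCache` responses, or only consulting the main document, as proposed above). The wiring at the bottom assumes the Firefox `browser.webRequest.getSecurityInfo` API, which is only available from a blocking `onHeadersReceived` listener.

```javascript
// Added example (not the indicatetls project's code).
// Assumed Firefox facts: webRequest `details` carries `type`, `fromCache`
// and `tabId`; browser.webRequest.getSecurityInfo() returns an object whose
// `protocolVersion` is a string such as "TLSv1.2" or "TLSv1.3".
const TLS_RANK = { "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4 };

// records: [{ type, fromCache, protocolVersion }] collected for one tab.
// options.mainDocumentOnly: only consult the main document's SecurityInfo.
// options.ignoreCached: skip responses served from cache, whose SecurityInfo
// describes the (possibly pre-upgrade) connection that originally fetched them.
function summarizeTab(records, options = {}) {
  const main = records.find(r => r.type === "main_frame");
  if (!main || !(main.protocolVersion in TLS_RANK)) {
    return { version: "unknown", mixed: false, weakest: null };
  }
  let weakest = main.protocolVersion;
  if (!options.mainDocumentOnly) {
    for (const r of records) {
      if (r.type === "main_frame") continue;
      if (options.ignoreCached && r.fromCache) continue;
      if (!(r.protocolVersion in TLS_RANK)) continue;
      if (TLS_RANK[r.protocolVersion] < TLS_RANK[weakest]) weakest = r.protocolVersion;
    }
  }
  return { version: main.protocolVersion, mixed: weakest !== main.protocolVersion, weakest };
}

// Constructed sample mirroring the report: the document is TLS 1.3, but an
// icon cached before the server upgrade still reports TLSv1.2.
const SAMPLE = [
  { type: "main_frame", fromCache: false, protocolVersion: "TLSv1.3" },
  { type: "image", fromCache: true, protocolVersion: "TLSv1.2" },
  { type: "stylesheet", fromCache: false, protocolVersion: "TLSv1.3" },
];

// Background-script wiring; this branch only runs inside Firefox.
if (typeof browser !== "undefined" && browser.webRequest) {
  const perTab = new Map();
  browser.webRequest.onHeadersReceived.addListener(async details => {
    if (details.type === "main_frame") perTab.set(details.tabId, []); // new navigation
    const info = await browser.webRequest.getSecurityInfo(details.requestId, {});
    const list = perTab.get(details.tabId) || [];
    list.push({ type: details.type, fromCache: details.fromCache, protocolVersion: info.protocolVersion });
    perTab.set(details.tabId, list);
    console.log(details.tabId, summarizeTab(list, { ignoreCached: true }));
  }, { urls: ["https://*/*"] }, ["blocking"]);
}
```

With the sample records, the default evaluation flags the tab as mixed (weakest TLSv1.2), while either option yields a clean TLSv1.3 result, which is the state a Ctrl-F5 reload produced for the reporter.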