Mozilla Begins To Move Towards HTTPS-Only Web
jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
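The summary says that with HSTS and the `upgrade-insecure-requests` CSP directive a legacy "http" link can be turned into an "https" request by the browser itself. The following is an added example (mine, not Mozilla's code and not part of the article) that models those two mechanisms: an HSTS store that is filled only from headers received over HTTPS, the parent-domain walk for `includeSubDomains`, expiry of entries, and the URL rewrite a page's `upgrade-insecure-requests` directive triggers for its subresources. Host names and header values are constructed sample data.

```python
"""Added example (not from the article or from Mozilla): how a browser
turns legacy "http" URLs into "https" requests without breaking links.

Two mechanisms the summary mentions are modelled here:
  * HSTS (Strict-Transport-Security): once a host has sent this header
    over HTTPS, the browser remembers it and rewrites every later
    http:// URL for that host (and, with includeSubDomains, its
    subdomains) to https:// before the request leaves the machine.
  * Content-Security-Policy: upgrade-insecure-requests: a page that
    sends this directive asks the browser to fetch the page's own
    http:// subresources over https:// instead.
All host names and header values below are constructed sample data.
"""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """In-memory HSTS cache keyed by host name (a constructed stand-in
    for a browser's persistent list of observed HSTS hosts)."""

    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, now=None):
        """Record an STS header received over a *secure* connection.
        RFC 6797 requires browsers to ignore the header when it arrives
        over plain HTTP, so callers must only pass HTTPS responses."""
        now = time.time() if now is None else now
        max_age = None
        include_sub = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            value = value.strip().strip('"')
            if name == "max-age" and value.isdigit():
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # malformed header (no max-age): ignored
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 deletes the entry
            return True
        self._entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an
        unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then parents
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue  # expired entry does not count
            if i == 0 or include_sub:
                return True
        return False


def upgrade_url(url, store, page_upgrades_insecure=False, now=None):
    """Return the URL the browser should actually fetch.

    An http:// URL is rewritten to https:// when its host is in the HSTS
    store, or when the embedding page sent
    Content-Security-Policy: upgrade-insecure-requests. Other schemes and
    already-secure URLs come back unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    if not (page_upgrades_insecure or store.is_known(host, now)):
        return url
    # Port 80 becomes 443 (the https default); an explicit other port is
    # kept, which is what upgrade-insecure-requests specifies. Userinfo
    # in the URL is dropped for simplicity in this example.
    netloc = parts.netloc if parts.port not in (None, 80) else host
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The point worth noticing is the ordering: the HSTS entry is only ever learned from an HTTPS response, so the very first visit to a host over plain HTTP is still unprotected unless the host is in the browser's preload list; the rewrite then protects every later visit until the entry expires.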
More wildcard certs for me to buy.
If my website just serves up public data that I don't care about the government seeing, you're going to disable new features on it anyway? Seems a bit extreme.
== Jez ==
Do you miss Firefox? Try Pale Moon.
First, you introduce "features" like https://bugzilla.mozilla.org/show_bug.cgi?id=435013 and then you want to block the rest of pages the mighty Mozilla Security Council does not approve?? Get stuffed.
When I hear that Mozilla is removing http
No more http://slashdot.org?
So where does that leave home users who use self encrypted certificates? These are currently untrusted and I'm not paying a big chunk of money for the little server I run that my friends and I use to collaborate.
If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.
This HTTP website is best viewed with...
IE >= 11
Chrome >= 42
Firefox <= 37
A lot of content out there is benign, or crackable - what you want to make sure of is that you're connecting to the site you intended, and that the content you're getting is what's intended. What the content actually IS (cat memes) can be less important.
Two years after Snowden's revelations we're seeing a reality come to pass. After the NSA swept its most damning indictments under the rug, after Congress gave a sigh and a shrug and stifled a syrupy belch from the afternoon's filet mignon lunch, we still see this change. After the TV spotlights were turned back to fashion trends, civil unrest, diet pills and other nonesuch, this persisted despite the best effort, and it's extremely unfortunate.
Instead of watching discourse spread and meaningful legislation come to pass, we're watching a largely uninformed electorate occasionally mistake Snowden for Assange on national television, and the elected officials who are charged with our protection bungle through bills that don't really do much of anything. We're seeing the alternative that no nation wants, and that alternative is a two-tier us-versus-them system in which groups of dedicated hackers fight back. It sets the stage for good-versus-bad, and the determinant for this assertion to eventually become the existence of crypto or passwords and one's general willingness to divulge them in the face of an overwhelming yet unconstitutional authoritarian presence.
Expect three-letter government organizations to get frustrated, and angry, very quickly. Aaron Swartz was a prime example of how, in the future, citizens who act to protect themselves with crypto and security will face the bureaucratic version of biblical retribution in the form of endless charges, indefinite espionage, and a litany of convictable offenses that would result in a lifetime of imprisonment for anyone who dares not to divulge their password.
Good people go to bed earlier.
There's still no opportunistic encryption in HTTPS. Does that mean I'm going to have to buy a TLS certificate for my printer every year?
So Mozilla you do not want me to use your browser? You are going to cripple your browser for your perceived 'better' agenda.
I was thinking that.
The goal of this effort is also to send a message to the web developer community that they need to be secure.
No, Mozilla.
The message this sends to the web developer community is "Don't bother with Mozilla because no one will keep using it so just develop for browsers that actually get used."
In the free world the media isn't government run; the government is media run.
I fully support this proposal. In addition to APIs, I'd like to propose prohibiting caching any resources loaded over insecure HTTP, regardless of Cache-Control header, in Phase 2.N. The reasons are:
1) MITM can pollute users' HTTP cache, by modifying some JavaScript files with a long time cache control max-age.
2) It won't break any websites, just some performance penalty for them.
3) Many website operators and users avoid using HTTPS, since they believe HTTPS is much slower than plaintext HTTP. After deprecating HTTP cache, this argument will be more wrong.
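Point 1 above is the substance of the proposal: a script fetched over plain HTTP can be rewritten on the path, and if the rewritten copy arrives with a long `max-age` the browser keeps serving the tampered copy from its cache long after the attacker is gone. The following is an added example (mine, not the commenter's and not Firefox code) with a toy browser cache that parses `Cache-Control`, runs that scenario under the current behaviour, and then under the proposed "never store anything fetched over http://" rule. URLs, bodies and header values are constructed.

```python
"""Added example (mine, not the commenter's or Mozilla's code): a toy
browser cache that shows the cache-poisoning risk the comment describes
and the proposed rule of never caching insecure-HTTP responses.
All URLs, bodies and header values are constructed sample data.
"""
from urllib.parse import urlsplit


def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: value-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') if val else None
    return directives


def freshness_lifetime(headers):
    """Seconds the response may be served from cache (max-age only, in
    the spirit of RFC 7234; no-store and no-cache both yield 0)."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    max_age = cc.get("max-age")
    return int(max_age) if max_age and max_age.isdigit() else 0


class BrowserCache:
    def __init__(self, cache_insecure=True):
        # cache_insecure=False is the behaviour the comment proposes:
        # responses fetched over http:// are never stored, whatever
        # Cache-Control says.
        self.cache_insecure = cache_insecure
        self._store = {}  # url -> (expires_at, body)

    def store(self, url, headers, body, now):
        """Return True if the response was cached."""
        if urlsplit(url).scheme != "https" and not self.cache_insecure:
            return False
        lifetime = freshness_lifetime(headers)
        if lifetime <= 0:
            return False
        self._store[url] = (now + lifetime, body)
        return True

    def lookup(self, url, now):
        """Return the cached body, or None if absent or stale."""
        entry = self._store.get(url)
        if entry is None or entry[0] <= now:
            return None
        return entry[1]


def simulate_poisoning(cache_insecure):
    """Run the scenario against a cache with the given policy and return
    the script the victim's browser would execute on a later visit."""
    cache = BrowserCache(cache_insecure=cache_insecure)
    url = "http://cdn.example.test/lib.js"  # constructed, plain HTTP
    genuine = "console.log('genuine library');"
    tampered = "alert('tampered');"
    # Visit 1, on a hostile network: the on-path attacker rewrites the
    # script and pins it in the cache for a year.
    cache.store(url, {"Cache-Control": "max-age=31536000"}, tampered, now=0)
    # Visit 2, a month later, on a clean network: the origin would serve
    # the genuine file, but the browser consults its cache first.
    cached = cache.lookup(url, now=30 * 86400)
    return cached if cached is not None else genuine
```

With `cache_insecure=True` (today's behaviour) the tampered script survives the network change; with the proposed rule the cache is empty for the `http://` URL and the genuine file is fetched. The cost the other replies raise is visible in `store()` too: every `http://` resource is re-downloaded on every visit.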
I'm sure the users will appreciate the extra traffic!
I can see 1 being a thing, but 2 is a penalty for the end-user on metered connections, and 3 is an argument for "Mozilla is much slower than [insert browser here]".
Mozilla used to be the Savior of the Web. But after these last few years, I fear they've lost that role.
The UI changes to Firefox were totally unwanted, and have pretty much killed it as a product. Its share of the market keeps dropping and dropping. When we look at global web browser usage stats like these, we see that Firefox is now maybe 10% of the market, if even that. Chrome for Android alone, Chrome 41 alone and Chrome 40 alone each have about the same or more users than all versions of Firefox. Heck, even IE 11 alone and Safari have about the same number of users these days.
Mozilla has also engaged in numerous other half-arsed efforts, like Firefox OS and Persona, that nobody wants. Every review I've seen of Firefox OS has been negative. Nobody likes it, and nobody wants it, even the third-worlders they've had to resort to targeting it to. With Android, iOS, and so many other alternatives that are so much better, why the heck would anyone sensible use Firefox OS? The only reason to use it is to try to conform with some weird fringe ideology that worships HTML5/JS/CSS above all else, even above usable, working applications.
Then there was the whole Eich debacle. Regardless of your stance, it's pretty disgusting that somebody had to lose his job merely because of his beliefs regarding same-sex marriages. It would be considered unacceptable if a homosexual was forced out of a job for supporting same-sex marriage, and it should be considered just as unacceptable if a heterosexual was forced out of a job for not supporting same-sex marriage. This is no place for hypocrisy or double standards.
Now there's this shit that will cause headaches and problems for so many Web users.
We need a new organization to save us, and the Web, from Mozilla. We need an organization that will put out a usable browser. We need an organization that focuses on doing what's right, and what the Web community wants, rather than what it wants. We need an organization that will listen and respect its users, rather than trampling on them and ignoring their pleas. We need a new Savior, and we need it now.
Now, if EVERY browser did this, that's another story.
Well, I've put in a similar request with Chrome.
I hope they give a setting choice similar to:
* Block all non-HTTPS sites
* Prompt on all non-HTTPS sites (view/no-view confirmation, perhaps with a "remember choice for this site" option.)
* Automatically allow all non-HTTPS sites, with a yellow warning bar and disabling of JavaScript.
* Automatically allow all non-HTTPS sites, with a yellow warning bar.
* Automatically allow all non-HTTPS sites, withOUT a warning bar.
(There may be a way to simplify this by putting some of the questions in the warning bar.)
Mozilla has gotten brazen lately about forcing questionable changes on users in the name of progress (per their view of "progress"). This includes forced tabs*, goofy search bar "split" (eventually fixed), and disabling "back" on POST forms (instead of prompting). They gave very round-about and fishy reasons for all 3 of these.
* Fortunately somebody created a "Hide tab bar for 1 tab" addon. Thank You, Fixers!
Table-ized A.I.
Unintended Affordances (or why I believe encrypting everything is a bad idea) is worth a read on this.
I am not sure I agree on every point, but it's well thought out post.
HTTP needs to be phased out, but that doesn't mean everything needs to be encrypted. A lot of sites serve static content that's not a secret to anyone. Even in an encrypted stream, the contents of static files aren't really a secret. What you don't want is some man in the middle intercepting your request for some static file and responding with something malicious like the Great Cannon.
If static content were signed with the server's cert, its authenticity could be verified more cheaply than with HTTPS. This would also leave open the possibility for network caching, which benefits hosts and ISPs, and reduces traffic on the entire route. You'd want the content signing to cover the HTTP headers, and probably require an "expires" header.
With this approach, you could red flag all HTTP traffic as insecure, and signed traffic could be shown as normal.
Trying to mix content is more of a problem. It may be possible to securely deliver HTTPS dynamic content mixed with just-signed static content, but that'd probably get screwed up too often to leave that option open.
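The two requirements in that proposal (the signature must cover the headers, and an expiry must be present) are the parts that are easy to get wrong, so here is an added example (mine, not the commenter's design and not any deployed protocol) that makes them concrete. The comment proposes signing with the server's certificate key; to keep this runnable with only the standard library, the signature here is an HMAC under a shared key, an explicitly substituted stand-in that covers exactly the same bytes a public-key signature would. Everything in `run_demo()` is constructed.

```python
"""Added example (mine, not the commenter's design): what "sign the static
content, headers included, and require Expires" looks like as code.

The signature is an HMAC with a shared key, a stand-in for the public-key
signature over the server's certificate key that the real scheme would
use. What matters is the canonical form: selected response headers are
signed together with the body, so neither can be altered on the path, and
a response without a future Expires is rejected, so a cached or replayed
copy cannot outlive its validity. All data is constructed.
"""
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Headers included in the signed material (constructed choice).
SIGNED_HEADERS = ("Content-Type", "Expires", "Cache-Control")


def canonical(headers, body):
    """Deterministic bytes covering the signed headers and the body."""
    lines = ["%s: %s" % (name.lower(), headers.get(name, "").strip())
             for name in SIGNED_HEADERS]
    return ("\n".join(lines) + "\n\n").encode() + body


def sign(key, headers, body):
    return hmac.new(key, canonical(headers, body), hashlib.sha256).hexdigest()


def verify(key, headers, body, signature, now):
    """Return (ok, reason). Expiry is checked before the signature so that
    an unsigned-but-expired response is still reported as expired."""
    expires = headers.get("Expires")
    if not expires:
        return False, "missing Expires"
    try:
        exp_time = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return False, "unparsable Expires"
    if exp_time.tzinfo is None:  # HTTP dates are GMT; treat naive as UTC
        exp_time = exp_time.replace(tzinfo=timezone.utc)
    if exp_time <= now:
        return False, "expired"
    expected = sign(key, headers, body)
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


def run_demo():
    """Constructed scenario; returns the verify() reason for each case."""
    key = b"constructed-shared-key"
    now = datetime(2015, 5, 1, tzinfo=timezone.utc)
    headers = {
        "Content-Type": "text/javascript",
        "Expires": format_datetime(now + timedelta(days=1), usegmt=True),
        "Cache-Control": "max-age=86400",
    }
    body = b"console.log('genuine static file');"
    sig = sign(key, headers, body)
    no_expires = {k: v for k, v in headers.items() if k != "Expires"}
    return {
        "intact": verify(key, headers, body, sig, now)[1],
        "body_tampered": verify(key, headers, b"alert('tampered')", sig, now)[1],
        "header_tampered": verify(key, dict(headers, **{"Content-Type": "text/html"}),
                                  body, sig, now)[1],
        "replayed_late": verify(key, headers, body, sig, now + timedelta(days=2))[1],
        "no_expires": verify(key, no_expires, body, sig, now)[1],
    }
```

The `header_tampered` case is why the comment insists on covering headers: an intermediary that left the body alone but changed `Content-Type` (or `Cache-Control`) could still change how the client treats the file, and a body-only signature would not notice.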
Okay, but if you're going to do that, you might want to throw out all the incredibly dire warnings about self-signed certificates. Nobody should be forced to pay a cartel for SSL certificates.
Instead, throw out the dire warnings when the self-signed certificates aren't correct, such as when it changes.
HTTPS is all well and good, but the certificate situation is just a mess. Currently, essentially any CA can issue a certificate for any website anywhere. That means that every time you surf, you are placing your trust in literally hundreds of CAs.
Meanwhile, self-signed certificates bring up horrendous warnings, or are simply refused. The chance of verifying a self-signed certificate (for example, getting the fingerprint via another channel) are a lot better than the chance of verifying that some random CA hasn't been bribed or pressured.
Can we please fix this mess, along the way to making HTTPS standard?
Enjoy life! This is not a dress rehearsal.
Wireshark is a useful debugging tool. The ability to snap off encryption to analyze things at the wire is a lifesaver.
That said, if I'm debugging something a browser is doing, the developer console is usually better anyway. There remains the case where you are trying to debug a tester's experience without access to their browser, but the scenarios where that is true *and* it would be a good idea to disable TLS are limited. Being able to disable encryption is more important for clients that aren't so developer-enabled.
XML is like violence. If it doesn't solve the problem, use more.
While TLS *could* be secure, I've been in too many discussions where it is assumed to be the only way to be secure and that it is secure in spite of the current state of CAs and the practical behavior of internal servers with respect to certificates.
There really needs to be more critical discussion along this front, as I see quite reasonable security strategies that fare well in the *real* world torn up and replaced with TLS because of an idealized view of how it could be implemented.
Doesn't that depend on the configuration and purpose? If the HTTP server's running on my own machine and the URL is "http://localhost/...", am I automatically insecure because I can't get an SSL certificate for "localhost"? And how would an attacker not already on my machine exploit this?
If I can't test the full capabilities of a Web site because the browser won't let me, I'm going to have to switch browsers and relegate Firefox to testing-only just like IE is currently.
There are still plenty of clients out there that support neither SNI nor IP6, so the implication of everyone going to SSL is that everyone needs a static IP4 address. That sounds unsustainable to me.
It would be nice if they focused on fixing the certificate authority structure by supporting DANE, using DNS records to indicate certificates. Even though there is plenty of interest at https://bugzilla.mozilla.org/s... , Mozilla doesn't seem interested in solving this problem:
https://bugzilla.mozilla.org/s...
Thanks, Mozilla, for yet another reason to stop using Firefox.
Just decouple the traffic encryption and the identity verification already.
All hope abandon ye who enter here.
Can't upgrade since it causes me to be locked out of the Windows domains at work if I go to 37.
[John]
Shit better not happen!
You almost got the message correctly. The right message is that no one should ever develop for Mozilla, or Chrome, or Internet Explorer, or Opera, or any other browser in particular. Developers should be able to develop using standards, and the browsers should correctly display content based on standards.
So ... when did http cease to be a standard?
My bank still insists on using RC4 ciphers and TLS 1.
If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.
What bank is this? There's nothing wrong with public shaming in cases like this, in fact it does the world a service.
Also, you should seriously consider switching banks. Your post prompted me to check the banks I use. One is great, one is okay. I'll watch the okay one.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
My bank still insists on using RC4 ciphers and TLS 1.
If Firefox were to stop supporting the bank's insecure website, it would surely get their attention better than I've been able to.
As others have pointed out, they might claim that the latest Firefox was defective and encourage users to stay at an old version or switch browsers "until it is fixed". Once such decisions are written into policy, front line workers unwittingly protect the decision makers from having to find out that they were wrong. They will simply 'teach' the users one-by-one to 'fix the problem' by installing a different browser.
It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous. It could start with a subtle change in the lock icon, then a mild click through warning, then a warning with a scary graphic and phrases such as "proceed at your own risk".
The idea is to get the message in front of as many Firefox using customers as possible before the businesses are aware of it. This makes it instantly a "a well-known security flaw in our website" rather than a "known problem with a version of Firefox used by two customers".
At that point they can either fix their website or block Firefox. But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.
Um, you write: "[CA] could issue a bogus certificate in your name whether you work with them or not" and also "Your CA being in the US isn't a risk".
That's kind of a contradiction. Ok, so where my CA is located isn't the issue, but given "National Security Letters" and all, I'd say allowing any CA in the US to issue certificates is a risk, at least for non-US domains.
Car analogy time: Mozilla wants everyone to use paved roads so car drivers can see hazards more effectively.
Continued car analogy: Mozilla, to this end, builds a car that shuts down when you try to drive it on a dirt road. Why would anybody want to buy a car that did that?
You should find another bank.
Yep. There are plenty of banks to choose from that - whatever their other flaws - at least take security seriously. If your bank can't or won't lock down their website, then you already know that they're negligent in at least one area. What else are they neglecting?
Dewey, what part of this looks like authorities should be involved?
If you look you will find that pretty much every bank has RC4 as their top cipher in the list. This is due to the fact that, while relatively weak, there are no known attacks against the cipher itself (other than brute force).
My eyes reflect the stars and a smile lights up my face.
Universal encryption is much better for us consumers than the current situation.
What current situation? Care to clarify? Most of current day total 0wnage of Internet users has nothing to do with insecure transports and will continue totally unimpeded long after all the transports are "encrypted".
The core problem here is that the larger you make trust anchors, the more incentive exists for adversaries to co-opt them. People look at the proliferation of PKI as a positive thing... I don't... I see it as a disaster waiting to happen, like overprescribing antibiotics and getting doubly fucked over when it becomes useless.
Global trust anchors play an important role but we need to take responsibility for trust ourselves and diversify as quickly as possible away from them as more localized sources are established...otherwise we will continue to live in our fantasy world where centralized content and security is swell as it represents our best interests. It isn't and won't.
But the government refuses to mandate it, because the government doesn't represent us.
In the US we have a representational democracy. Technology companies are not democracies. I can't write my Mozilla or Google representative or senator to complain... in fact there is often little to no governance structure of any kind. The only means of influence most users have is the ear of their sales rep and associated threat of jumping ship. In this case Firefox is free and site operators don't have any practical say.
It isn't always wrong to use force.
I was not arguing for pacifism only the folly of assuming ends justify means.
It depends on what you use it for and what the consequences of not using it are. In this case, using force is clearly the right thing to do.
So what are the consequences? Why is it clearly the right thing to do? Can you even articulate the problem?
Last time I tried, https didn't work. Kinda surprised me.
This is done ALL THE TIME by too many entities to even count. The only time this is potentially bad is when it is done in self interest. This is clearly not the case here.
In this case, the encryption is not about asserting identity, it is about encrypting the data stream from point-to-point. This solves a lot of issues that currently plague the Internet as a whole while, at the same time, introducing new problems which will need to be worked out.
I believe this is a move in the right direction and can only help people be more secure, not less.
This is done ALL THE TIME by too many entities to even count.
Well then as long as other people are doing it too then it must be ok.
The only time this is potentially bad is when it is done in self interest.
Was this intended to be a tautology? What does any company do that can't be viewed from the prism of self interest? Charitable contributions = PR + Tax benefit. Giving shit away = Free advertising + support + advertising revenue.
This is clearly not the case here.
Clearly.
In this case, the encryption is not about asserting identity,
Well then it's worthless.
In this case, the encryption is not about asserting identity, it is about encrypting the data stream from point-to-point.
If you don't know who you are talking to, why does it matter that the data stream is encrypted in the first place? What if the other "point" is the front page of the New York Times or some random haxor at your friendly neighborhood Starbucks WiFi?
This solves a lot of issues that currently plague the Internet as a whole while
A lot of issues that currently plague... What are you talking about?
I believe this is a move in the right direction and can only help people be more secure, not less.
No question you believe it. But why? Because it solves a lot of unspecified issues?
Even with the identity verification, the encryption is not a guarantee against the MITM.
Because the man (the one in the middle) could have hijacked the certificate.
The oft-quoted example here is China injecting the JS into the unencrypted traffic. They probably do not even need to hack anything to hijack the certificate - they likely already have the laws which force the CA to hand over the certificates legally. And once that happens, you are back at the drawing board.
Decoupling at least allows the two technologies (A) to be developed independently and (B) to be easier replaced.
As long as I can continue to create exceptions for self-signed certs. I have a bad feeling about this though, from both google and mozilla.
If the letsencrypt project delivers then I'll gladly use them to create validated certs.
No question that the current certification system is a scam.
Salut,
Jacques
It would be better to have Firefox warn that the site had "outdated security" or something like that. The warnings could start out hardly noticeable and gradually become more conspicuous.
You mean like the unending stream of "security policy violation" messages that some sites trigger by, IIRC, mixing https and http content? The popups that come so fast that you can't get rid of one and stop loading the page before the next one comes up? And then you need to try to get through a dozen of them before doing anything else, except killing one causes two more to pop up?
That kind of "hardly noticeable"? Firefox has a history of not dealing with "security policy" warnings intelligently.
The idea is to get the message in front of as many Firefox using customers as possible before the businesses are aware of it.
That's the kind of action that causes websites to stop supporting browsers. If a specific browser prevents the user from accessing a website, then the business will ultimately react, but it can't do it by just waving a magic wand. Their support will be telling people that the browser is no longer supported -- because that's the truth.
At that point they can either fix their website or block Firefox.
They won't have to block Firefox, Firefox will be blocking itself.
But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.
Haha haha. Most people won't understand why, and most people won't care. They'll use a browser that works, and since that browser can deal with it, it will be Firefox that's broken.
But now if they block Firefox the reason will be widely known and the bank subject to public ridicule.
Haha haha. Most people won't understand why, and most people won't care.
And then there will be people like me: who understand why, and still don't care. If Firefox stops working with web sites I need to go to, I'll just stop using Firefox. I'm already a long way there: there is an increasing number of websites that Firefox doesn't work well with, and so I have to use a different browser for them.
Yes, the browser wars are on their way back.
I believe this is a move in the right direction and can only help people be more secure, not less.
I'm very much in favor of end-to-end encryption of all things. That said, I think this is a seriously bad move on the part of Mozilla.
There's a pretty huge difference between helping people to be more secure and forcing people to be more secure. Mozilla is forcing people. This is Mozilla attacking people so they'll do what Mozilla has deemed to be The Right Thing. That it is indeed The Right Thing in no way excuses using the tactic of force.
Nah, it's more like Mozilla won't let you drive without a seatbelt, even if you're on a mobility scooter in a sealed off car park.
As it is now, you are not notified of security issues when you have no security whatsoever. HTTP sites should be given a dire, red warning because they represent the least secure position online. An SSL site with an expired certificate is far more desirable than an HTTP website.
Green should represent proper SSL certificates, as it does now.
But there's one more problem with SSL/HTTPS sites that nobody talks about: the fake SSL certificate. Your browser *probably* trust a multitude of SSL certificate vendors, and *any* of them can issue a certificate for *any* domain.
So there are literally hundreds of SSL certificate vendors that could issue a cert for google.com or whatever, and you wouldn't know. If the NSA offered a bit of $$ to a commonly trusted (but otherwise unheard of) certificate vendor to issue a few certificates to be used discreetly....
See the problem?
If I go to Thawte or RapidSSL to get a cert, I should have the ability to publish my vendor of choice, and nobody else's certificates should be considered trustworthy. Similarly, I should be able to publish revoked certificates the same way.
Why hasn't this already been done?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
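Two of the wishes in this thread can be written down as client-side checks: the earlier suggestion to warn on self-signed certificates only when they change (rather than on every visit), and the wish just above to publish which vendor a domain uses so nobody else's certificate is accepted for it. The following is an added example (mine, not any commenter's and not Firefox code) that implements both as a trust-on-first-use fingerprint pin store plus an issuer restriction; the real-world mechanism for the issuing half is the DNS CAA record (RFC 6844), which constrains who may issue rather than what browsers accept, so here the published list is a plain dictionary. The certificates are constructed dictionaries standing in for parsed X.509 certificates.

```python
"""Added example (not from any commenter or from Firefox): two checks a
client could apply on top of, or for self-signed certificates instead of,
the CA chain walk.

  * Trust-on-first-use pinning: the first time a host is seen, record the
    SHA-256 fingerprint of its certificate and accept it; raise the dire
    warning only when the fingerprint later changes.
  * Issuer restriction: if a domain publishes which issuer(s) it uses,
    refuse certificates for that domain from anyone else.
Certificates are constructed stand-ins: dicts with the fields a parsed
certificate would expose (subject, issuer, self_signed) plus raw bytes
invented for the example in place of real DER.
"""
import hashlib


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the form browsers display."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Persisted pins keyed by host name (kept in memory here)."""

    def __init__(self):
        self._pins = {}

    def check(self, host, cert):
        """Return 'first-use', 'match' or 'CHANGED'."""
        fp = fingerprint(cert["der"])
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = fp
            return "first-use"
        if pinned == fp:
            return "match"
        return "CHANGED"  # the dire warning belongs here, not on first sight

    def rotate(self, host, cert):
        """Operator-confirmed key change, e.g. after verifying the new
        fingerprint over another channel: replace the pin."""
        self._pins[host] = fingerprint(cert["der"])


def issuer_allowed(host, cert, published_issuers):
    """Apply the published issuer restriction. A host that publishes
    nothing falls back to the usual rule (any trusted CA)."""
    allowed = published_issuers.get(host)
    if allowed is None:
        return True
    return cert["issuer"] in allowed


def evaluate(host, cert, pins, published_issuers):
    """Combine both checks into a verdict string."""
    if not issuer_allowed(host, cert, published_issuers):
        return "reject: issuer %s not published for %s" % (cert["issuer"], host)
    if cert["self_signed"]:
        state = pins.check(host, cert)
        if state == "CHANGED":
            return "warn: self-signed certificate for %s changed" % host
        return "ok: self-signed, pinned (%s)" % state
    return "ok: CA-issued"


# Constructed sample certificates (issuer names are labels, not real CAs).
HOME_V1 = {"subject": "home.example.test", "issuer": "home.example.test",
           "self_signed": True, "der": b"constructed-der-home-key-1"}
HOME_V2 = {"subject": "home.example.test", "issuer": "home.example.test",
           "self_signed": True, "der": b"constructed-der-home-key-2"}
BANK_OK = {"subject": "bank.example.test", "issuer": "Vendor-A (sample)",
           "self_signed": False, "der": b"constructed-der-bank"}
BANK_ROGUE = {"subject": "bank.example.test", "issuer": "Unheard-of CA (sample)",
              "self_signed": False, "der": b"constructed-der-bank-rogue"}
# What each domain has published about its chosen vendor (constructed).
PUBLISHED = {"bank.example.test": {"Vendor-A (sample)"}}
```

The `rotate()` path is the part a real deployment has to think about: a legitimate key change looks exactly like an attack to the pin store, so the warning must give the user (or the operator's out-of-band fingerprint) a way to confirm the new certificate rather than just a way to click through.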
It seems Mozilla wants to move away from http, but here are some use cases they will be breaking:
I have a slow and expensive Internet connection used by a few people on a few different devices, I use a proxy-cache to improve page load times and reduce network traffic.
I am a parent, and while I try to be present whenever the kids use the internet, I run a proxy-filter (e.g. DansGuardian) to prevent them from stumbling across less suitable sites.
I am a service provider, and I use a transparent proxy to cache large files downloaded from international sites. This saves me about 10% of my running costs.
I am a service provider providing internet access with high input costs; in order to provide reasonably-priced services I have quota-based products. In order to be friendly to my customers and avoid them incurring over-use charges, I inject JS notifications at various thresholds. With only HTTPS, I will just have to wait until they are over quota and then block all HTTPS traffic and hope I can redirect some HTTP traffic to a page informing them that they are over quota.
I am a security engineer for my company, for various reasons we need to be able to inspect http traffic (prevent users from visiting malicious sites, enforce productivity controls etc.).
Sure, there are technical means around some of these challenges (e.g. devices that ship with/use CA certs and dynamically generate SSL certs to MITM the traffic), but this initiative is just going to increase costs for everyone.
And who will benefit? Well, most of the main sponsors of Let's encrypt. Cisco will be selling you more network equipment that can MITM SSL, Akamai will get more business as ISPs will not be able to cache on their own and content owners will have to pay Akamai instead.
Maybe some affected parties will start blocking Firefox (or block ssl upgrade checks), or some service providers may start charging Firefox users more.
I am a supporter of open source and have used Firefox as my primary browser since before the 1.0 release, but some of the supposed security braindeadness has made life more difficult, and this is just another example, and may be the one that forces me to change to a web browser, instead of an HTTPS-only browser.
With all this hassle for updating the web recently, including the permanent surveillance by Facebook/WhatCrap/Whatever, the Snowden leaks and the NSA/BND disasters and the broadened discussion about encrypting services, it's becoming more and more evident that we need a complete bottom-up redo of all popular services on the internet.
The most pressing and obvious is E-Mail, which, by any standard imaginable, is about the worst protocol and service still in widespread use. But before that can happen properly, there's another thing that should be redone before everything else: DNS.
DNS needs to be abstracted away from the carriers and core services into something based on cryptographic signatures. It should be possible for me to buy a domain for life simply by purchasing a slip of paper or a piece of code containing a register key to which I can tie a domain that is still free for choosing. Moving to a different provider with my domain or hosting it on my own small VM should be a matter of minutes.
Next up would be E-Mail. Zero-fuss end-to-end encryption and CPU-expensive hashing to make mass-mail expensive and spamming virtually impossible. Setting up a mailserver should be as easy as setting up a mail client today. In fact, there shouldn't be much of a difference whether I'm setting up a client or a server - one of the big problems with E-Mail today.
Next up would be the Web. Let's face the facts: The Web today is a pile of junk. It's only thanks to Netscape freeing its browser (Mozilla) and Google buying V8 and fighting for a free (beer) web that benefits their business that we have a half-way feasible free web. Flash - and I'm sorry to break this to the /. crowd - was light-years ahead of everything else on the client-based web. CSS3 / HTML5 and JS are a joke in comparison. Clients are strange hacks with arcane technologies strapped together with glue and duct tape, doing insane stunts and feats to build rich clients. The entire service could use a complete redo for design/UX, documents and programming. Javascript is neat and fun, but I can think of a few PLs that would do a better job, be easier to use and perhaps even easier to compile into binary.
Moving the Web into https is all fine and dandy - it's using FOSS technology and open standards - which is always the main big plus - but yet again it's only a dirty hack compared to what would be possible if we would base a rebuilt web-like service on what is technologically possible today.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
HTTPS is already designed with that kind of decoupling in mind. But it wouldn't make sense to offer encryption without identity verification to the end-user, because that would make the encryption useless, so any protocol that does encryption has to do both.
I know that. That's basic AAA.
Also note that for an effective MITM attack you would need to have new certificate for which you have got the private key. There are a number of things that will make this increasingly difficult in the future, like certificate pinning, increased willingness of browsers and OS vendors to blacklist CAs, and increased monitoring for rogue certificates which makes it easier to find rogue CAs.
I think you fail to realize the scale, the proportions, of the opposition the browsers face.
It's not some script kiddies who are threat here.
That's countries covering close to a half planet's population. They might as well simply outlaw the browsers. In fact, they already do outlaw some encryption software.
I personally would still argue that the CA system is the Achilles heel of HTTPS but the situation is getting better and it's a matter of time until we get a more distributed and robust way of certificate verification.
But that's another problem: you can't make CA distributed. CAs are the "single point of failure" which are allowed to be that, based on the promise that they will work hard not to fail. Making it distributed would basically nullify the promise, making the whole CA system vulnerable. IOW, nothing changes.
This could not go wrong, really (or could it!?).
This is a bad move and will force people away from using Mozilla because it will mean a Joe Citizen wanting to have a website will need to purchase SSL certificates - at significantly greater cost than the hosting cost of the web host that supplies the web hosting capability.
I understand the rationale, but very bad move!
Firefox has already done this. Since Firefox 37 the default preference does not allow fallback to TLS 1.0 or 1.1. So if your bank's website is not using TLS 1.2 then you will not be able to connect to it. There is no user-friendly UI to change the setting, but you can change the fallback setting using the about:config mechanism. Check the release notes here - https://www.mozilla.org/en-US/... Also SSL Labs has already planned to give a low grade to websites using RC4 over the next few months - https://community.qualys.com/b... You can check the status of your bank's security infrastructure with the SSL Labs scanning tool and complain about it in the bank's support forum - https://www.ssllabs.com/ssltes... The client I worked for has the same problem with some websites and hence started getting calls from customers. Thankfully they have quickly recognised the potential loss of business and are working on upgrading the infrastructure.