%brandDTD; ]>
This section describes how to set your SSL/TLS preferences.
This section describes how to use the SSL/TLS preferences panel. If you are not already viewing the panel, follow these steps:
The Secure Sockets Layer (SSL) protocol and its successor, the Transport Layer Security (TLS) protocol, are standards which define rules governing mutual authentication between a web site and browser software and the encryption of information that flows between them. They are also used for secure communication in various other protocols, e.g., for protection of sensitive information exchanged with email, calendar, or directory servers.
The SSL 2.0 and SSL 3.0 protocols are insecure and thus deprecated. The current TLS protocol is based on SSL but with its own version numbering. TLS 1.0 can be thought of as SSL 3.1, TLS 1.1 is in turn an update to TLS 1.0, etc. Newer protocols are preferred over older ones as they provide better security and more features. Older protocols are supported to ensure compatibility.
By default, &brandShortName; will select the most secure version which is widely supported to connect to the server. If that attempt doesn't succeed, it will try to connect with the next older version, etc., to the extent allowed by the settings in this panel. The connection will fail if no protocol supported by both sides is found. You can exclude older versions explicitly or allow newer versions which may not be widely supported yet with the following options:
Notes:
It's easy to tell when the web site you are viewing is using an encrypted connection. If the connection is encrypted, the lock icon in the lower-right corner of the browser window is locked (). If the connection is not encrypted, the lock icon is unlocked (). Encrypted pages which contain some unencrypted items (mixed content) are shown with a broken-lock icon ().
If you want additional warnings, you can select one or more of the warning tickboxes in the SSL/TLS preferences panel. Unless stated otherwise, a notification bar will be presented at the top of the page triggering the alert, with an option to enter this panel to change the option if the alert is considered annoying.
To activate any of these warnings, select the corresponding tickbox:
Note: Submitting a form from an encrypted to an unencrypted page will always prompt a dialogue prior to opening the page, regardless of this setting.
In general, there are two major issues related to transmitting sensitive
information over an unencrypted connection: One is the danger of someone
eavesdropping on the line, thus listening to the content transmitted; the
other of someone intercepting requests for the desired page and replacing
the legitimate content of that page with own (potentially malicious)
content. While so-called Man In The Middle
attacks can usually be
detected in encrypted connections (e.g., by a certificate mismatch or an
invalid certificate presented by the interceptor), no such verification
exists for unencrypted connections.
The term Mixed Content
refers to a web page which itself is
encrypted, but which includes content on the same or a different server
which is not encrypted. Consequently, this part of the page is
still subject to the vulnerabilities of an unencrypted line. While there
are legitimate uses of that concept (such as including a company logo from
a different insecure web site into an otherwise secure page), such designs
should be avoided.
There are two general types of mixed content:
The following options allow you to be warned about and/or to block both mixed active and mixed passive content:
Warn meoption is ticked, the notification bar will contain two additional buttons:
Unblockfor a specific site can be revoked in the Permissions tab of the Data Manager. When in a private window, these options aren't available in the notification bar.
Warn meoption is ticked, a notification is presented that such content was blocked.
For short definitions, click authentication, encryption, or certificate.
For more information about ciphers and encryption, see the following online documents: