Firefox is configured to allow use of SSL 3.0.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-15767 | DTBF020 | SV-16706r3_rule | ECSC-1 | Medium |
| Description |
|---|
| DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD. Firefox has this set to on by default but this is not apparent in the GUI options screen. |
| STIG | Date |
|---|---|
| Mozilla FireFox | 2014-07-03 |
Details
| Check Text ( C-16453r4_chk ) |
|---|
| Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "security.enable_ssl3" and set the value to "true" or “false” and locked. Criteria: If the value of "security.enable_ssl3" is "true" or “false”, this is not a finding. If the value is locked, this is not a finding. |
| Fix Text (F-15956r3_fix) |
|---|
| Set the preference "security.enable_ssl3" to "true" or “false” and lock using the Mozilla.cfg file. |