'Security? You Don't Really Want That ...'

Today I heard that Linux Journal has resurfaced after going bankrupt a couple years ago. I loved them when they were a print publication and owned a large portion of their print run. But after they changed exclusively to electronic format I let my subscription lapse. Still, I thought I'd look at their website: https://www.linuxjournal.com/ . But my browser wouldn't let me go there, saying this:

Firefox telling you that your browser is too secure and you should reset it

This occurred because I did a lot of reading about browser security and decided I should change one of Firefox's many obscure settings under about:config. This one is security.tls.version.min which by default is set to "1" (and means the minimum acceptable version of TLS is 1.1), and I changed it to "2" because I really think that that's the minimum acceptable version (ie. TLS v1.2). TLS 1.2 became an official standard a decade ago, and has been readily available to website operators for at least five years, probably more. More importantly, TLS 1.1 is deprecated because it's weak.

Here's Qualys's low opinion of linuxjournal.com. I see a lot of "B" grades on that test, but it takes persistent neglect and incompetence to achieve the "C" grade that Linux Journal has managed.

So here we have a website about Linux, which should ostensibly be run by knowledgeable computer people. And a browser that touts its own security (they all do) that's now saying "you're asking for too much security." If I ask for a website with a bad security certificate, Firefox offers to let me make a temporary exception: that's the sane way to handle this. But not in this case: it says "you should just junk those cautious settings you have."

As the Dead Kennedys said 30 years ago, "give me convenience or give me death." An attitude so prevalent that your browser suggests giving up your security and privacy for an instant of convenience. Call me paranoid, but I'm a bit reluctant ...