All of a sudden, Firefox (62.0.3) is failing to load CSS and other content from Twitter-related web sites. For example, connecting to Twitter with the "Network" panel open, I see that it is failing to retrieve content from:

Twitter uses these domains for hosting content such as images, CSS stylesheets, Javascript, etc.

If I try connecting to one of those URLs directly, Firefox tells me:

An error occurred during a connection to abs.twimg.com.

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

I'm not sure exactly what this error message is trying to tell me.

  • Can confirm, I'm on 63.0b13 (64-bit). – user3108268 Oct 12 at 8:47
  • I have no idea what these two websites are, but they are not functional at all, on any browser. – harrymc Oct 12 at 9:25
  • They don't look like Twitter at all - Twitter works. – harrymc Oct 12 at 10:24
  • @harrymc they look exactly like twitter. Open the "network" developer panel and watch what resources get loaded when you visit twitter.com... or just "view source" on twitter.com and look at all the twimg.com links. I suspect that you are either on a different browser or different version of firefox. – larsks Oct 12 at 11:56
up vote 4 down vote accepted

I was able to resolve this issue by changing security.tls.version.max in about:config. It showed a default of 4, which enables TLS version 1.3. Setting it to 3 (TLS 1.2) resolved the issue for me. To be safe, I also changed security.tls.version.fallback-limit to 3 as well.

According to release notes, the default for this setting was changed all the way back in Firefox 60. But I definitely just started noticing this behaviour recently.

  • TLSv1.3 wasn't officially finished at that time, the implementations in OpenSSL and GnuTLS were still in progress, and very few web servers offered it until now. – grawity Oct 12 at 21:56
  • Thanks! That fixed Twitter and a handful of other sites that had the same issue... – larsks Oct 13 at 0:52

These webservers don't do TLSv1.3 right.

HTTP/2 has fairly strict requirements regarding the cipher strength of the underlying TLS session, and web servers are supposed to enforce a certain security level.

It seems that some web servers (specifically, the Verizon Edgecast/VDMS CDN) have implemented it in the form of a whitelist of cipher codepoints or something similar – but as TLSv1.3 has completely redone the protocol negotiation, even the strongest ciphers no longer match the whitelist because they're negotiated using different codepoints. As a result, the server kicks you off with an "insufficient security" error code.

$ nghttp -vn <url>
...
[  0.153] recv GOAWAY frame <length=26, flags=0x00, stream_id=0>
          (last_stream_id=0, error_code=INADEQUATE_SECURITY(0x0c), opaque_data(18)=[cipher is banned! ])

However, it seems Twitter just disabled TLSv1.3 right in the middle of writing this post. Other sites will probably fix this soon as well.

For the time being, you too can limit Firefox to TLSv1.2 via about:config.

Related links:
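The failure mode suggested in the answer above, as an added example that is not part of the original post or any server's real code: a codepoint allowlist rejects every TLS 1.3 suite, while a check modelled on the RFC 7540 blacklist (which applies to TLS 1.2 only) accepts them. The function names, the short sample lists and the debug string (copied from the nghttp output above) are assumptions made for illustration.

```python
import struct

# IANA codepoints. TLS 1.2 AEAD suites a server might have allowlisted:
TLS12_ALLOWLIST = {0xC02B, 0xC02F, 0xC030, 0xCCA8}
# TLS 1.3 suites live in a separate codepoint range:
TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
                0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
# Small sample of the RFC 7540 Appendix A blacklist (CBC / static-RSA suites):
H2_BLACKLIST_SAMPLE = {0x002F, 0x0035, 0x009C, 0xC013}

INADEQUATE_SECURITY = 0x0C
GOAWAY = 0x07
DEBUG = b"cipher is banned! "  # constructed from the nghttp output, 18 bytes

def allowlist_check(suite):
    """Hypothesised faulty check: any codepoint not listed is rejected."""
    return None if suite in TLS12_ALLOWLIST else INADEQUATE_SECURITY

def blacklist_check(tls_version, suite):
    """RFC 7540 section 9.2.2 style: the blacklist only concerns TLS 1.2."""
    if tls_version == "TLSv1.2" and suite in H2_BLACKLIST_SAMPLE:
        return INADEQUATE_SECURITY
    return None

def build_goaway(error_code, debug=b"", last_stream_id=0):
    """Serialise a GOAWAY frame: 9-byte header, then the payload."""
    payload = struct.pack(">II", last_stream_id, error_code) + debug
    header = len(payload).to_bytes(3, "big") + bytes([GOAWAY, 0]) + bytes(4)
    return header + payload

def parse_goaway(frame):
    """Decode the fields nghttp prints for a GOAWAY frame."""
    length = int.from_bytes(frame[:3], "big")
    if frame[3] != GOAWAY or length < 8 or len(frame) != 9 + length:
        raise ValueError("not a well-formed GOAWAY frame")
    last_id, code = struct.unpack(">II", frame[9:17])
    return {"length": length, "last_stream_id": last_id & 0x7FFFFFFF,
            "error_code": code, "debug": frame[17:]}

if __name__ == "__main__":
    for cp, name in TLS13_SUITES.items():
        print(name, "allowlist:", allowlist_check(cp),
              "blacklist:", blacklist_check("TLSv1.3", cp))
    print(parse_goaway(build_goaway(allowlist_check(0x1301), DEBUG)))
```
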
