I am pleased to announce the latest release of NetSurf is now available.
NetSurf 3.9 features support for CSS Media Queries (level 4) and
Also included are many bug fixes and improvements.
We recommend all users upgrade to NetSurf 3.9.
I will note that we should be disabling SSL3 too, and TLS 1.0 and 1.1 next year.
(moved to dev list where it is more appropriate)
On Jul 5, 2019, 05:32 +0100, ferrite61(a)yahoo.com, wrote:
> Little more than a week ago I posted about the Security Certs for NS 3.8. I was not aware at that time that NS 3.9 was already available (I was using a link provided for D/L of 3.8). Since there has been other bugs/problems, I thought to provide the actual results. The location of this Qualys Client Test is
> Presuming the Certs are within NS 3.8, it would appear that the "weak" certs be removed for added security. I did not receive an answer to the question if the certs are tapped from the Distribution or the Browser. So, here are the results...
> TLS 1.3 No
> TLS 1.2 Yes*
> TLS 1.1 Yes*
> TLS 1.0 Yes*
> SSL 3 Yes*
> SSL 2 No
> Cipher Suites (in order of preference)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Forward Secrecy 256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Forward Secrecy 256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) WEAK 256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) WEAK 256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Forward Secrecy 128
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Forward Secrecy 128
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) WEAK 128
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) WEAK 128
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) Forward Secrecy 256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) WEAK 256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) Forward Secrecy 128
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) WEAK 128
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) WEAK 256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) WEAK 128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) WEAK 256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) WEAK 128
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff) -
> (1) When a browser supports SSL 2, its SSL 2-only suites are shown only on the very first connection to this site. To see the suites, close all browser windows, then open this exact page directly. Don't refresh.
> Protocol Details
> Server Name Indication (SNI) Yes
> Secure Renegotiation Yes
> TLS compression No
> Session tickets Yes
> OCSP stapling No
> Signature algorithms SHA512/RSA, SHA512/DSA, SHA512/ECDSA, SHA384/RSA, SHA384/DSA, SHA384/ECDSA, SHA256/RSA, SHA256/DSA, SHA256/ECDSA, SHA224/RSA, SHA224/DSA, SHA224/ECDSA, SHA1/RSA, SHA1/DSA, SHA1/ECDSA
> Named Groups secp256r1, secp521r1, brainpoolP512r1, brainpoolP384r1, secp384r1, brainpoolP256r1, secp256k1, sect571r1, sect571k1, sect409k1, sect409r1, sect283k1, sect283r1
> Next Protocol Negotiation Yes
> Application Layer Protocol Negotiation No
> SSL 2 handshake compatibility No
> Paul S. in CT
A lot of features and bug fixes have happened since the 3.8 release so
I am considering producing a 3.9 soon.
The merging of the work to add css media queries has resulted in much
improved rendering on many web sites including making our handling of
CSS length  calculations much more sensible especially useful on
higher DPI displays.
The completion of the monkey test frontend harness and associated
infrastructure has resulted in numerous issues being discovered and
Additional testing also means our handling of some core things like
HTTP headers and basic web authentication has improved and should not
regress in future.
There have also been a great number of resource leaks fixed improving
the browsers overall memory usage.
I had intended to release before now but testing kept revealing
issues, however I now believe that we are ready for a 3.9 release
candidate on Sunday June 16th with the actual release on Saturday June
22nd unless critical bugs are discovered.
If anyone has a reasonable objection to this please let me know as
soon as possible and I will reconsider.