Commit 7016c20

move TLS 1.0/1.1 downgrades to don't bother
https://bugzilla.mozilla.org/show_bug.cgi?id=1745678
1 parent 2787da7 commit 7016c20

1 file changed

+5
-3
lines changed

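--- a/user.js
+++ b/user.js
@@ -475,8 +475,6 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 * [4] https://www.ssllabs.com/ssl-pulse/ ***/
 user_pref("security.ssl.require_safe_negotiation", true);
-/* 1203: reset TLS 1.0 and 1.1 downgrades i.e. session only ***/
-user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
 /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
 * This data is not forward secret, as it is encrypted solely under keys derived using
 * the offered PSK. There are no guarantees of non-replay between connections
@@ -1108,6 +1106,10 @@ user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
 * In FF96+ these are listed in about:compat
 * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
 user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]
+/* 6010: enforce/reset TLS 1.0/1.1 downgrades to session only
+* [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed
+* [TEST] https://tls-v1-1.badssl.com:1010/ ***/
+user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
 /* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/
 // user_pref("dom.caches.enabled", "");
 // user_pref("dom.storageManager.enabled", "");
@@ -1150,7 +1152,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
 // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
 /* 7004: control TLS versions
-* [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/
+* [WHY] Passive fingerprinting and security ***/
 // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
 // user_pref("security.tls.version.max", 4);
 /* 7005: disable SSL session IDs [FF36+]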
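Review bot: The new 6010 comment in the second hunk says the downgrade UX was removed in FF97+ but not why the pref is still actively set, which is what a reader needs in order to decide whether to keep the line. If the pref is still honoured after the UI removal (worth confirming against the linked bug), a profile that accepted a TLS 1.0/1.1 override earlier may carry a persisted `true`, and this line is what resets it on each start. I would add a line such as `* [WHY] a previously accepted override may persist as true; this resets it each start` before the `[TEST]` line. The 7004 `[WHY]` in the last hunk also loses its only mention of downgrades, so a short pointer there, for example `* [WHY] Passive fingerprinting and security (deprecated-version override: see 6010) ***/`, would keep the two items connected.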
