michel_ouba/FF_arkenfox_user.js
michel_ouba/FF_arkenfox_user.js
1
0
Fork 0
Code Releases Activity

1202: tls.min => inactive #533

Browse Source 
TLS 1.0 and 1.1 are still secure. Sure, later versions are more secure, but 98% of the web is already upgraded - less than 2% of sites use < v1.2. So it's not very likely you would come across a site that requires it, but if you did, what's the point in breaking it. Mozilla and Chrome already have plans to deprecate TLS 1.0 & 1.1, and force that last 2% of sites.

TLS settings can be FP'ed without JS. By sticking with the defaults, I do not see any security issues, but an increase in potential anti-FPing. TBH, the chances of either (i.e being FP'ed with TLS as a entropy point, or being compromised due to TLS<1.2) are slim to non anyway.

Any arguments, please see @earthlng
This commit is contained in:
Thorin-Oakenpants 2018-11-13 16:19:23 +00:00 committed by GitHub
parent 3003f2dd85
commit 0cc4007eda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
user.js
View File

@ -725,7 +725,7 @@ user_pref("security.ssl.require_safe_negotiation", true);
* [1] http://kb.mozillazine.org/Security.tls.version.*
* [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
* [2] archived: https://archive.is/hY2Mm ***/
user_pref("security.tls.version.min", 3);
// user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3
/* 1203: disable SSL session tracking (FF36+)
* SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.