From 0cc4007eda10a92dadbe8d3548a06a16c21a1d7b Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 13 Nov 2018 16:19:23 +0000 Subject: [PATCH] 1202: tls.min => inactive #533 TLS 1.0 and 1.1 are still secure. Sure, later versions are more secure, but 98% of the web is already upgraded - less than 2% of sites use < v1.2. So it's not very likely you would come across a site that requires it, but if you did, what's the point in breaking it. Mozilla and Chrome already have plans to deprecate TLS 1.0 & 1.1, and force that last 2% of sites. TLS settings can be FP'ed without JS. By sticking with the defaults, I do not see any security issues, but an increase in potential anti-FPing. TBH, the chances of either (i.e being FP'ed with TLS as a entropy point, or being compromised due to TLS<1.2) are slim to non anyway. Any arguments, please see @earthlng --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index be8a695..aa4a1a2 100644 --- a/user.js +++ b/user.js @@ -725,7 +725,7 @@ user_pref("security.ssl.require_safe_negotiation", true); * [1] http://kb.mozillazine.org/Security.tls.version.* * [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/ * [2] archived: https://archive.is/hY2Mm ***/ -user_pref("security.tls.version.min", 3); + // user_pref("security.tls.version.min", 3); user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3 /* 1203: disable SSL session tracking (FF36+) * SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.