diff --git a/user.js b/user.js index 9f74ed7..e3bed20 100644 --- a/user.js +++ b/user.js @@ -640,8 +640,15 @@ user_pref("browser.shell.shortcutFavicons", false); ***/ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!"); /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/ -/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack) - * [1] https://wiki.mozilla.org/Security:Renegotiation ***/ +/* 1201: require safe negotiation + * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially + * vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack + * if it disables renegotiations but the problem is that the browser can't know that. + * Setting this pref to true is the only way for the browser to ensure there will be + * no unsafe renegotiations on the channel between the browser and the server. + * [1] https://wiki.mozilla.org/Security:Renegotiation + * [2] https://tools.ietf.org/html/rfc5746 + * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/ user_pref("security.ssl.require_safe_negotiation", true); /* 1202: control TLS versions with min and max * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 @@ -747,8 +754,10 @@ user_pref("security.mixed_content.block_object_subrequest", true); // user_pref("security.ssl3.rsa_aes_256_sha", false); /** UI (User Interface) ***/ -/* 1270: display warning (red padlock) for "broken security" (see 1201) - * [1] https://wiki.mozilla.org/Security:Renegotiation ***/ +/* 1270: display warning on the padlock for "broken security" (if 1201 is false) + * Bug: warning padlock not indicated for subresources on a secure page! [2] + * [1] https://wiki.mozilla.org/Security:Renegotiation + * [2] https://bugzilla.mozilla.org/1353705 ***/ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); /* 1271: control "Add Security Exception" dialog on SSL warnings * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)