From a6d20eaf5b4d6fc306257cf56beb89595c6be173 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 23 Jun 2021 16:22:10 +0000 Subject: [PATCH] 1264: update ciphers, fixes #1196 (#1197) --- user.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 928d15b..7d5b929 100644 --- a/user.js +++ b/user.js @@ -740,8 +740,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); // user_pref("dom.securecontext.whitelist_onions", true); /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] - * These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1]) - * Additionally some have other weaknesses like key sizes of 128 (or lower) [2] and/or no Perfect Forward Secrecy [3]. + * These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC, + * and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128 * [1] https://browserleaks.com/ssl * [2] https://en.wikipedia.org/wiki/Key_size * [3] https://en.wikipedia.org/wiki/Forward_secrecy @@ -756,6 +756,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", false); // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false); + // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS + // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS