michel_ouba/FF_arkenfox_user.js
michel_ouba/FF_arkenfox_user.js
1
0
Fork 0
Code Releases Activity

http2, altsvc, ssl session ids vs FPI vs TB #571

Browse Source
This commit is contained in:
Thorin-Oakenpants 2018-12-18 15:54:57 +00:00 committed by GitHub
parent 5b0952f60a
commit ac4e764c37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
user.js
View File

@ -462,6 +462,9 @@ user_pref("network.dns.disableIPv6", true);
/* 0702: disable HTTP2 (which was based on SPDY which is now deprecated)
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance
* privacy, and in fact opens up a number of server-side fingerprinting opportunities
* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
* [1] https://http2.github.io/faq/
* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://queue.acm.org/detail.cfm?id=2716278
@ -470,6 +473,9 @@ user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);
user_pref("network.http.spdy.enabled.http2", false);
/* 0703: disable HTTP Alternative Services [FF37+]
* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
* [1] https://tools.ietf.org/html/rfc7838#section-9
* [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
user_pref("network.http.altsvc.enabled", false);
@ -756,11 +762,13 @@ user_pref("security.ssl.require_safe_negotiation", true);
// user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 4);
/* 1203: disable SSL session tracking [FF36+]
* SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 24hrs.
* Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
* this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking
* SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking
* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
* [1] https://tools.ietf.org/html/rfc5077
* [2] https://bugzilla.mozilla.org/967977 ***/
* [2] https://bugzilla.mozilla.org/967977
* [3] https://arxiv.org/abs/1810.07304 ***/
user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
/* 1204: disable SSL Error Reporting
* [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/