diff --git a/user.js b/user.js
index e96ad75..8284a93 100644
--- a/user.js
+++ b/user.js
@@ -734,16 +734,19 @@ user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
  * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
 user_pref("security.ssl.enable_ocsp_stapling", true);
 /* 1211: control use of OCSP responder servers to confirm current validity of certificates
- * 0=disable, 1=validate only certificates that specify an OCSP service URL (default)
- * 2=enable and use values in security.OCSP.URL and security.OCSP.signing.
+ * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
  * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
  * It's a trade-off between security (checking) and privacy (leaking info to the CA)
+ * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
  * [1] https://en.wikipedia.org/wiki/Ocsp ***/
 user_pref("security.OCSP.enabled", 1);
-/* 1212: enable OCSP revocation. When a CA cannot be reached to validate a cert, Firefox currently
- * continues the connection. With OCSP revocation, Firefox terminates the connection instead.
- * [WARNING] Since FF44 the default is false. If set to true, this will cause some site breakage
- * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
+/* 1212: set non-stapled OCSP to hard-fail
+ * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
+ * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
+ * For more info about the problems with soft/hard-fail (and OCSP in general) see [2]
+ * [NOTE] this pref is ignored if 'security.OCSP.enabled' is set to 0
+ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+ * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
 user_pref("security.OCSP.require", true);
 /** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
 /* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)
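Review bot: The rewritten 1212 comment drops the old `[WARNING]` about site breakage, but the operational cost of hard-fail is unchanged: with `security.OCSP.require` left at true, a connection whose certificate carries no stapled response and whose OCSP responder cannot be reached (responder outage, captive portal, a network that filters the responder) is terminated rather than continued. A reader who only sees "soft-fail vs hard-fail" is not told that this is a breakage they will actually hit, so I would keep a line such as ` * [WARNING] hard-fail will break sites whose OCSP responder is unreachable or blocked; sites using stapling (see 1211's note) are not affected`. The new `[NOTE]` that the pref is ignored when `security.OCSP.enabled` is 0 pairs well with the value table in 1211; it may also be worth saying there that value 2 narrows fetching to EV certificates, which presumably narrows what 1212 can hard-fail on as well, though that reading of the two prefs together should be confirmed before it is written down.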