c13dbdf40d
https://wiki.mozilla.org/Security:Renegotiation describes > **the new default behaviour** that was introduced in experimental mozilla-central nightly versions on 2010-02-08 where the last step is > - should the server (or a MITM) request **renegotiation**, Mozilla will terminate the connection with an error message and then after talking about breakage ... > The above defaults may break some client/server environments where a Server is still using old software and requires renegotiation. mentions workarounds to reduce said breakage: > In order to give such environments a way to keep using Firefox (et.al.) to connect to their vulnerable server infrastructure, the following preferences are available: specifically talking about the first 2 prefs listed there, one allowing to specify a list of hosts "where renegotiation may be performed" and the 2nd one "completely disables the new protection mechanisms". But both those prefs were removed in FF38, meaning that since then it's no longer possible to disable the default behaviour that is "should the server (or a MITM) request **renegotiation**, Mozilla will terminate the connection with an error message". But all of this is about the **re**-negotiation part and not negotiation. And nowhere does it say "insecure" renegotiation, which, as I read it, means that FF will terminate the connection for any kind of **renegotiation**, safe or unsafe. 1201 controls the negotiation part: > This pref controls the behaviour during the initial negotiation between client and server. > If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack. > Setting this preference to “true” is the only way to guarantee full protection against the attack. I think "servers that are still using the old SSL/TLS protocol" actually means servers that **only** support the old protocols. Servers still supporting those old protocols in addition to some new protocol versions should not be affected by this pref because FF will be able to negotiate to use one of the newer protocol versions. Ergo lets fix the title and remove the line about renegotiation support because I think that's irrelevant. ps. the sslpulse link is nice and I'd like to keep it somewhere but it doesn't really fit in 1201 IMO so I moved it to 1202. |
||
|---|---|---|
| .github/ISSUE_TEMPLATE | ||
| scratchpad-scripts | ||
| wikipiki | ||
| .gitattributes | ||
| .travis.yml | ||
| LICENSE.txt | ||
| README.md | ||
| _config.yml | ||
| prefsCleaner.bat | ||
| prefsCleaner.sh | ||
| updater.bat | ||
| updater.sh | ||
| user.js | ||
README.md
user.js
A user.js is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the overview wiki page.
ghacks user.js
The ghacks user.js is a template which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen).
Everyone, experts included, should at least read the implementation wiki page, as it contains important information regarding a few ghacks user.js settings.
Note that we do not recommend connecting over Tor on Firefox. Use the Tor Browser if your threat model calls for it, or for accessing hidden services.
Also be aware that this user.js is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
Sitemap: Releases, changelogs, Wiki, stickies. diffs
acknowledgments
Literally thousands of sources, references and suggestions. That said...
- Martin Brinkmann at ghacks 1
- The ghacks community and commentators
- 12bytes
- The 12bytes article now uses this user.js and supplements it with an additional JS hosted at Codeberg
1 The ghacks user.js was an independent project by Thorin-Oakenpants started in early 2015 and was first published at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.
