firefox: disable "security.tls.enable_0rtt_data"; add docs to other settings

i'm not that passionate about the 0rtt setting; but i worry the vulnerabilities could stack with e.g. insecure renegotiation or other vulns
This commit is contained in:
2025-07-21 08:16:39 +00:00
parent 496b2a10b4
commit f49ce4b2fd


@@ -19,15 +19,25 @@
// browser.sessionstore.privacy_level: 0, 1, 2
// 0: persist partially-filled forms to disk, across browser restarts
defaultPref("browser.sessionstore.privacy_level", 0);
// enable 0-round-trip TLS resumption, at the expense that MITM can replay the client's first packet.
defaultPref("security.tls.enable_0rtt_data", true);
//
// `enable_0rtt_data=true`: enable 0-round-trip TLS resumption, at the expense that MITM can replay the client's first packet.
// defaultPref("security.tls.enable_0rtt_data", true);
//
// `require_safe_negotiation=false`: allow TLS 1.2 connections even to servers potentially vulnerable to CVE-2009-3555.
// this allows a MITM attacker to prefix arbitrary data to my request.
// as of 2025-07-20: 99.9% of sites support safe negotiation. 0.1% do not;
// google-chrome, epiphany, and stock firefox (not arkenfox) do not enforce safe negotiation.
// - <https://lwn.net/Articles/362234/>
// defaultPref("security.ssl.require_safe_negotiation", false);
//
// OCSP queries SSL cert revocation status on every connect; that means letting a 3rd party know every site you visit.
// disable that, how in hell is that good for privacy.
// N.B.: i'm pretty sure this keeps CRlite enabled, which is the better implementation of cert revocation (i.e. performed locally).
// see: <https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>
defaultPref("security.OCSP.enabled", 0);
// if we can't query the revocation status of a SSL cert because the issuer is offline,
// treat it as unrevoked.
//
// `security.OCSP.require=false`: if we can't query the revocation status of a SSL cert because
// the issuer is offline, treat it as unrevoked.
// see: <https://librewolf.net/docs/faq/#im-getting-sec_error_ocsp_server_error-what-can-i-do>
defaultPref("security.OCSP.require", false);
defaultPref("browser.display.use_system_colors", true);
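Review bot: Commenting out `defaultPref("security.tls.enable_0rtt_data", true);` only stops this file from forcing 0-RTT on; the effective value becomes whatever Firefox's built-in default (true, as far as I recall — worth confirming) or an applied user.js such as the arkenfox one mentioned in the safe-negotiation comment sets, so the title's "disable" may not actually hold. If the intent is to disable it, make that explicit and self-documenting: `defaultPref("security.tls.enable_0rtt_data", false);` with the comment reworded to `// disabled: a MITM can replay the client's first flight (early data), and that may stack with other TLS weaknesses`. The same applies to the commented-out `security.ssl.require_safe_negotiation` line: leaving it commented means the built-in default is in effect, and the comment above it should say which value that is, since the text currently reads as if `false` were being applied. The `99.9% of sites support safe negotiation` figure would benefit from a source link next to the lwn reference so a future reader can re-check it. This hunk is a run of top-level statements in a flat config script that continues on both sides of the hunk.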