user.js


commit 0cc4007eda10a92dadbe8d3548a06a16c21a1d7b
parent 3003f2dd85be1851d1493e94df801c5c6d8c29ef
Author: Thorin-Oakenpants <Thorin-Oakenpants@users.noreply.github.com>
Date:   Tue, 13 Nov 2018 16:19:23 +0000

1202: tls.min => inactive #533

TLS 1.0 and 1.1 are still secure. Sure, later versions are more secure, but 98% of the web is already upgraded - less than 2% of sites use < v1.2. So it's not very likely you would come across a site that requires it, but if you did, what's the point in breaking it? Mozilla and Chrome already have plans to deprecate TLS 1.0 & 1.1, and force that last 2% of sites.

TLS settings can be FP'ed without JS. By sticking with the defaults, I do not see any security issues, but an increase in potential anti-FPing. TBH, the chances of either (i.e. being FP'ed with TLS as an entropy point, or being compromised due to TLS<1.2) are slim to none anyway.

Any arguments, please see @earthlng
Diffstat:
M user.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/user.js b/user.js @@ -725,7 +725,7 @@ user_pref("security.ssl.require_safe_negotiation", true); * [1] http://kb.mozillazine.org/Security.tls.version.* * [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/ * [2] archived: https://archive.is/hY2Mm ***/ -user_pref("security.tls.version.min", 3); + // user_pref("security.tls.version.min", 3); user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3 /* 1203: disable SSL session tracking (FF36+) * SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
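
Review bot: the 1202 comment block ending at `***/` is left unchanged while `security.tls.version.min` goes inactive, so anyone reading user.js sees references about turning off SSL 3.0 and TLS 1.0 directly above a pref that no longer does that, with no explanation in the file itself. Suggest adding a line to that block stating that the pref is inactive and why, since the rationale (compatibility with the remaining sites below TLS 1.2, and TLS settings being fingerprintable) currently lives only in the commit message. Separately, `user_pref("security.tls.version.max", 4);` stays active in the same hunk; if the goal is to stick with the browser defaults for the TLS version range, either confirm in the comment that 4 matches the default max or make that line inactive as well, so the range a server observes is not still shaped by this file.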