user.js

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README
commit 4074a37e1d3a2492e0fd28bcc9289b8b88e94b58
parent 97043b0ce15fd8fbcc16343bdce235c8fc824fc3
Author: earthlng <earthlng@users.noreply.github.com>
Date:   Sat,  7 Dec 2019 18:26:39 +0000

1201 + 1270 update (#859)



trim by a line, remove extra space, fixup on red, indicate it only applies if 1201 is false

Diffstat:

Muser.js | 17+++++++++++++----


1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/user.js b/user.js
@@ -640,8 +640,15 @@ user_pref("browser.shell.shortcutFavicons", false);
 ***/
 user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
-/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack)
- * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
+/* 1201: require safe negotiation
+ * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially
+ * vulnerable to a MiTM attack [3]. A server *without* RFC 5746 can be safe from the attack
+ * if it disables renegotiations but the problem is that the browser can't know that.
+ * Setting this pref to true is the only way for the browser to ensure there will be
+ * no unsafe renegotiations on the channel between the browser and the server.
+ * [1] https://wiki.mozilla.org/Security:Renegotiation
+ * [2] https://tools.ietf.org/html/rfc5746
+ * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/
 user_pref("security.ssl.require_safe_negotiation", true);
 /* 1202: control TLS versions with min and max
  * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
@@ -747,8 +754,10 @@ user_pref("security.mixed_content.block_object_subrequest", true);
    // user_pref("security.ssl3.rsa_aes_256_sha", false);
 
 /** UI (User Interface) ***/
-/* 1270: display warning (red padlock) for "broken security" (see 1201)
- * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
+/* 1270: display warning on the padlock for "broken security" (if 1201 is false)
+ * Bug: warning padlock not indicated for subresources on a secure page! [2]
+ * [1] https://wiki.mozilla.org/Security:Renegotiation
+ * [2] https://bugzilla.mozilla.org/1353705 ***/
 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /* 1271: control "Add Security Exception" dialog on SSL warnings
  * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)