1202: tls.min => inactive #533

TLS 1.0 and 1.1 are still secure. Sure, later versions are more secure, but 98% of the web is already upgraded - less than 2% of sites use < v1.2. So it's not very likely you would come across a site that requires it, but if you did, what's the point in breaking it. Mozilla and Chrome already have plans to deprecate TLS 1.0 & 1.1, and force that last 2% of sites. TLS settings can be FP'ed without JS. By sticking with the defaults, I do not see any security issues, but an increase in potential anti-FPing. TBH, the chances of either (i.e being FP'ed with TLS as a entropy point, or being compromised due to TLS<1.2) are slim to non anyway. Any arguments, please see @earthlng
2025-11-03 23:35:26 +01:00 · 2018-11-13 16:19:23 +00:00
parent 3003f2dd85
commit 0cc4007eda
1 changed files with 1 additions and 1 deletions
--- a/user.js
+++ b/user.js
@@ -725,7 +725,7 @@ user_pref("security.ssl.require_safe_negotiation", true);
 * [1] http://kb.mozillazine.org/Security.tls.version.*
 * [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
 * [2] archived: https://archive.is/hY2Mm ***/
-user_pref("security.tls.version.min", 3);
+   // user_pref("security.tls.version.min", 3);
 user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3
 /* 1203: disable SSL session tracking (FF36+)
 * SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.