Git/firefox-user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-11-03 23:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

1211+1212: OCSP info tweaking, fixes #334

Browse Source
This commit is contained in:
Thorin-Oakenpants
2018-01-12 05:26:42 +13:00
committed by GitHub
parent f820ecbacb
commit b30b988137
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
user.js
View File

@@ -734,16 +734,19 @@ user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
user_pref("security.ssl.enable_ocsp_stapling", true);
/* 1211: control use of OCSP responder servers to confirm current validity of certificates
* 0=disable, 1=validate only certificates that specify an OCSP service URL (default)
* 2=enable and use values in security.OCSP.URL and security.OCSP.signing.
* 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
* OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
* It's a trade-off between security (checking) and privacy (leaking info to the CA)
* [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
* [1] https://en.wikipedia.org/wiki/Ocsp ***/
user_pref("security.OCSP.enabled", 1);
/* 1212: enable OCSP revocation. When a CA cannot be reached to validate a cert, Firefox currently
* continues the connection. With OCSP revocation, Firefox terminates the connection instead.
* [WARNING] Since FF44 the default is false. If set to true, this will cause some site breakage
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
/* 1212: set non-stapled OCSP to hard-fail
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
* For more info about the problems with soft/hard-fail (and OCSP in general) see [2]
* [NOTE] this pref is ignored if 'security.OCSP.enabled' is set to 0
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
* [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
user_pref("security.OCSP.require", true);
/** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
/* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)