Create https.json #112
First implementation of some https presets. Source: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js#L691
According to allo-#114
1276e30 to 0c10046
Maybe consider adding HTTPS only mode available from FF 76.
@StarPicard I am not sure if we discussed this already in an issue: Your settings look good, but they are a rather opaque set of "trust me, this will improve your security" settings, that are just described with labels like In addition you may need to be careful not to set things that are obsolete later. Let's say we had set a TLSv1.1-only switch; then users would now need to change it to use TLSv1.2 and TLSv1.3. I am still thinking about a "paranoid" (or similar) profile for users who know a bit more and risk breaking more, but get the best security as default. There it may fit in, or it will fit in split into a few more settings, so I kept this PR open.

@shvchk This looks promising and is easy to understand. My personal opinion: From the post you linked I think it looks too much like a "real" security error considering the current internet, but it should look like this once we are able to really obsolete plain HTTP. I guess Mozilla's plan is to enable it by default in some future release, probably when Google does the same. For the generator: I think we can include this with an appropriate warning. Would you like to open an issue of its own for that containing the setting and the link, so you get notified when it's added?
"security.pki.sha1_enforcement_level": 1, | ||
"security.ssl.treat_unsafe_negotiation_as_broken": true, | ||
"browser.ssl_override_behavior": 1, | ||
"security.insecure_connection_icon.enabled": true, |
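Review bot: the numeric values in this hunk are opaque to anyone reading the preset: `"security.pki.sha1_enforcement_level": 1` (reject all SHA-1-signed certificates) and `"browser.ssl_override_behavior": 1` (the certificate-error page still allows adding an exception, but no longer pre-fills it) only mean something to someone who knows the Firefox pref semantics. Add a one-line description per pref in the preset so the generator can show what each switch trades off, and so a later reader can tell which entries have become obsolete.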
You could also add security.insecure_connection_text.enabled = true, which adds text "Not Secure" to HTTP sites.
{ | ||
"security.tls.version.min": 3, | ||
"security.tls.version.fallback-limit": 3, | ||
"security.tls.version.max": 4, |
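Review bot: `"security.tls.version.max": 4` pins the protocol ceiling at TLS 1.3, so the preset would keep a future TLS version disabled until someone edits the JSON; leave the max pref out and set only `security.tls.version.min`. It is also worth stating in the description that the min value 3 means TLS 1.2, which Firefox 78 and later already use as the default minimum, so this entry changes nothing on current releases.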
Setting a max version may be dangerous when there are newer TLS versions and the old ones are proven to be insecure.
{ | ||
}, | ||
{ | ||
"security.tls.version.min": 3, |
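Review bot: the hunk opens with an empty `{}` object before the new preset; it looks like a leftover from moving settings between entries and would either produce an empty preset or fail validation if the generator expects at least one pref per entry, so remove it. For the `"security.tls.version.min": 3` entry below it, a separate labelled entry per minimum (TLS 1.2, TLS 1.3) would let a user choose the stricter one knowingly instead of guessing from the integer.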
Min TLS 1.3 would be nice, but probably still breaks many websites. We need to split this into multiple settings.
"security.tls.version.max": 4, | ||
"security.ssl.disable_session_identifiers": true, | ||
"security.ssl.errorReporting.automatic": false, | ||
"security.ssl.errorReporting.enabled": false, |
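Review bot: `security.ssl.errorReporting.automatic`, `security.ssl.errorReporting.enabled` and `security.ssl.disable_session_identifiers` change what the browser sends out (error telemetry, resumable session identifiers) rather than how strictly a connection is validated; they belong in a privacy preset with their own label, or should be dropped from https.json, so that the security preset only contains prefs that affect TLS negotiation and certificate checking.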
Error reporting is more about privacy. I guess security is even improved by sending error reports (so sites can be fixed).
"security.OCSP.enabled": 1, | ||
"security.OCSP.require": true, |
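Review bot: `"security.OCSP.require": true` turns a failed OCSP fetch into a connection failure (hard-fail), so an unreachable responder or a captive portal blocks the site; the preset description should say so before a user enables it. `"security.OCSP.enabled": 1` is already the Firefox default, so that line adds nothing; if the intent is to rely on stapled responses, note that stapling (`security.ssl.enable_ocsp_stapling`) is on by default and is not affected by these two prefs.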
OCSP without stapling is a privacy problem, disabling OCSP is a security problem. I am not sure if we should change anything here.
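As an added example, not part of this PR or of the generator's own code: a small Python script that renders preset entries of the shape used in this diff to user.js lines and flags the points raised in the review above (an empty preset object, a pinned `security.tls.version.max`, a TLS 1.3-only minimum, hard-fail OCSP, and prefs that are about privacy rather than connection security). It assumes Firefox's integer encoding of `security.tls.version.*` (1 = TLS 1.0 up to 4 = TLS 1.3) and that `security.OCSP.require` only has an effect while OCSP fetching is enabled; the JSON input is constructed from the prefs visible in the diff.

```python
"""Render https.json-style presets to user.js lines and lint them for the
review points in this thread. Added example, not the generator's code."""
import json

# Firefox encodes protocol versions as small integers in security.tls.version.*
TLS_VERSION_NAMES = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Prefs that change what the browser sends to third parties, not how strictly
# a connection is validated (the "privacy, not security" point in the review).
PRIVACY_PREFS = {
    "security.ssl.errorReporting.automatic",
    "security.ssl.errorReporting.enabled",
    "security.ssl.disable_session_identifiers",
}

# Constructed input: a list of preset objects modelled on the diff in this PR.
PRESETS_JSON = """
[
  {},
  {"security.tls.version.min": 3, "security.tls.version.max": 4},
  {"security.tls.version.min": 4},
  {"security.ssl.errorReporting.automatic": false,
   "security.ssl.errorReporting.enabled": false},
  {"security.OCSP.enabled": 1, "security.OCSP.require": true},
  {"security.OCSP.enabled": 0, "security.OCSP.require": true}
]
"""


def render_user_pref(name, value):
    """One user.js line; json.dumps yields Firefox's literal syntax for str/int/bool."""
    return f'user_pref("{name}", {json.dumps(value)});'


def render_preset(preset):
    """All user.js lines for one preset, in a stable order."""
    return [render_user_pref(k, v) for k, v in sorted(preset.items())]


def lint_preset(preset):
    """Return a list of (pref, message) findings for one preset dict."""
    findings = []
    if not preset:
        findings.append(("", "empty preset entry; it would generate nothing"))
        return findings
    if "security.tls.version.max" in preset:
        mx = preset["security.tls.version.max"]
        findings.append(("security.tls.version.max",
                         f"caps protocol at {TLS_VERSION_NAMES.get(mx, mx)}; "
                         "a newer TLS version would stay disabled"))
    mn = preset.get("security.tls.version.min")
    if mn is not None and mn >= 4:
        findings.append(("security.tls.version.min",
                         f"{TLS_VERSION_NAMES.get(mn, mn)}-only minimum; "
                         "expect breakage on many sites"))
    if preset.get("security.OCSP.require") is True:
        # Assumption: require only matters while OCSP fetching (enabled != 0) is on.
        if preset.get("security.OCSP.enabled") == 0:
            findings.append(("security.OCSP.require",
                             "require is true but OCSP fetching is disabled; "
                             "nothing to enforce"))
        else:
            findings.append(("security.OCSP.require",
                             "hard-fail: an unreachable OCSP responder blocks "
                             "the connection"))
    for name in sorted(preset):
        if name in PRIVACY_PREFS:
            findings.append((name, "privacy setting; does not strengthen the connection"))
    return findings


def lint_all(presets_json):
    """Lint every preset in a JSON array; one findings list per preset."""
    return [lint_preset(p) for p in json.loads(presets_json)]


if __name__ == "__main__":
    for i, preset in enumerate(json.loads(PRESETS_JSON)):
        print(f"# preset {i}")
        for line in render_preset(preset):
            print(line)
        for pref, msg in lint_preset(preset):
            print(f"#   warning {pref or '(entry)'}: {msg}")
```

Running it prints each preset as user.js lines followed by its warnings, which is the kind of per-setting explanation the review asks the generator to show instead of bare integers.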
6b454a5 to ab6c362