|
|
@@ -735,19 +735,18 @@ user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
|
|
|
/* 1210: enable OCSP Stapling
|
|
|
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
|
|
|
user_pref("security.ssl.enable_ocsp_stapling", true);
|
|
|
-/* 1211: control use of OCSP responder servers to confirm current validity of certificates
|
|
|
+/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)
|
|
|
* 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
|
|
|
* OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
|
|
|
* It's a trade-off between security (checking) and privacy (leaking info to the CA)
|
|
|
* [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
|
|
|
* [1] https://en.wikipedia.org/wiki/Ocsp ***/
|
|
|
user_pref("security.OCSP.enabled", 1);
|
|
|
-/* 1212: set non-stapled OCSP to hard-fail
|
|
|
+/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
|
|
|
* When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
|
|
|
* Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
|
|
|
- * OCSP fetching without hard-fail is completely pointless ("seat belts that break when they are needed most")
|
|
|
- * For more info about the problems with soft/hard-fail (and OCSP in general) see [2]
|
|
|
- * [NOTE] this pref is ignored if 'security.OCSP.enabled' is set to 0
|
|
|
+ * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
|
|
|
+ * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
|
|
|
* [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
|
|
* [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
|
|
|
user_pref("security.OCSP.require", true);
|
Thorin-Oakenpants