authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2024-07-22 08:31:32 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2024-07-22 08:31:32 +0100
commitabc4b35b8bc5ff9514ad3ac40c7cbe3fd7d27ea0 (patch)
treed3db72f7e648faa7a15ca73f26d3c41ba004be26
parentff10782d4347979edc2231410c04d09ecd8fe9f7 (diff)
[LW] Disable OCSP stapling hard fail
-rw-r--r--firefox/user-overrides.js10
1 files changed, 10 insertions, 0 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 5856110..002c84b 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -83,4 +83,14 @@ user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
* [1] https://bugzilla.mozilla.org/1635603 ***/
user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com");
+/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
+ * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR
+ * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
+ * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
+ * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
+ * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
+ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+ * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
+user_pref("security.OCSP.require", false);
+
user_pref("browser.fixup.domainsuffixwhitelist.i2p", true);
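Review bot: The comment block added above `user_pref("security.OCSP.require", false);` documents the opposite of the value being set: its header reads "set OCSP fetch failures ... to hard-fail" and it calls soft-fail pointless, while `false` selects soft-fail. Anyone auditing this file from the comments would conclude that revocation checking fails closed, when with this override the connection continues if the OCSP responder cannot be reached, which is the blocked-responder case the comment itself warns about. I would change the header to something like `/* 1212 override: keep OCSP fetch failures soft-fail (security.OCSP.require = false)` and add one line stating why it is relaxed (presumably SEC_ERROR_OCSP_SERVER_ERROR breakage) and that a revoked certificate can go undetected when the responder is unreachable. The commit title says "stapling", whereas the comment scopes this pref to non-stapled fetches, so the two should use the same term.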