From b2bd1ab0d70b95608732e7a666083fa709b5ca0f Mon Sep 17 00:00:00 2001
From: sommerfeld <sommerfeld@sommerfeld.dev>
Date: Wed, 24 Jul 2024 23:01:43 +0100
Subject: [LW] Remove OCSP soft-fail

---
 firefox/user-overrides.js | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 514bcb9..9e02248 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -75,14 +75,4 @@ user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
  * [1] https://bugzilla.mozilla.org/1635603 ***/
 user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com");
 
-/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
- * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR
- * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
- * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
- * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
- * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
- * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
- * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
-user_pref("security.OCSP.require", false);
-
 user_pref("browser.fixup.domainsuffixwhitelist.i2p", true);
-- 
cgit v1.2.3-70-g09d2