User.js: 1201: security.ssl.require_safe_negotiation

Created on 15 Oct 2018 · 5 Comments · Source: arkenfox/user.js

coming up on 20 months .. is it time to flip this to active? Default is still false in FF62

current

/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
/* 1201: disable old SSL/TLS - vulnerable to a MiTM attack
 * [WARNING] Tested Feb 2017 - still breaks too many sites
 * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
   // user_pref("security.ssl.require_safe_negotiation", true);

I will see if I can find a relevant Mozilla Telemetry query

enhancement

All 5 comments

Note: In our "Paste Your Overrides" sticky, only one person has/had this in their overrides - and that was The Big E

^^ I am also using it as true for a few weeks now and no breakages so far.

665859: Change default of security.ssl.treat_unsafe_negotiation_as_broken to true

I can't seem to work out, if any, telemetry data to pull, but the bugzilla leads to this: https://www.ssllabs.com/ssl-pulse/ - "across 150,000 SSL- and TLS-enabled websites, based on Alexa’s list of the most popular sites in the world", so not definitive

Renegotiation Support

Secure renegotiation 133,299 98.1%
Insecure renegotiation 618 0.5%
Both 243 0.2%
No support 1,740 1.3%

I think it's time for us to pull the trigger. Over 98% of top sites seem to comply now. I wonder if it's worth checking Scott Helme's latest 6-monthly Alexa top 1M crawl results: https://scotthelme.co.uk/

Edit:

OT: What about security.mixed_content.upgrade_display_content?

Start a new topic. It's not even in the user.js

Here's the one we've all been waiting for, and this one is a pretty big announcement too. Not only because we've seen amazing growth in HTTPS again in this crawl, but because we've passed through 50% of the Alexa Top 1 Million sites actively redirecting to HTTPS for the first time!

Man... I'm so not thrilled by that. I fondly remember the good ol' days when HTTPS felt secure enough for me...

Anyway... Yes, I'm in favor of making this one active.
