This is a general rant (not aimed at anyone) .. enjoy
Getting fucking pressured and attacked at ghacks.net comments to make it active (both on and off), getting pressured here to fucking include (and fucking maintain it: yeah it's all good when you don't have to do the work), getting fucking criticized before I even do anything about it, getting fucking criticized for removing it, getting fucking criticized for not adding more to it (e.g bugs like trr=3) - and the whole fucking thing is a bit divisive and opinions on it are like assholes, every one has one. Whatever I do I am on a fucking losing streak and people will bitch and/or be sarcastic.
And this pref on it's own is fucking useless: it doesn't change anything as far as unwanted changes go. And I'm not fucking interested in more prefs (too many bugs, too many upcoming changes): one day, when some of the more serious bugs are fixed, and the UI is polished, then *maybe* the section 0720's can be expanded to include other settings. But by then, I can just say: go use the fucking UI.
Have I used the word fuck enough .. only eleven times .. should be more. Since 95% of the work falls on earthlng and myself: I reserve the right to not include a DoH section (for my own sanity)
* simplify ciphers
- let's not encourage (remove options 1, 2) changing your cipher suite FP
- remove "it's quite technical ..." (everything is technical to someone), trim to one line
- add test link so users can just see that it's FP'able
- reinforce not to fuck with the cipher suite in the cipher's sub-section
https://wiki.mozilla.org/Security:Renegotiation describes
> **the new default behaviour** that was introduced in experimental mozilla-central nightly versions on 2010-02-08
where the last step is
> - should the server (or a MITM) request **renegotiation**, Mozilla will terminate the connection with an error message
and then after talking about breakage ...
> The above defaults may break some client/server environments where a Server is still using old software and requires renegotiation.
mentions workarounds to reduce said breakage:
> In order to give such environments a way to keep using Firefox (et.al.) to connect to their vulnerable server infrastructure, the following preferences are available:
specifically talking about the first 2 prefs listed there, one allowing to specify a list of hosts "where renegotiation may be performed" and the 2nd one "completely disables the new protection mechanisms".
But both those prefs were removed in FF38, meaning that since then it's no longer possible to disable the default behaviour that is "should the server (or a MITM) request **renegotiation**, Mozilla will terminate the connection with an error message".
But all of this is about the **re**-negotiation part and not negotiation. And nowhere does it say "insecure" renegotiation, which, as I read it, means that FF will terminate the connection for any kind of **renegotiation**, safe or unsafe.
1201 controls the negotiation part:
> This pref controls the behaviour during the initial negotiation between client and server.
> If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.
> Setting this preference to “true” is the only way to guarantee full protection against the attack.
I think "servers that are still using the old SSL/TLS protocol" actually means servers that **only** support the old protocols.
Servers still supporting those old protocols in addition to some new protocol versions should not be affected by this pref because FF will be able to negotiate to use one of the newer protocol versions.
Ergo lets fix the title and remove the line about renegotiation support because I think that's irrelevant.
ps. the sslpulse link is nice and I'd like to keep it somewhere but it doesn't really fit in 1201 IMO so I moved it to 1202.
see `1273`
- we already make **all** windows do this (which overrides the pb mode setting), and these were inactive
- in FF70+ the icon pref (for PB mode and all windows) is now default true
- split geo related vs language/locale related
- rip out intl.locale.requested
- rip out intl.regional_prefs.use_os_locales
- add intl.charset.fallback.override