
[tor-commits] [tor-browser] 01/08: fixup! Firefox preference overrides.



This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch tor-browser-91.13.0esr-11.5-1
in repository tor-browser.

commit 5eba1842a0124ea28e7f211d7cb6fdb1793e6e3b
Author: Richard Pospesel <richard@xxxxxxxxxxxxxx>
AuthorDate: Thu Aug 4 09:00:02 2022 +0000

    fixup! Firefox preference overrides.
    
    Bug 27719: Treat unsafe renegotiation as broken
---
 browser/app/profile/001-base-profile.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/browser/app/profile/001-base-profile.js b/browser/app/profile/001-base-profile.js
index 79538d3e809ee..2752e95313751 100644
--- a/browser/app/profile/001-base-profile.js
+++ b/browser/app/profile/001-base-profile.js
@@ -64,6 +64,18 @@ pref("media.memory_cache_max_size", 16384);
 pref("dom.security.https_only_mode", true);
 pref("dom.security.https_only_mode.upgrade_onion", false);
 
+// Require Safe Negotiation ( https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/27719 )
+// Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a
+// MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations
+// but the problem is that the browser can't know that. Setting this pref to true is the only way for the
+// browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
+// [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4]
+// [1] https://wiki.mozilla.org/Security:Renegotiation
+// [2] https://datatracker.ietf.org/doc/html/rfc5746
+// [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
+// [4] https://www.ssllabs.com/ssl-pulse/
+pref("security.ssl.require_safe_negotiation", true);
+
 // Misc privacy: Remote
 pref("browser.send_pings", false);
 pref("geo.enabled", false);
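Review bot: Reference [1] in the added comment block is listed but never cited in the text, so a reader cannot tell which statement it backs; cite it where the renegotiation background is introduced, e.g. `// Blocks connections to servers that don't support RFC 5746 [2] (background in [1]) as they're potentially vulnerable to a`. The commit subject says "treat unsafe renegotiation as broken", but `security.ssl.require_safe_negotiation` refuses the handshake outright rather than only flagging it in the UI, so the comment should state the user-visible effect: the page fails to load with a TLS error, presumably with no per-site exception since it is not a certificate error — worth confirming before release notes are written. The [STATS] line dates the SSL Labs figure to July 2021; a note that the number should be rechecked when the pref is revisited would keep the justification from going stale.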
