[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

#33534: Review FF release notes from FF69 to latest (FF73)
--------------------------------------+--------------------------------
 Reporter:  pospeselr                 |          Owner:  pospeselr
     Type:  defect                    |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:  12
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:  Sponsor58-must
--------------------------------------+--------------------------------

Comment (by Thorin):

 Replying to [comment:8 pospeselr]:
 > dom.push.enabled
 >     - set to false to disable push notifications

 Default false in ESR68. I also think it's not enabled/doesn't do anything
 in PB mode, since it requires service workers which are also disabled (see
 next comment)

 However, disabling SWs (pref below) and push (pref above) is not enough to
 stop Firefox polling the Mozilla Push Server - which assigns a persistent
 ID
 - see `dom.push.userAgentID` (without testing, I am not sure if this still
 gets sets when started in PB mode)
 - you could blank 'dom.push.serverURL' for good measure

 > dom.serviceWorkers.enabled
 >     - set to false to disable service workers

 This isn't new. It's default false in ESR60-68 and service workers are not
 available in PB mode

 > security.insecure_connection_icon.enabled
 >     - when true shows crossed out padlock on HTTP sites ->
 https://www.askvg.com/firefox-tip-show-hide-insecure-connection-icon-in-
 address-bar/

 Just FYI: if this is true, then both normal and PB modes display the
 padlock, but if false, then the pref
 `security.insecure_connection_icon.pbmode.enabled` is used in PB mode.
 They are currently both default false in ESR68, true in non ESR

 > security.tls.version.enable-deprecated
 >     - we probably want this to be false to disable old TLS

 Setting to false still allows downgrading, but makes that downgrading
 **session only**. To force TLS 1.0 and 1.1 permanently disabled, just set
  - `security.tls.version.min` = 3
  -  ^^ 3 was the default in FF74 but got reversed due to govt websites
 using TLS <1.2
  - no idea what it will be in ESR78 stable

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33534#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs