improve documenting of crl and ocsp

2022-03-07 12:01:19 +01:00 · 2022-03-07 12:01:19 +01:00 · 47bdeaae86
commit 47bdeaae86
parent 7c52bbde49
1 changed files with 2 additions and 0 deletions
--- a/librewolf.cfg
+++ b/librewolf.cfg
@ -201,6 +201,8 @@ defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
 * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
 * CRL instead, particularly the CRLite solution with no OCSP fallback.
+ * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
+ * enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
 */
 defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 defaultPref("security.remote_settings.crlite_filters.enabled", true);