diff --git a/docs/Changelog.md b/docs/Changelog.md
index e760f9f..1b1b657 100644
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@@ -1,7 +1,7 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
-# 5.6
+# 6.0
 **target commit**:
@@ -10,12 +10,14 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl
 **References**:
 - we are going to force history to custom mode and hide the UI for always on PB mode, a bunch of pointers are collected in [this MR](https://gitlab.com/librewolf-community/browser/source/-/merge_requests/21).
 - [handlers prefs are deprecated](https://bugzilla.mozilla.org/show_bug.cgi?id=1733497).
+- for OCSP see [this issue](https://gitlab.com/librewolf-community/settings/-/issues/150).
 #### Added preferences
 ```
 pref("privacy.history.custom", true);
 pref("browser.privatebrowsing.autostart", false);
 defaultPref("browser.preferences.moreFromMozilla", false); // hide about:preferences#moreFromMozilla
+defaultPref("security.OCSP.require", true); // set to hard-fail
 ```
 #### Removed preferences
@@ -33,6 +35,11 @@ lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 ```
+#### Changed preferences
+```
+defaultPref("security.OCSP.enabled", 1);
+```
+
 # 5.5
 **target commit**: 0fc1ff53c99379d9d4625de65ea51287d57a0a3a
diff --git a/librewolf.cfg b/librewolf.cfg
index f66d593..8525c82 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -6,7 +6,7 @@
 *
 *
 * WARNING: please make sure the first line of this file is empty. this is a known bug.
 */
-defaultPref("librewolf.cfg.version", "5.6");
+defaultPref("librewolf.cfg.version", "6.0");
 /** INDEX
@@ -205,14 +205,15 @@ defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certific
 defaultPref("security.ssl.require_safe_negotiation", true);
 defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
- * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
- * CRL instead, particularly the CRLite solution with no OCSP fallback.
- * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
- * enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
+ * our strategy with revocation is to perform all possible checks with CRL, but when a cert
+ * cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and
+ * increase security.
+ * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP.
  */
-defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 defaultPref("security.remote_settings.crlite_filters.enabled", true);
-defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
+defaultPref("security.pki.crlite_mode", 2); // mode 2 means enforce CRL checks
+defaultPref("security.OCSP.enabled", 1); // default
+defaultPref("security.OCSP.require", true); // set to hard-fail
 /** [SECTION] TLS/SSL */
 lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
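Review bot: The rewritten comment says OCSP is used "stapled with hard-fail, to still keep privacy", but `security.OCSP.enabled` at 1 enables live OCSP fetching, so for a certificate CRLite does not cover and whose server sends no stapled response the browser contacts the CA's responder directly, and with `security.OCSP.require` true the connection is rejected when that responder cannot be reached. The privacy property therefore holds only where a stapled response is present, and hard-fail introduces an availability failure mode (responder outage, captive portal) that users see as a TLS error rather than a revocation finding. The two added pref lines are correct for the stated intent; only the comment misdescribes what they do. Suggest the comment say so explicitly, e.g. `// OCSP is fetched from the CA only when CRLite cannot decide and no stapled response is present;` / `// with hard-fail an unreachable responder blocks the connection`. This is a documentation fix only.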