allo- / ffprofile

A tool to create Firefox profiles with personalized defaults.
GNU Affero General Public License v3.0

Create https.json #112

Open StarPicard opened 6 years ago

StarPicard commented 6 years ago

First implementation of some https presets. Source: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js#L691

shvchk commented 4 years ago

Maybe consider adding HTTPS-only mode, available from FF 76.

allo- commented 4 years ago

@StarPicard I am not sure if we discussed this already in an issue:

Your settings look good, but they are a rather opaque set of "trust me, this will improve your security" settings that are just described with labels like ultra. This is fine for copy & paste from a user.js file, but I am not sure how it fits in the generator, which tries to be transparent about what each switch does.

In addition, you may need to be careful not to set things that are obsolete later. Let's say we had set a TLSv1.1-only switch; then users would now need to change it to use TLSv1.2 and TLSv1.3.

I am still thinking about a "paranoid" (or similar) profile for users who know a bit more and risk breaking more, but get the best security as default. There it may fit in, or will fit in when split into a few more settings, so I kept this PR open.

@shvchk This looks promising and is easy to understand.

My personal opinion: From the post you linked, I think it looks too much like a "real" security error considering the current internet, but it should look like this once we are able to really obsolete plain HTTP. I guess Mozilla's plan is to enable it by default in some future release, probably when Google does the same. I would have preferred for now a warning in another style and with a bit more explanation.

For the generator: I think we can include this with an appropriate warning. Would you like to open your own issue for that, containing the setting and the link, so you get notified when it's added?