Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Is there a setting to change this in firefox?


There is a setting (security.ssl.disable_session_identifiers). You have to add it yourself, it's not in about:config by default. See https://bugzilla.mozilla.org/show_bug.cgi?id=967977


And many settings are documented in this project https://github.com/pyllyukko/user.js

https://github.com/pyllyukko/user.js/blob/master/user.js#L10...


It also seems to get deleted across browser version updates, at least on (old) Aurora. Pocket got re-enabled for me as well after 64 came out :/


I don't think Firefox ever touches your user.js, I've never seen that happen or anyone complaining about it. And then it overrides prefs.js generated settings. The only time I encountered problems was with a big update failing to replace a couple of prefs.js entries, and it was some really obscure settings.


That does not seem to work according to ssllabs browser test.


I dont think this is correct. I added the boolean security.ssl.disable_session_identifiers set to true in Firefox 62.0.3 and ran the SSL Labs browser test here: https://www.ssllabs.com/ssltest/viewMyClient.html. With the boolean set to true, Session Tickts under the Protocol Details section says false. Toggling the setting back to false and rerunning the set showed Session Tickets Yes. So perhaps you had a typo in the seeting name?


Under Firefox 62.0 (64-bit), setting security.ssl.disable_session_identifiers=true, I also see "Session tickets" change from Yes to No. Thanks!


you are right, bad case of a Layer 8 issue.


There is a Firefox configuration hardening project: https://github.com/pyllyukko/user.js It has security.ssl.disable_session_identifiers enabled


I was unable to find one. Right now the only way seems to be to patch nss.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: