Oh, I see. So it wasn't a bug, it was intentionally inserted as a backdoor. Well, that certainly makes it a lot worse.
I went through the article and found these entries:
security.ssl.disable_session_identifiers (hidden feature)
First is the one I already mentioned that gets rid of the various session identifiers. No change here.
False start is enabled in Pale Moon so I disabled it.
0rtt_data is disabled by default in Pale Moon, no change here.
doesn't exist. Can I add it just like with the session identifiers or does Pale Moon not support that? It seems to be the least important and can break websites, but I'd like to check what happens anyway.
And, now that we know it's not a bug but a feature (everyone just loves backdoors in encryption), I once again suggest making not only mine but the first three settings standard in Pale Moon. Well, the third one already is, so that's a good start.