In Pale Moon 28.3.0, security.tls.enable_0rtt_data is false by default.
In Firefox 64.0.2, security.tls.enable_0rtt_data is true by default.
Why block a very useful option that significantly reduces the time for repeated SSL approvals?
security.tls.enable_0rtt_data
Re: security.tls.enable_0rtt_data
I think Moonchild's answer in this thread is relevant? viewtopic.php?f=26&t=20881
Unless I'm so confused about the topic that I misunderstood it a lot, which is a possibility.
Re: security.tls.enable_0rtt_data
Potkeny wrote: I think Moonchild's answer in this thread is relevant? viewtopic.php?f=26&t=20881
Thank you very much - I wrote the answer in the topic that you specified, although there is no talk about Pale Moon there.
I duplicate my answer here too:
1. Moonchild wrote: 0-RTT with TLS 1.3 is trickier and has a replay attack risk. All 0-RTT solutions require sending key material and encrypted data from the client without waiting for any feedback from the server, meaning a bad actor can intercept and replay the connection. This is a significant risk and the reason why it is disabled in Pale Moon.
When I implemented 0-RTT on my website, I took this into account in the nginx settings:
"To protect against such attacks at the application layer, the $ssl_early_data variable should be used."
proxy_set_header Early-Data $ssl_early_data;
And I think that most webmasters also follow this advice.
2.
In Firefox 64.0.2, security.tls.enable_0rtt_data is true by default.
I think the danger is somewhat exaggerated, since Firefox defaults to true.
3.
I find 0-RTT with TLS 1.3 a useful function.
Even the best verification service has started to check for its presence:
https://www.htbridge.com/ssl/?id=mr7ExbBc -- Server's TLSv1.3 Early Data (RFC 8446, page 17) is properly implemented
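As an added example (not code from this thread, from Pale Moon or from nginx), here is what the backend behind that proxy_set_header directive should do with the forwarded Early-Data header, so that a replayed 0-RTT request cannot repeat a state-changing action. The function names and the WSGI wrapper are assumptions; the 425 Too Early response and the "1" header value come from RFC 8470.

```python
"""Backend-side handling of requests that nginx forwarded with
`proxy_set_header Early-Data $ssl_early_data;` (constructed example).

nginx sets $ssl_early_data to "1" while a TLS 1.3 0-RTT request is still
being received as early data and to "" otherwise. Because proxy_set_header
redefines the field, a client cannot smuggle in its own Early-Data value.
RFC 8470 says a server that cannot safely process a possibly replayed
request should answer 425 Too Early; the client then retries the request
after the handshake completes, at which point Early-Data is no longer "1".
"""
from typing import Mapping, Tuple

# Methods that are safe to serve from replayable early data: a replayed
# GET just fetches the page again, a replayed POST could repeat a payment.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def is_early_data(headers: Mapping[str, str]) -> bool:
    """True if the proxy marked this request as TLS 1.3 0-RTT early data."""
    value = headers.get("Early-Data", headers.get("early-data", ""))
    return value.strip() == "1"


def decide(method: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Return (status, reason) for a proxied request.

    Non-safe methods arriving in early data are refused with 425 so the
    client resends them once the handshake is complete; everything else
    is served normally.
    """
    if is_early_data(headers) and method.upper() not in SAFE_METHODS:
        return 425, "Too Early"
    return 200, "OK"


def wsgi_app(environ, start_response):
    """Minimal WSGI wrapper around decide() (hypothetical application)."""
    # WSGI exposes the forwarded header as HTTP_EARLY_DATA.
    headers = {"Early-Data": environ.get("HTTP_EARLY_DATA", "")}
    status, reason = decide(environ["REQUEST_METHOD"], headers)
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [reason.encode()]
```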