The Center for Internet Security publishes a number of security baselines.
Firefox’s baseline is very old and does not appear to be updated, so I took the
older ESR version and looked at Policies and settings to come up with my own newer
version.


“4.6 (L2) Set OCSP Response Policy (Scored)

Profile Applicability:

 Level 2

Description:

This setting dictates whether Firefox will consider a given certificate to be 
invalid if Firefox is unable to obtain an Online Certificate Status Protocol 
(OCSP) response for it.

Rationale:

Requiring an OCSP response will reduce an adversary's ability to successfully 
leverage a compromised and revoked certificate.

Audit:

Perform the following procedure:

1. Type about:config in the address bar

2. Type security.ocsp.require in the filter

3. Ensure the preferences listed are set to the values specified below:

security.ocsp.require=true

Remediation:

Perform the following procedure:

1. Open the mozilla.cfg file in the installation directory with a text editor

2. Add the following lines to mozilla.cfg:

lockPref("security.ocsp.require", true);

Impact:

Enabling OCSP carries potential privacy implications. For each HTTPS site 
Firefox visits, a request is sent to an OCSP server to determine if the site's 
certificate has been revoked. This provides the OCSP server with the IP address 
of the requester (Firefox or NAT) and, among other properties, the domain name 
of the site Firefox is accessing.
Additionally, requiring an OCSP response increases the opportunity for valid 
certificates to be deemed invalid. This may occur if the OCSP server becomes 
unavailable or is not accessible.
Firefox 26+ supports OCSP Stapling, which mitigates the aforementioned privacy 
implications.

Default Value:

false”

https://www.cisecurity.org/benchmark/mozilla_firefox/


From: Mike Kaply <[email protected]>
Sent: Tuesday, February 25, 2020 2:04 PM
To: Eddie Rowe <[email protected]>
Cc: [email protected]
Subject: Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites

Where did you get this recommendation?

Mike

On Tue, Feb 18, 2020 at 3:18 PM Eddie Rowe <[email protected]> wrote:
// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);

I have enabled this setting in ESR 68.4 x64 and many sites such as Google and 
even Mozilla just do not work.  I don’t see how this could be adopted at a 
company level without creating chaos.  Are there persons still using this 
setting?  Have you adjusted other settings to help out Firefox?

Example site that does not work with this setting set to true:
https://support.mozilla.org/en-US/questions/1169855

Error:
“Secure Connection Failed

An error occurred during a connection to support.mozilla.org.
The OCSP server experienced an internal error. Error code: 
SEC_ERROR_OCSP_SERVER_ERROR

The page you are trying to view cannot be shown because the authenticity of 
the received data could not be verified.
Please contact the website owners to inform them of this problem.”


_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
[email protected] with a subject of "unsubscribe"