1201 + 1270 update

user.js

@@ -640,8 +640,16 @@ user_pref("browser.shell.shortcutFavicons", false);
 ***/
 user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
-/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack)
- * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
+/* 1201: require safe negotiation
+ * Blocks connections to servers that don't support RFC 5746 [2] as they're
+ * potentially vulnerable to a MiTM attack [3].
+ * A server *without* RFC 5746 can be safe from the attack if it disables
+ * renegotiations but the problem is that the browser can't know that.
+ * Setting this pref to true is the only way for the browser to ensure there will be
+ *  no unsafe renegotiations on the channel between the browser and the server.
+ * [1] https://wiki.mozilla.org/Security:Renegotiation
+ * [2] https://tools.ietf.org/html/rfc5746
+ * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ***/
 user_pref("security.ssl.require_safe_negotiation", true);
 /* 1202: control TLS versions with min and max
  * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
@@ -748,7 +756,9 @@ user_pref("security.mixed_content.block_object_subrequest", true);
 
 /** UI (User Interface) ***/
 /* 1270: display warning (red padlock) for "broken security" (see 1201)
- * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
+ * Bug: warning padlock not indicated for subresources on a secure page! [2]
+ * [1] https://wiki.mozilla.org/Security:Renegotiation
+ * [2] https://bugzilla.mozilla.org/1353705 ***/
 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /* 1271: control "Add Security Exception" dialog on SSL warnings
  * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)