security preferences like Network.enableIDN may be removed from Firefox without notice

Status: UNCONFIRMED, Unassigned
Product: Firefox
Component: Preferences
Severity: major
Opened 10 days ago, updated 9 days ago
Version: 45 Branch
Reporter: Vincent Lefevre

Description (Reporter, 10 days ago)
Preferences may silently disappear (e.g. as a consequence of a replacement) as Firefox evolves, and this is usually not a big problem. But this is a major problem for particular preferences related to security. For instance:

I had set the old network.enableIDN preference to false as a protection against homograph phishing attacks. FYI, I did this on 2005-02-08, thus even before bug 282270 was reported: this was the *standard* way to get this protection at that time. Later, network.IDN_show_punycode was added (bug 282270), and several years after, the network.enableIDN preference got removed (bug 842282). But since there was no explicit announcement about that (e.g. some warning that would have been displayed after a Firefox upgrade) and there were no error messages, I wasn't aware of this change. And while I thought I was protected against all Unicode-related homograph phishing attacks, this wasn't the case.

Something should be done for such issues, such as an error message when some old preference is set but has been removed. For instance, there may be a blacklist for some particular preferences that have been removed, which would yield an error message if such a preference is set in the user's prefs.js file.
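
The check proposed in the description, written as a profile audit script; this is an added example, not part of the original report and not Firefox code. The table layout, the function names and the sample profile text are assumptions of the example; its single entry uses only the preference names and bug numbers given in the report.

```python
import json
import re

# Removed preferences to flag. The one entry is taken from the report above;
# "related" is the preference the report says was added later (bug 282270).
REMOVED_PREFS = {
    "network.enableIDN": {
        "removed_in": "bug 842282",
        "related": "network.IDN_show_punycode",
    },
}

# prefs.js / user.js hold one user_pref("name", value); call per line.
USER_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"\\]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in the file text."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep the raw text rather than drop the pref
    return prefs


def audit(text, removed=REMOVED_PREFS):
    """List removed prefs still set in the profile, plus the related pref's value."""
    prefs = parse_prefs(text)
    findings = []
    for name, info in removed.items():
        if name in prefs:
            findings.append({
                "pref": name,
                "stale_value": prefs[name],
                "removed_in": info["removed_in"],
                "related": info["related"],
                "related_value": prefs.get(info["related"]),  # None: not set
            })
    return findings


# Constructed sample profile content, not taken from a real prefs.js.
SAMPLE = ('// Mozilla User Preferences\n'
          'user_pref("browser.startup.page", 3);\n'
          'user_pref("network.enableIDN", false);\n')
```

Calling `audit()` on the text of a profile's prefs.js returns one finding per removed preference that is still set; a `related_value` of `None` means the user never set the newer preference and is relying only on the removed one.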