[jjjeffrey]

Say I change security.tls.version.max to 3, which changes it's status from 'default' to 'user set'. In the future, if the default for security.tls.version.max is changed to, say, 4, would the fact that my setting has the 'user set' status prevent it from incrementing to the better default?

I'm not proposing that this is a risk or that Firefox behaves this way---I have no idea. Does anyone else know?

[hsivonen]

The (non-about:config) UI for these settings was removed for a reason. Even though it makes sense for these to be configurable for testing, end users are more likely to break their browser (make it less secure or make it incompatible with real sites they need to use) by tweaking these settings.

Firefox developers have had to reset these settings in the past in order to save users from self-inflicted insecurity.

Without an explicit effort by Firefox developers to reset these prefs, the prefs won't automatically reset to make sense in the future if the value space of the prefs grows. There is no guarantee of what explicit effort might be taken to deal with non-default values of these prefs in the future.

In my opinion, anyone who wants https://www.howsmyssl.com/ to tell them they are probably okay today should install Firefox Beta (or Aurora or Nightly) instead of manually changing these settings.

(Disclosure: I'm a Gecko developer but I don't work on TLS. Disclaimer: The above is my personal understanding and opinion, not any sort of official statement.)

[erichurkman]

Often with settings like this, they will flip the preference name to something like `security.tls.max_version` or something so user-set and extension-set overrides are invalidated. They've done this with other common, significant settings that users often overrode.

[djcapelis]

I believe it would, but I'm not certain. This is one of reasons not to mess with it and just wait until the next version which will be out RSN (real soon now) that has a better default.

For whatever it's worth though, while I'm not sure how they're doing their version numbers and it may be quite awhile until this is relevant, you could probably just set the integer really high (like 99 or something) and that would effectively translate into "try the highest version you've got" which might break things sometimes, but it wouldn't leave you stuck in a lower version later at least.