Disable HTTP/1.1

[ghost]

Disable HTTP/1.1

• Enable HTTP/2
• Enable HTTP/3 by default

[uazo]

You should try if possible to be a little more detailed. I am only answering you because the issue is heartfelt.

so, http 1/1 is the connection without encryption, if you are in android there is already the flag to disable it completely.
based on privacytests, it seems that cromite does not block them by default in mixed content, it sounds strange to me, since I have not changed anything about it, but I still have to check.

http/3 is basically quic, active by default. in cromite the alt-svc to non-443 ports is disabled, because I think it can be used to track inter-session browsing if a site redirects users to specific ports (by the way, without the user knowing since the url does not change). in chromium, on restart, all alt-svc mappings is deleted, in chrome there is a flag that activates saving that information to disk as well, making it persistent.
the automatic upgrade to quic is not active, because information is needed, which to date has been retrieved in chromium via the components download, but is deactivated, because calls to google servers are not provided.
the auto upgrade is also active via the extension in the doh protocol, and not having changed anything, so I think it is active. I just hope that all doh services have that extension active, but even if not, I don't think it would change anything about how the device appears to the site.

the advantage of http3 is that in boringssl, the library used by chromium for ssl, the list and order of cipher protocols, used to establish the connection, are defined in code and immutable. this makes the devices identical at the network level.
I know that new cipher protocols have been activated under flags (which I deliberately did not activate), but, unfortunately, I have not yet been able to look at whether the activation is somehow device-based or not.
The disadvantage of http3 is that not all sites are ready for http3.

http2 is the most widely used standard, but in boringssl, due to performance, if the device does not support encryption via hardware, the ssl protocol order is changed, making the device detectable at the network level. in cromite, there is a patch that warns the user in case, basically telling him to throw the device away :)

for all protocols, tls resumption is disabled, although it may not be used to track the device, but tor team says to disable it so I did.

so that's good enough for now, in my opinion.

If you know something else that I don't, or if what I have written is incorrect, please let me know.