❌ Software Removal | pyllyukko/user.js #1240

New Issue

Closed

opened 2019-08-30 09:34:08 +00:00 by Thorin-Oakenpants · 1 comment

Thorin-Oakenpants commented 2019-08-30 09:34:08 +00:00 (Migrated from github.com)

Copy Link

Remove pyllyukko/user.js from the Firefox user.js Templates section

• https://www.privacytools.io/browsers/#about_config (at the end)

edit disclosure: For those who do not know, I started and maintain the ghacks user.js. I also actively participated in the past in pyllyukko's repo. I have never actively sort ghacks-user.js promotion: and it was only recently added to PTIO, after four+ years, when someone else asked for that. This is not a competition, I always try to be subjective. end edit

🔷 foreword

• GH = ghacks user.js repo
• PK = pyllyukko's user.js repo
• active = pref is not commented out, inactive = commented out
• this is a subjective analysis and nothing personal
  • I only care that information is available and correct for all users to make informed decisions
  • it's also not self-serving: never gone out of my way to promote GH
• I'm also a human (well, a dwarf to be exact), and I could be wrong about something
  • please correct me if I am

---

🔷 proposal

Simply put: remove PK's repo from the site.

• I cannot find pyllyukko's comment where he discussed removing deprecated prefs but it went something like "if it's applicable to the current ESR, allowing time for packages to deploy on Linux distros, then we leave it in". But nothing really ever gets cleaned up. It contains a large percentage of deprecated prefs (soon to be more when ESR60 reaches EOL). Deprecated prefs don't do any harm, except give a false sense of security/privacy. The percentage of deprecated prefs is mind-boggling!
• It is not maintained to a high enough degree: prefs are added that a few releases later get replaced, but the new pref is never added <-- false sense of privacy
• Very little activity: a lot of new relevant prefs are simply not being introduced: and all this over a period where changes in FF prefs has been bigger than in the past due to the large number of changes due to Quantum, and that now engineers can implement changes far more quickly than in the past with legacy extensions and XUL etc. I can show you stats from FF version diffs if you want.
• It also introduces unnecessary risk to the end user (through enforcing default values: this should be done very selectively)
• PK's primary goal seems to be about "hardening" (security): at least that's what I read from the readme, and from his pref choices. This often compromises privacy for what I believe to be almost zero gain (browsers are already highly secure and highly vetted). This does not fit with PTIO's primary goal in my opinion

---

🔷 activity analysis

Note: Don't take "same as GH" too literally

• I'm just saying that GH also has this pref/info
• I've checked that we're currently the same (both value and state: commented out or not), but may have missed something
• I'm not implying PK did the same as GH (i.e copying). I don't care who did what first

🔻 Summary

Read the proposal. PK is simply not maintained enough. See in the details, how new prefs which replace deprecated ones are not added. I know we're all human (or dwarves) and make mistakes and/or lack time, but some items are not researched enough: see super old prefs getting added, see incorrect values being set and not corrected (even when informed).

For all intents and purposes, PK is essentially abandoned: that's my view, but I'll provide some stats. This is no reflection on pyllyukko and contributors et al: we all have lives outside of the internet.

🔻 Details

the last 12 months

8 changes total: 5 active changes. And nothing for the last 6 months!

2019

Feb 09: browser.discovery.enabled -> added: same as GH
Feb 06: browser.newtabpage.activity-stream.asrouter.userprefs.cfr -> added: same as GH
   - deprecated in FF67, but still applicable to ESR60 users
   - replaced by two new prefs which haven't been added to PK, but are in GH
Jan 15: network.trr.mode -> added commented out: same as GH

2018

Nov 13: dom.workers.enabled -> removed: same as GH [deprecated in FF60]
Oct 12: toolkit.telemetry.archive.enabled -> added: same as GH
Oct 03: svg.disabled -> commented out: same as GH
Sep 23: extensions.systemAddon.update.enabled -> added: same as GH
Sep 06: javascript.options.wasm -> added: same as GH

the last 12 months prior to that

effectively just a very small handful of useful prefs added

2018-continued

Jun 17: network.http.keep-alive.timeout -> added but not a threat IMO
Jun 16: removed three prefs which GH never had since they don't work and/or cause issues
May 05: intl.accept_languages -> reverted the value (case) to same as GH
   - ^^ this went on a whole year despite me letting them know it screwed their FP and wasn't the solution to a perceived (minor) problem
Feb 19: privacy.firstparty.isolate -> added: same as GH
Jan 23: network.captive-portal-service.enabled -> added: same as GH
Jan 06: signon.formlessCapture.enabled -> added: same as GH

2017

Nov 22: browser.newtabpage.activity-stream.enabled -> added: same as GH [deprecated in FF60]
Nov 22: browser.newtabpage.activity-stream.feeds.section.topstories -> added: same as GH
Oct 07: dom.network.enabled - added but useless
  - this was **deprecated in FF32**. In Oct 2017 ESR was 52.4 and stable was 56!
Oct 07: browser.startup.homepage_override.buildID -> added but not a threat IMO
Oct 07: `dom.maxHardwareConcurrency` -> added: same as GH but redundant with RFP
Oct 07: added two shield study prefs same as GH, one of which was removed in FF60
Sep 22: general.useragent.locale - removed: same as GH [deprecated in FF59]

---

🔷 preferences analysis

🔻 Summary

• 310 total prefs
• 64 (20%) -> deprecated since at least ESR/FF60 (that I know about)
• 21 -> enforcing the default value since at least ESR/FF60
  • can carry serious risk e.g. if Mozilla need to flip a pref for security, privacy reasons
  • perfect examples are the ciphers and TLS pref in the details below
• 7 -> redundant, pointless, or no threat (IMO)
• 17 -> deprecated when ESR60 reaches EOL in approx 2 months
  • I do not envisage these being cleaned out: see the previous 64 deprecated prefs
• 25 -> left
  • 5 I can't be bothered checking (at least 2 are redundant), and 22 are overkill (protocol handler blocking and then a heap of whitelisting)
  • note: I am ignoring prefs (not values or state) both PK and GH have in common

🔻 Conclusion

• 92 (30%) prefs do nothing for the end user right now
• 109 (35%) prefs will do nothing for the end user in approx two months
• At best, PK gives a false sense of security/privacy. At worst it introduces unnecessary risk: in fact right now it causes risk (see TLS)
• There is nothing in PK that GH doesn't have
  • the exception being the 25 remaining prefs - debatable

details

---
sources
- https://github.com/ghacksuserjs/ghacks-user.js/issues/123
- a couple of others are provided below in the details: I specially looked them up for this post

  27 prefs: A: deprecated in ESR/FF60 + lower [with sources]
  37 prefs: B: deprecated in ESR/FF60 + lower [no sources]
  21 prefs: C: default value since at least FF60
   7 prefs: D: redundant, no threat, or pointless
  17 prefs: E: deprecated with EOL for ESR60 [with sources]
  25 prefs: F: left

A: deprecated ESR/FF60 + lower [with sources]

browser.casting.enabled
browser.newtabpage.activity-stream.enabled
browser.newtabpage.directory.ping
browser.newtabpage.directory.source
browser.newtabpage.enhanced
browser.pocket.enabled
browser.safebrowsing.enabled
browser.selfsupport.url
camera.control.face_detection.enabled
datareporting.healthreport.service.enabled
devtools.webide.autoinstallFxdtAdapters
dom.archivereader.enabled
dom.enable_user_timing
dom.flyweb.enabled
dom.network.enabled
dom.telephony.enabled
extensions.shield-recipe-client.enabled
intl.locale.matchOS
loop.enabled
loop.logDomains
plugins.update.notifyUser
security.ssl3.ecdhe_ecdsa_rc4_128_sha
security.ssl3.ecdhe_rsa_rc4_128_sha
security.ssl3.rsa_rc4_128_md5
security.ssl3.rsa_rc4_128_sha
security.tls.unrestricted_rc4_fallback
security.xpconnect.plugin.unrestricted

B: deprecated ESR/FF60 + lower [no sources]

- these ciphers do not exist anymore and haven't for a VERY long time
- just rechecked ESR60 today
- checked in the past, and been deep diving into Firefox prefs for 5+ years

security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_dss_camellia_128_sha
security.ssl3.dhe_dss_camellia_256_sha
security.ssl3.dhe_dss_des_ede3_sha
security.ssl3.dhe_rsa_camellia_128_sha
security.ssl3.dhe_rsa_camellia_256_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.ecdh_ecdsa_aes_128_sha
security.ssl3.ecdh_ecdsa_aes_256_sha
security.ssl3.ecdh_ecdsa_des_ede3_sha
security.ssl3.ecdh_ecdsa_null_sha
security.ssl3.ecdh_ecdsa_rc4_128_sha
security.ssl3.ecdh_rsa_aes_128_sha
security.ssl3.ecdh_rsa_aes_256_sha
security.ssl3.ecdh_rsa_des_ede3_sha
security.ssl3.ecdh_rsa_null_sha
security.ssl3.ecdh_rsa_rc4_128_sha
security.ssl3.ecdhe_ecdsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_null_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.ecdhe_rsa_null_sha
security.ssl3.rsa_1024_rc4_56_sha
security.ssl3.rsa_camellia_128_sha
security.ssl3.rsa_camellia_256_sha
security.ssl3.rsa_fips_des_ede3_sha
security.ssl3.rsa_null_md5
security.ssl3.rsa_null_sha
security.ssl3.rsa_rc2_40_md5
security.ssl3.rsa_rc4_40_md5
security.ssl3.rsa_seed_sha
---

- these six are not in ESR/FF60+: not found on DXR
- checked in the past, and been deep diving into Firefox prefs for 5+ years

browser.download.manager.retention
browser.newtab.url
network.negotiate-auth.allow-insecure-ntlm-v1
network.negotiate-auth.allow-insecure-ntlm-v1-https
plugin.state.libgnome-shell-browser-plugin
shumway.disabled

C: default value since at least FF60

- note: the six ciphers below are enforcing default true. If Mozilla needed to
        flip one (or more) for security reasons, you wouldn't be protected

browser.offline-apps.notify
browser.safebrowsing.blockedURIs.enabled
browser.safebrowsing.malware.enabled
browser.safebrowsing.phishing.enabled
browser.urlbar.filter.javascript
media.webspeech.recognition.enable
network.stricttransportsecurity.preloadlist
privacy.trackingprotection.pbmode.enabled
security.fileuri.strict_origin_policy
security.insecure_field_warning.contextual.enabled
security.insecure_password.ui.enabled
security.sri.enable
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256
security.ssl.enable_ocsp_must_staple
signon.autofillForms.http
signon.storeWhenAutocompleteOff
   - ^^ inactive: thus defacto not changing default: added it to this list: or things get too messy
   - ^^ I don't agree with the changing from default true to false anyway

D: redundant (but I do get the defense in depth argument), no threat, or pointless

browser.formfill.expire_days
   - ^^ already cleared by privacy.clearOnShutdown.formdata
media.navigator.video.enabled
   - ^^ covered by media.navigator.enabled
dom.mozTCPSocket.enabled
   - ^^ only exposed in chrome contexts
network.dns.blockDotOnion
   - ^^ only useful over Tor: people should use Tor Browser
   - ^^ name is be ambiguous: s/be true when using Tor but I've seen
   - ^^ many users think it has to be false so onion services are not blocked
- security.tls.version.fallback-limit
  - ^^ set as 3: this is at odds with stable (at 4) vs ESR
  - ^^ a classic example of trying to enforce defaults that create risk
browser.startup.homepage_override.buildID
   - ^^ I do not see any threat here
network.http.keep-alive.timeout
   - ^^ I do not see any threat here

E: deprecated with EOL for ESR60 [with sources]

app.update.enabled
browser.aboutHomeSnippets.updateUrl
browser.fixup.hide_user_pass
browser.newtabpage.activity-stream.asrouter.userprefs.cfr
browser.search.countryCode
browser.urlbar.autocomplete.enabled
devtools.webide.autoinstallADBHelper
experiments.enabled
experiments.manifest.uri
experiments.supported
lightweightThemes.update.enabled
network.allow-experiments
network.jar.open-unsafe-types
plugin.state.java
security.csp.experimentalEnabled
browser.urlbar.autoFill.typed - bugzilla 1239708
services.blocklist.update_enabled - bugzilla 1458917

F: left: debatable: I stopped checking

- misc
devtools.debugger.force-local
media.gmp-gmpopenh264.enabled
   - redundant: see ghacks
media.gmp-manager.url
   - ^^ redundant: see previous pref
pdfjs.enableWebGL
privacy.trackingprotection.enabled
   - ^^ this is good

- overkill
network.protocol-handler.expose-all
network.protocol-handler.expose.about
network.protocol-handler.expose.blob
network.protocol-handler.expose.chrome
network.protocol-handler.expose.data
network.protocol-handler.expose.file
network.protocol-handler.expose.ftp
network.protocol-handler.expose.http
network.protocol-handler.expose.https
network.protocol-handler.expose.javascript
network.protocol-handler.expose.moz-extension
network.protocol-handler.external.about
network.protocol-handler.external.blob
network.protocol-handler.external.chrome
network.protocol-handler.external.data
network.protocol-handler.external.file
network.protocol-handler.external.ftp
network.protocol-handler.external.http
network.protocol-handler.external.https
network.protocol-handler.external.javascript
network.protocol-handler.external.moz-extension
network.protocol-handler.warn-external-default

Remove `pyllyukko/user.js` from the `Firefox user.js Templates` section - https://www.privacytools.io/browsers/#about_config (at the end) `edit` disclosure: For those who do not know, I started and maintain the ghacks user.js. I also actively participated in the past in pyllyukko's repo. I have never actively sort ghacks-user.js promotion: and it was only recently added to PTIO, after four+ years, when someone else asked for that. This is not a competition, I always try to be subjective. `end edit` ### 🔷 foreword - `GH` = ghacks user.js [repo](https://github.com/ghacksuserjs/ghacks-user.js) - `PK` = pyllyukko's user.js [repo](https://github.com/pyllyukko/user.js) - `active` = pref is not commented out, `inactive` = commented out - this is a subjective analysis and nothing personal * I only care that information is available and correct for all users to make informed decisions * it's also not self-serving: never gone out of my way to promote GH - I'm also a human (well, a dwarf to be exact), and I could be wrong about something * please correct me if I am --- ### 🔷 proposal Simply put: remove PK's repo from the site. - I cannot find pyllyukko's comment where he discussed removing deprecated prefs but it went something like "if it's applicable to the current ESR, allowing time for packages to deploy on Linux distros, then we leave it in". But nothing really ever gets cleaned up. It contains a large percentage of deprecated prefs (soon to be more when ESR60 reaches EOL). Deprecated prefs don't do any harm, except give a false sense of security/privacy. The percentage of deprecated prefs is mind-boggling! - It is not maintained to a high enough degree: prefs are added that a few releases later get replaced, but the new pref is never added <-- false sense of privacy - Very little activity: a lot of new relevant prefs are simply not being introduced: and all this over a period where changes in FF prefs has been bigger than in the past due to the large number of changes due to Quantum, and that now engineers can implement changes far more quickly than in the past with legacy extensions and XUL etc. I can show you stats from FF version diffs if you want. - It also introduces unnecessary risk to the end user (through enforcing default values: this should be done very selectively) - PK's primary goal seems to be about "hardening" (security): at least that's what I read from the readme, and from his pref choices. This often compromises privacy for what I believe to be almost zero gain (browsers are already highly secure and highly vetted). This does not fit with PTIO's primary goal in my opinion --- ### 🔷 activity analysis Note: Don't take "same as GH" too literally - I'm just saying that GH also has this pref/info - I've checked that we're *currently* the same (both value and state: commented out or not), but may have missed something - I'm not implying PK **did** the same as GH (i.e copying). I don't care who did what first 🔻 Summary Read the proposal. PK is simply not maintained enough. See in the details, how new prefs which replace deprecated ones are not added. I know we're all human (or dwarves) and make mistakes and/or lack time, but some items are not researched enough: see super old prefs getting added, see incorrect values being set and not corrected (even when informed). For all intents and purposes, PK is essentially abandoned: that's my view, but I'll provide some stats. This is no reflection on pyllyukko and contributors et al: we all have lives outside of the internet. 🔻 Details <details><summary>the last 12 months</summary><p> 8 changes total: 5 active changes. And nothing for the last 6 months! 2019 ``` Feb 09: browser.discovery.enabled -> added: same as GH Feb 06: browser.newtabpage.activity-stream.asrouter.userprefs.cfr -> added: same as GH - deprecated in FF67, but still applicable to ESR60 users - replaced by two new prefs which haven't been added to PK, but are in GH Jan 15: network.trr.mode -> added commented out: same as GH ``` 2018 ``` Nov 13: dom.workers.enabled -> removed: same as GH [deprecated in FF60] Oct 12: toolkit.telemetry.archive.enabled -> added: same as GH Oct 03: svg.disabled -> commented out: same as GH Sep 23: extensions.systemAddon.update.enabled -> added: same as GH Sep 06: javascript.options.wasm -> added: same as GH ``` </p></details> <details><summary>the last 12 months prior to that</summary><p> effectively just a very small handful of useful prefs added 2018-continued ``` Jun 17: network.http.keep-alive.timeout -> added but not a threat IMO Jun 16: removed three prefs which GH never had since they don't work and/or cause issues May 05: intl.accept_languages -> reverted the value (case) to same as GH - ^^ this went on a whole year despite me letting them know it screwed their FP and wasn't the solution to a perceived (minor) problem Feb 19: privacy.firstparty.isolate -> added: same as GH Jan 23: network.captive-portal-service.enabled -> added: same as GH Jan 06: signon.formlessCapture.enabled -> added: same as GH ``` 2017 ``` Nov 22: browser.newtabpage.activity-stream.enabled -> added: same as GH [deprecated in FF60] Nov 22: browser.newtabpage.activity-stream.feeds.section.topstories -> added: same as GH Oct 07: dom.network.enabled - added but useless - this was **deprecated in FF32**. In Oct 2017 ESR was 52.4 and stable was 56! Oct 07: browser.startup.homepage_override.buildID -> added but not a threat IMO Oct 07: `dom.maxHardwareConcurrency` -> added: same as GH but redundant with RFP Oct 07: added two shield study prefs same as GH, one of which was removed in FF60 Sep 22: general.useragent.locale - removed: same as GH [deprecated in FF59] ``` </p></details> --- ### 🔷 preferences analysis 🔻 Summary - `310` total prefs - `64` (**20%**) -> deprecated since at least ESR/FF60 (that I know about) - `21` -> enforcing the default value since at least ESR/FF60 * can carry serious risk e.g. if Mozilla need to flip a pref for security, privacy reasons * perfect examples are the ciphers and TLS pref in the details below - `7` -> redundant, pointless, or no threat (IMO) - `17` -> deprecated when ESR60 reaches EOL in approx 2 months * I do not envisage these being cleaned out: see the previous 64 deprecated prefs - `25` -> left * 5 I can't be bothered checking (at least 2 are redundant), and 22 are overkill (protocol handler blocking and then a heap of whitelisting) * note: I am ignoring prefs (not values or state) both PK and GH have in common 🔻 Conclusion - `92` (**30%**) prefs do nothing for the end user **right now** - `109` (**35%**) prefs will do nothing for the end user **in approx two months** - At best, PK gives a false sense of security/privacy. At worst it introduces unnecessary risk: in fact right now it **causes** risk (see TLS) - There is nothing in PK that GH doesn't have * the exception being the `25` remaining prefs - debatable <details><summary>details</summary><p> ``` --- sources - https://github.com/ghacksuserjs/ghacks-user.js/issues/123 - a couple of others are provided below in the details: I specially looked them up for this post 27 prefs: A: deprecated in ESR/FF60 + lower [with sources] 37 prefs: B: deprecated in ESR/FF60 + lower [no sources] 21 prefs: C: default value since at least FF60 7 prefs: D: redundant, no threat, or pointless 17 prefs: E: deprecated with EOL for ESR60 [with sources] 25 prefs: F: left ``` A: deprecated ESR/FF60 + lower [with sources] ``` browser.casting.enabled browser.newtabpage.activity-stream.enabled browser.newtabpage.directory.ping browser.newtabpage.directory.source browser.newtabpage.enhanced browser.pocket.enabled browser.safebrowsing.enabled browser.selfsupport.url camera.control.face_detection.enabled datareporting.healthreport.service.enabled devtools.webide.autoinstallFxdtAdapters dom.archivereader.enabled dom.enable_user_timing dom.flyweb.enabled dom.network.enabled dom.telephony.enabled extensions.shield-recipe-client.enabled intl.locale.matchOS loop.enabled loop.logDomains plugins.update.notifyUser security.ssl3.ecdhe_ecdsa_rc4_128_sha security.ssl3.ecdhe_rsa_rc4_128_sha security.ssl3.rsa_rc4_128_md5 security.ssl3.rsa_rc4_128_sha security.tls.unrestricted_rc4_fallback security.xpconnect.plugin.unrestricted ``` B: deprecated ESR/FF60 + lower [no sources] ``` - these ciphers do not exist anymore and haven't for a VERY long time - just rechecked ESR60 today - checked in the past, and been deep diving into Firefox prefs for 5+ years security.ssl3.dhe_dss_aes_128_sha security.ssl3.dhe_dss_aes_256_sha security.ssl3.dhe_dss_camellia_128_sha security.ssl3.dhe_dss_camellia_256_sha security.ssl3.dhe_dss_des_ede3_sha security.ssl3.dhe_rsa_camellia_128_sha security.ssl3.dhe_rsa_camellia_256_sha security.ssl3.dhe_rsa_des_ede3_sha security.ssl3.ecdh_ecdsa_aes_128_sha security.ssl3.ecdh_ecdsa_aes_256_sha security.ssl3.ecdh_ecdsa_des_ede3_sha security.ssl3.ecdh_ecdsa_null_sha security.ssl3.ecdh_ecdsa_rc4_128_sha security.ssl3.ecdh_rsa_aes_128_sha security.ssl3.ecdh_rsa_aes_256_sha security.ssl3.ecdh_rsa_des_ede3_sha security.ssl3.ecdh_rsa_null_sha security.ssl3.ecdh_rsa_rc4_128_sha security.ssl3.ecdhe_ecdsa_des_ede3_sha security.ssl3.ecdhe_ecdsa_null_sha security.ssl3.ecdhe_rsa_des_ede3_sha security.ssl3.ecdhe_rsa_null_sha security.ssl3.rsa_1024_rc4_56_sha security.ssl3.rsa_camellia_128_sha security.ssl3.rsa_camellia_256_sha security.ssl3.rsa_fips_des_ede3_sha security.ssl3.rsa_null_md5 security.ssl3.rsa_null_sha security.ssl3.rsa_rc2_40_md5 security.ssl3.rsa_rc4_40_md5 security.ssl3.rsa_seed_sha --- - these six are not in ESR/FF60+: not found on DXR - checked in the past, and been deep diving into Firefox prefs for 5+ years browser.download.manager.retention browser.newtab.url network.negotiate-auth.allow-insecure-ntlm-v1 network.negotiate-auth.allow-insecure-ntlm-v1-https plugin.state.libgnome-shell-browser-plugin shumway.disabled ``` C: default value since at least FF60 ``` - note: the six ciphers below are enforcing default true. If Mozilla needed to flip one (or more) for security reasons, you wouldn't be protected browser.offline-apps.notify browser.safebrowsing.blockedURIs.enabled browser.safebrowsing.malware.enabled browser.safebrowsing.phishing.enabled browser.urlbar.filter.javascript media.webspeech.recognition.enable network.stricttransportsecurity.preloadlist privacy.trackingprotection.pbmode.enabled security.fileuri.strict_origin_policy security.insecure_field_warning.contextual.enabled security.insecure_password.ui.enabled security.sri.enable security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256 security.ssl3.ecdhe_ecdsa_aes_256_sha security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256 security.ssl3.ecdhe_rsa_aes_128_gcm_sha256 security.ssl3.ecdhe_rsa_aes_256_sha security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256 security.ssl.enable_ocsp_must_staple signon.autofillForms.http signon.storeWhenAutocompleteOff - ^^ inactive: thus defacto not changing default: added it to this list: or things get too messy - ^^ I don't agree with the changing from default true to false anyway ``` D: redundant (but I do get the defense in depth argument), no threat, or pointless ``` browser.formfill.expire_days - ^^ already cleared by privacy.clearOnShutdown.formdata media.navigator.video.enabled - ^^ covered by media.navigator.enabled dom.mozTCPSocket.enabled - ^^ only exposed in chrome contexts network.dns.blockDotOnion - ^^ only useful over Tor: people should use Tor Browser - ^^ name is be ambiguous: s/be true when using Tor but I've seen - ^^ many users think it has to be false so onion services are not blocked - security.tls.version.fallback-limit - ^^ set as 3: this is at odds with stable (at 4) vs ESR - ^^ a classic example of trying to enforce defaults that create risk browser.startup.homepage_override.buildID - ^^ I do not see any threat here network.http.keep-alive.timeout - ^^ I do not see any threat here ``` E: deprecated with EOL for ESR60 [with sources] ``` app.update.enabled browser.aboutHomeSnippets.updateUrl browser.fixup.hide_user_pass browser.newtabpage.activity-stream.asrouter.userprefs.cfr browser.search.countryCode browser.urlbar.autocomplete.enabled devtools.webide.autoinstallADBHelper experiments.enabled experiments.manifest.uri experiments.supported lightweightThemes.update.enabled network.allow-experiments network.jar.open-unsafe-types plugin.state.java security.csp.experimentalEnabled browser.urlbar.autoFill.typed - bugzilla 1239708 services.blocklist.update_enabled - bugzilla 1458917 ``` F: left: debatable: I stopped checking ``` - misc devtools.debugger.force-local media.gmp-gmpopenh264.enabled - redundant: see ghacks media.gmp-manager.url - ^^ redundant: see previous pref pdfjs.enableWebGL privacy.trackingprotection.enabled - ^^ this is good - overkill network.protocol-handler.expose-all network.protocol-handler.expose.about network.protocol-handler.expose.blob network.protocol-handler.expose.chrome network.protocol-handler.expose.data network.protocol-handler.expose.file network.protocol-handler.expose.ftp network.protocol-handler.expose.http network.protocol-handler.expose.https network.protocol-handler.expose.javascript network.protocol-handler.expose.moz-extension network.protocol-handler.external.about network.protocol-handler.external.blob network.protocol-handler.external.chrome network.protocol-handler.external.data network.protocol-handler.external.file network.protocol-handler.external.ftp network.protocol-handler.external.http network.protocol-handler.external.https network.protocol-handler.external.javascript network.protocol-handler.external.moz-extension network.protocol-handler.warn-external-default ``` </p></details>

👍 5

blacklight447 commented 2019-08-30 12:47:26 +00:00 (Migrated from github.com)

Copy Link

I would agree with the removal.

I would agree with the removal.

This repo is archived. You cannot comment on issues.

No Branch/Tag Specified

Branches Tags

master

dependabot/bundler/nokogiri-1.13.6

dependabot/bundler/addressable-2.8.0

freddy-m-patch-3

pr-add_RemoveMyPhone_sponsor

pr-browser_cleanup_1257_1328_1430

freddy-m-patch-2

freddy-m-patch-1

pr-vpn_hated_one_video

cdn

update-nitrohorse-image

promote-metager-to-card

hardware

pr-add_azirevpn

pr-add_mailfence

shop

1673

pr/1658

i18n-simple

sponsorship-edits-nov2019

i18n

ipfs

blacklight447-ptio-patch-3

blog

remove-windows-icons

pr/1147

i18n-testing

add-beautify

No results found.

Labels

Clear labels

🔍🤖 Search Engines

approved

approved, waiting for a PR

dependencies

Pull requests that update a dependency file

duplicate

feedback wanted

high priority

I2P

The Invisible Internet Project (I2P)

iOS

low priority

OS

Operating Systems

Self-contained networks

Social media

stale

A label for stalebot if it gets added

streaming

Anything related to media streaming.

todo

Tor

Anything covering the Tor network

WIP

active work in progress, do not merge or PR (yet)!

wontfix

Issues or bugs that will not be fixed and/or do not have significant impact on the project.

XMPP

Extensible Messaging and Presence Protocol

[m]

Matrix protocol

₿ cryptocurrency

ℹ️ help wanted

↔️ file sharing

⚙️ web extensions

Browser Extension related issues

✨ enhancement

❌ software removal

💬 discussion

🤖 Android

🐛 bug

💢 conflicting

📝 correction

Correction of content on the website

🆘 critical

📧 email

🔒 file encryption

📁 file storage

🦊 Firefox

Firefox & forks, about:config etc.

💻 hardware

🌐 hosting

🏠 housekeeping

Anything primarily related to site cleanup.

🔐 password managers

🧰 productivity tools

🔎 research required

🌐 Social News Aggregators

🆕 software suggestion

👥 team chat

🔒 VPN

Virtual Private Network

🌐 website issue

*Technical* issues with the website.

🚫 Windows

👁️ browsers

🖊️ digital notebooks

🗄️ DNS

Domain Name System

🗨️ instant messaging (im)

🇦🇶 translations

Anything covering a translated version of the site

No Label

❌ software removal

🦊 Firefox

Milestone

No items

No Milestone

Assignees

Clear assignees

jonah

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#1240

No description provided.