✨ 5 firefox about:config rule to improve privacy & security #815
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#815
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
1.Disable the 3DES cipher – This setting allows the 3DES cipher, which has multiple known security weaknesses. It needs to be disabled.
security.ssl3.rsa_des_ede3_sha >> false
2.Require Safe Negotiation – This setting is for preventing a serious code injection attack related to how clients and servers negotiate which encryption settings to use. This setting forces only safe negotiation methods to be used.
security.ssl.require_safe_negotiation >> true
3.Disable 0-RTT – Zero Round Trip Time Resumption (0-RTT) is a feature that is new in TLS 1.3 that allows a client and server to negotiate a connection with fewer steps, allowing https websites to load more quickly. There are two problems with this. First, in order to do this you lose forward secrecy (generating a new key for every session and throwing away the key when the session is over). Secondly, 0-RTT requires special implementation in order to prevent replay attacks, which some web developers will certainly fail to protect from. Disabling 0-RTT enhances security and privacy.
security.tls.enable_0rtt_data >> false
4.Disable Plugin Scanning – Plugins can query what extensions and plugins that you have installed on Firefox to profile users. Disabling this feature improves both privacy and functionality while browsing privately.
plugin.scan.plid.all >> false
5.Disable Prefetching – Firefox by default will pre-load all linked pages on pages that you visit. This becomes a privacy issue because this leads to your browser broadcasting a list of the links that are on the page you are currently visiting, which can allow outside parties to profile your browsing habits from your DNS traffic, or, if you’re not on a VPN it can allow your ISP to infer what web pages you visit within secure sites by looking at the prefetch resources.
network.dns.disableprefetch >> true
source : PIA Blog
Or just use ghacks user.js ...
My 5 cents
security.ssl3.rsa_des_ede3_sha
- do not meddle with FF ciphers, all you do is change your cipher fingerprint. I'm sure you can pull this info from Mozilla's telemetry (I do this to look at stats like IPv4 and IPv6 info, or TLS version requests), and I'm sure you will find the threat is zero to none in the wild.plugin.scan.plid.all
- no need to add this, Flash is the only plugin allowed since FF52, and it is already default click to play. Why put up another barrier for an end user to try and overcome breakage (e.g flash games). RFP also effectively disables Flash as sites cannot detect it (for those that use RFP)FYI: the ghacks-user.js sets these
security.ssl.require_safe_negotiation
-true
network.dns.disableprefetch
-true
security.tls.enable_0rtt_data
-false
PS: for the love of [insert deity here], can you please
browser.sessionstore.max_tabs_undo
- this is practically a useless pref. It has an edge case, but that's it. For starters, data is still written to the session restore files, so all you're really doing is removing something that is hidden behind a menu. If you do not use Session Restore (SR), the session restore files are destroyed at the end of each session. And if you do use SR, then it's just another thing for an end-user to work out how to unbreak something.browser.sessionstore.privacy_level
you already have, and that DOES do something for privacy.geo.enabled
is not needed. Geo is behind a prompt by default, so it does nothing extra for privacy - no location data will leak unless the end user allows it in the per domain prompt. So all you are doing is putting up yet another block for users e.g. those who want to use location servicespermissions.default.geo
(0=always ask (default), 1=allow, 2=block) as2
which then allows the user to set a site override for sites they want it, and this will get rid of any prompt fatigue (if it exists), but be aware that this setting can be detected by JS and will raise entropy (if any fingerprinting script ever uses it: very low risk)network.cookie.lifetimePolicy
1 = Prompt for each cookie
was removed a long time ago (so long ago I do not know offhand the bugzilla to show you)3 = Accept for N days
was removed in FF63 (so maybe add that), and in FF62 and under, thatN days
is 90 days, and unless you tell the end user how to set the number of days, I think it's totally useless as an option - I would just remove itreferer
prefs: the three prefs you have set as2
, are all set to the hardest value they can be = lots of breakage. I think you are better off with more mild settings as a recommendation, along with a big fat message, that if you want to have ANY control over referers, you need to use an extension: e.g. Smart Referer - this is the one I would recommend, as it just focuses on Referers and allows Source<->Destination complexity. uMatrix can also cover this on a per domain scope where it just spoofs as same domainThat'll do for now. The rest looks OK, but the TP is a bit "naff"
If you would like me to present a cleaner neater version for your perusal (based on your list, I won;t add anything), just let me know. You can always just reject it if you don;t like it, or may take something from it (like the order and grouping etc)
I agree with @Thorin-Oakenpants comment, I think the geo prefs should not get touched by us even their default choice setting, because that will greatly can get used for fingerprinting without much improvement to privacy as @Thorin-Oakenpants said, the browser will prompt for it.
Although i think putting some security related configs like require_safe_negotiation and 0rtt data will be good as most of people don't have time to read ghacks-user.js
@Thorin-Oakenpants Sorry, I am not very up-to-date on our situation with about:config and the different options. Is there something here that should be addressed or could this be closed in favour of https://github.com/privacytoolsIO/privacytools.io/issues/1212 ?
@Mikaela . well #1212 says to remove the section but could be re-purposed as a clean-up of the section, but then doesn't really discuss the prefs much - as long as I don't have to type out https://github.com/privacytoolsIO/privacytools.io/issues/815#issuecomment-491410317 again
We could edit the title and make us just review each pref again.
Assigning to me so I will hopefully remember and check this at a better time due to it appearing at https://github.com/issues/assigned .
Please feel free to self-assign or PR regardless though.
feel free to close this: it's all being handled under #1212