5 Firefox about:config rules to improve privacy & security #815

Closed
opened 2019-04-02 14:06:46 +00:00 by hasux3 · 8 comments
hasux3 commented 2019-04-02 14:06:46 +00:00 (Migrated from github.com)

1. Disable the 3DES cipher – This setting allows the 3DES cipher, which has multiple known security weaknesses. It needs to be disabled.

security.ssl3.rsa_des_ede3_sha >> false

2. Require Safe Negotiation – This setting is for preventing a serious code injection attack related to how clients and servers negotiate which encryption settings to use. This setting forces only safe negotiation methods to be used.

security.ssl.require_safe_negotiation >> true

3. Disable 0-RTT – Zero Round Trip Time Resumption (0-RTT) is a feature that is new in TLS 1.3 that allows a client and server to negotiate a connection with fewer steps, allowing https websites to load more quickly. There are two problems with this. First, in order to do this you lose forward secrecy (generating a new key for every session and throwing away the key when the session is over). Secondly, 0-RTT requires special implementation in order to prevent replay attacks, which some web developers will certainly fail to protect from. Disabling 0-RTT enhances security and privacy.

security.tls.enable_0rtt_data >> false

4. Disable Plugin Scanning – Plugins can query what extensions and plugins that you have installed on Firefox to profile users. Disabling this feature improves both privacy and functionality while browsing privately.

plugin.scan.plid.all >> false

5. Disable Prefetching – Firefox by default will pre-load all linked pages on pages that you visit. This becomes a privacy issue because this leads to your browser broadcasting a list of the links that are on the page you are currently visiting, which can allow outside parties to profile your browsing habits from your DNS traffic, or, if you’re not on a VPN it can allow your ISP to infer what web pages you visit within secure sites by looking at the prefetch resources.

network.dns.disableprefetch >> true

source : [PIA Blog](https://www.privateinternetaccess.com/blog/2018/09/firefox-hardening-guide/)

beerisgood commented 2019-04-02 18:12:54 +00:00 (Migrated from github.com)

Or just use ghacks user.js ...

Thorin-Oakenpants commented 2019-05-10 19:51:22 +00:00 (Migrated from github.com)

My 5 cents

  • security.ssl3.rsa_des_ede3_sha - do not meddle with FF ciphers, all you do is change your cipher fingerprint. I'm sure you can pull this info from [Mozilla's telemetry](https://telemetry.mozilla.org/) (I do this to look at stats like IPv4 and IPv6 info, or TLS version requests), and I'm sure you will find the threat is zero to none in the wild.
  • plugin.scan.plid.all - no need to add this, Flash is the only plugin allowed since FF52, and it is already default click to play. Why put up another barrier for an end user to try and overcome breakage (e.g. flash games). RFP also effectively disables Flash as sites cannot detect it (for those that use RFP)

FYI: the ghacks-user.js sets these

  • security.ssl.require_safe_negotiation - true
  • network.dns.disableprefetch - true
  • security.tls.enable_0rtt_data - false

PS: for the love of [insert deity here], can you please

  • remove the battery pref - It hasn't been allowed in non-privileged content since FF52 - see [1313580](https://bugzilla.mozilla.org/1313580). Seriously, I thought you guys removed this.
  • stop telling people to disable Safe Browsing. The two prefs you recommend don't do anything for privacy, and put people at risk. Local lists are still updated and downloaded from google (using SBv4 with no cookies, and everyone updates, 100's of millions of FF users), and Firefox also makes sure to strip out any identifying parameters. And if required, a full URL is never sent, it's a part hash of the prefix only, mixed with other real part-hashes. These two prefs being on the list are irresponsible IMO.
  • browser.sessionstore.max_tabs_undo - this is practically a useless pref. It has an edge case, but that's it. For starters, data is still written to the session restore files, so all you're really doing is removing something that is hidden behind a menu. If you do not use Session Restore (SR), the session restore files are destroyed at the end of each session. And if you do use SR, then it's just another thing for an end-user to work out how to unbreak something.
    • browser.sessionstore.privacy_level you already have, and that DOES do something for privacy.
    • If you do keep max tabs undo, then at least put the two prefs next to each other
  • geo.enabled is not needed. Geo is behind a prompt by default, so it does nothing extra for privacy - no location data will leak unless the end user allows it in the per domain prompt. So all you are doing is putting up yet another block for users e.g. those who want to use location services
    • Instead you could promote permissions.default.geo (0=always ask (default), 1=allow, 2=block) as 2 which then allows the user to set a site override for sites they want it, and this will get rid of any prompt fatigue (if it exists), but be aware that this setting can be detected by JS and will raise entropy (if any fingerprinting script ever uses it: very low risk)
  • network.cookie.lifetimePolicy
    • the option 1 = Prompt for each cookie was removed a long time ago (so long ago I do not know offhand the bugzilla to show you)
    • the option 3 = Accept for N days was removed in FF63 (so maybe add that), and in FF62 and under, that N days is 90 days, and unless you tell the end user how to set the number of days, I think it's totally useless as an option - I would just remove it
  • referer prefs: the three prefs you have set as 2, are all set to the hardest value they can be = lots of breakage. I think you are better off with more mild settings as a recommendation, along with a big fat message, that if you want to have ANY control over referers, you need to use an extension: e.g. Smart Referer - this is the one I would recommend, as it just focuses on Referers and allows Source<->Destination complexity. uMatrix can also cover this on a per domain scope where it just spoofs as same domain

That'll do for now. The rest looks OK, but the TP is a bit "naff"

If you would like me to present a cleaner neater version for your perusal (based on your list, I won't add anything), just let me know. You can always just reject it if you don't like it, or may take something from it (like the order and grouping etc)

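A way to check a profile's `user.js` against the three values the comment above says ghacks-user.js sets, as an added example that is not part of the thread or of either project. The sample file is constructed, and `network.dns.disablePrefetch` is written with Firefox's case-sensitive spelling, which is an assumption beyond the thread (it uses lowercase).

```javascript
// Values the thread says ghacks-user.js sets. Pref names are case-sensitive.
const EXPECTED = {
  "security.ssl.require_safe_negotiation": true,
  "network.dns.disablePrefetch": true, // Firefox's spelling, capital P
  "security.tls.enable_0rtt_data": false,
};

// Parse user_pref("name", value); lines; a later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?(?:0|[1-9]\d*)|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  // Drop /* ... */ blocks first so commented-out prefs are not counted.
  const body = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of body.split(/\r?\n/)) {
    const m = re.exec(line); // lines starting with // never match
    if (!m) continue;
    // Strings are kept without their quotes; booleans and integers are parsed.
    prefs.set(m[1], m[2][0] === '"' ? m[2].slice(1, -1) : JSON.parse(m[2]));
  }
  return prefs;
}

// Report each expected pref that is wrong, misspelled by case, or absent.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const byLower = new Map([...prefs.keys()].map((k) => [k.toLowerCase(), k]));
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    const lookalike = byLower.get(name.toLowerCase());
    if (prefs.has(name)) {
      if (prefs.get(name) !== want) findings.push({ name, status: "mismatch", got: prefs.get(name) });
    } else if (lookalike) {
      // Firefox stores this as an unrelated custom pref and ignores it.
      findings.push({ name, status: "wrong-case", got: lookalike });
    } else {
      findings.push({ name, status: "unset" }); // Firefox's default applies
    }
  }
  return findings;
}

// Constructed sample file contents, not taken from a real profile.
const SAMPLE_USER_JS = `
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("network.dns.disableprefetch", true);
/* user_pref("security.tls.enable_0rtt_data", false); */
user_pref("security.tls.enable_0rtt_data", true);
`;
console.log(auditPrefs(SAMPLE_USER_JS));
```

An `unset` finding only means the file does not set the pref; the audit does not know the default of the installed Firefox version.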
0xRustlang commented 2019-05-11 15:17:31 +00:00 (Migrated from github.com)

I agree with @Thorin-Oakenpants' comment. I think the geo prefs should not be touched by us, even their default choice setting, because that can greatly be used for fingerprinting without much improvement to privacy; as @Thorin-Oakenpants said, the browser will prompt for it.

Although I think putting in some security-related configs like require_safe_negotiation and 0rtt data will be good, as most people don't have time to read ghacks-user.js

Mikaela commented 2019-08-26 20:18:50 +00:00 (Migrated from github.com)

@Thorin-Oakenpants Sorry, I am not very up-to-date on our situation with about:config and the different options. Is there something here that should be addressed or could this be closed in favour of https://github.com/privacytoolsIO/privacytools.io/issues/1212 ?

Thorin-Oakenpants commented 2019-08-27 02:11:54 +00:00 (Migrated from github.com)

@Mikaela . well #1212 says to remove the section but could be re-purposed as a clean-up of the section, but then doesn't really discuss the prefs much - as long as I don't have to type out https://github.com/privacytoolsIO/privacytools.io/issues/815#issuecomment-491410317 again

blacklight447 commented 2019-08-27 13:21:45 +00:00 (Migrated from github.com)

We could edit the title and make us just review each pref again.

Mikaela commented 2019-08-27 17:41:39 +00:00 (Migrated from github.com)

Assigning to me so I will hopefully remember and check this at a better time due to it appearing at https://github.com/issues/assigned .

Please feel free to self-assign or PR regardless though.

Thorin-Oakenpants commented 2019-09-03 06:16:09 +00:00 (Migrated from github.com)

feel free to close this: it's all being handled under #1212

Reference: privacyguides/privacytools.io#815