Comments (20)
You already have setting "devtools.debugger.remote-enabled" set to false ;)
from user.js.
There's a crypto key exchange before accepting SSL certificates. A long read here.
It's a proposed security implementation, it's there, scroll down to:
3.2.2 Source List
Can someone tell me why this increases security/privacy?
The hashing improves security when sites are using e.g. third-party JS scripts. As the site owner has no visibility into what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one, if any.
There have been many cases, for instance, where ad sites have had malicious content because of some breach, and the site owners have had zero control over that, and of course the users experience that those sites are attacking their browser.
Does this answer your question?
I am almost 100% sure that "browser.newtab.url" is deprecated for FF 41 on.
I am wrong, but the default for "browser.ssl_override_behavior" is now 2, at least in FF 51.
Deprecated (taken from the "linux" list):
dom.mozTCPSocket.enabled (FF48)
network.seer.enabled (FF32)
network.negotiate-auth.allow-insecure-ntlm-v1-https (FF37)
browser.sessionstore.postdata (FF29)
browser.download.manager.retention (FF28)
browser.newtab.url (FF41)
plugins.hide_infobar_for_outdated_plugin (FF33)
;)
Do a check or remove or strike over on your upper list, then I will go over the updated list again.
If you wish, of course.
All...
but I am not sure it's "Linux specific".
I have just noted that this was taken from the list on https://www.wilderssecurity.com/threads/firefox-lockdown.368003/page-10#post-2633173.
I am sure that "browser.newtab.url" is not Linux specific, but it is removed/deprecated overall.
I will try to find some good source for deprecated stuff, if you don't have any already?
Noted... thx for source... will do better next time. :)
@pants, ROFL, even the syntax error pref is now properly sourced, gj! xD
browser.sessionstore.enabled
- Has an effect in Mozilla Firefox 3.0 and below. Since Firefox 3.5 this preference is superseded with setting browser.sessionstore.max_tabs_undo and browser.sessionstore.max_windows_undo to 0.
I disagree about network.IDN_show_punycode:
https://www.ubuntu.com/usn/usn-3175-1/
"Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)"
-> also noted here: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
---> and the 2 bugzillas are still Access Denied!
Here are a few more links discussing IDN/punycode exploits:
https://en.wikipedia.org/wiki/IDN_homograph_attack
http://blog.trendmicro.com/trendlabs-security-intelligence/can-idn-use-open-a-can-of-unicode-worms/
https://www.bluecoat.com/security-blog/2014-05-22/bad-guys-using-internationalized-domain-names-idns
browser.formfill.expire_days
- I like this one, it gives users who want to use formfill better control.
-> I'd set it to 1 day and probably comment it out, and add it as 0812a or so.
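As an added defender-side illustration of the homograph problem raised in the comment above (this is not code from the issue thread or from user.js): a small Python audit that encodes each hostname label to punycode, flags labels that mix scripts, and flags whole-script Cyrillic labels that render like a Latin word. The confusables table is a constructed subset, not the full Unicode list, and the sample hostnames in the usage block are constructed.

```python
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that look like Latin ones.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
}


def scripts_of(label: str) -> set:
    """Script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def to_punycode(label: str) -> str:
    """What the URL bar shows when network.IDN_show_punycode is true."""
    return label.encode("idna").decode("ascii")


def classify_label(label: str):
    """Return a reason the label is suspicious, or None for plain ASCII / ordinary IDN."""
    if label.isascii():
        return None
    if len(scripts_of(label)) > 1:
        return "mixed-script label"
    # Single-script labels slip past a mixed-script check, so also test whether
    # every character is a known lookalike of a Latin letter.
    lookalike = "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)
    if lookalike.isascii():
        return f"whole-script lookalike of '{lookalike}'"
    return None


def audit_host(host: str) -> list:
    """(label, punycode, reason) for each suspicious label in a hostname."""
    findings = []
    for label in host.split("."):
        reason = classify_label(label)
        if reason:
            findings.append((label, to_punycode(label), reason))
    return findings


if __name__ == "__main__":
    for host in ["example.com", "m\u00fcnchen.de", "\u0430pp\u006ce.com", "\u0435\u0445\u0440\u043e.com"]:
        print(host, "->", audit_host(host) or "ok")
```

A legitimate single-script IDN such as münchen.de is not flagged, which is the false-positive case any such check has to handle.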
I have browser.ssl_override_behavior = 2
In that case we need browser.xul.error_pages.enabled = true
(but this is a default now anyway).
Additionally, I have browser.xul.error_pages.expert_bad_cert = true
browser.ssl_override_behavior = 2
This makes the browser get the certificate without having to click on Get Certificate.
@crssi Thank you!! browser.xul.error_pages.expert_bad_cert is exactly what I wanted to start looking for in DXR, right now. 👍
@Atavic but doesn't the browser have the cert loaded and checked already at that point?
I mean, how can it detect a faulty cert otherwise? It's weird.
Anyway, 1 is definitely better than 2, that's all I need to know atm
browser.xul.error_pages.expert_bad_cert
- as far as I can tell, when changed to true from default false, it opens the advanced explanation by default instead of you having to click it.
False doesn't hide the button - the default value is false.
True, the browser.xul.error_pages.expert_bad_cert = true
just eases my laziness to spare me one more click when I know the site (some internal testing sites) with temporary self-signed cert and where I don't like to end up with a cert store full of a few times only used certs.
@Thorin-Oakenpants The other "my modus operandi": I like to see the error message provided without clicking "advanced" first.
But anything you decide, it's fine with me. ;)
Can someone tell me why this increases security/privacy?
The hashing improves security when sites are using e.g. third-party JS scripts. As the site owner has no visibility into what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one, if any.
There have been many cases, for instance, where ad sites have had malicious content because of some breach, and the site owners have had zero control over that, and of course the users experience that those sites are attacking their browser.
- do you know why security.csp.experimentalEnabled is still disabled by default in FF? Is this safe to use in your opinion?
I feel like there have to be downsides to this or it would have been enabled by now, right?
For each request, the server generates a unique value at random, and includes it in the Content-Security-Policy header.
3.2.5.17.1
who maintains these hash lists for verification.
Once randomly generated, they stay in the HTML meta Element.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
do you know why security.csp.experimentalEnabled is still disabled by default in FF?
Is this safe to use in your opinion?
Right now, security.csp.experimentalEnabled only controls a single directive: require-sri-for. It's disabled by default because it's a new feature which hasn't been standardized yet.
I don't think there's a lot of risk in enabling it because it's probably not used very much. For that same reason, there's probably not much point in enabling it either.
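To make concrete the hash whitelisting of third-party scripts explained earlier in the thread and the require-sri-for directive discussed in this comment, here is an added Python example (not code from the issue thread or from user.js). The reviewed script body, the nonce handling and the simplified policy check are constructed for the demonstration; a real browser applies more rules than the check shown here.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample: body of a hypothetical third-party script the site owner has reviewed.
REVIEWED_SCRIPT = b"window.adLib = { version: '1.2.3' };\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Hash-source token shared by SRI and CSP, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def new_nonce() -> str:
    """Per-response nonce: unpredictable and never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_tag(src: str, body: bytes) -> str:
    """<script> element pinned to the reviewed body through the integrity attribute."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def csp_header(allowed_hashes, nonce: str, require_sri: bool = False) -> str:
    """Content-Security-Policy value: hash sources plus a per-response nonce source."""
    sources = ["'self'", f"'nonce-{nonce}'"] + [f"'{h}'" for h in allowed_hashes]
    directives = [f"script-src {' '.join(sources)}"]
    if require_sri:  # the experimental directive gated by security.csp.experimentalEnabled
        directives.append("require-sri-for script")
    return "; ".join(directives)


def body_allowed(header: str, fetched_body: bytes) -> bool:
    """Simplified browser-side check: the fetched script must match a hash source."""
    match = re.search(r"script-src ([^;]+)", header)
    if not match:
        return False
    for token in match.group(1).split():
        token = token.strip("'")
        if token.startswith(("sha256-", "sha384-", "sha512-")):
            if sri_hash(fetched_body, token.split("-", 1)[0]) == token:
                return True
    return False


if __name__ == "__main__":
    header = csp_header([sri_hash(REVIEWED_SCRIPT)], new_nonce(), require_sri=True)
    print(script_tag("https://ads.example/lib.js", REVIEWED_SCRIPT))
    print(header)
    print("tampered copy accepted:", body_allowed(header, REVIEWED_SCRIPT + b"evil();"))
```

A copy of the script altered after the breach scenario described in the thread no longer matches the pinned hash, so the check rejects it even though it comes from the whitelisted host.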
For that same reason, there's probably not much point in enabling it either.
Pants, I'd say we disable it again and wait until mozilla enables it by default, if ever.