
Comments (20)

crssi commented on September 17, 2024

You already have setting "devtools.debugger.remote-enabled" set to false ;)

from user.js.

Atavic commented on September 17, 2024

There's a crypto key exchange before accepting SSL certificates. A long read here.

Atavic commented on September 17, 2024

It's a proposed security implementation, it's there, scroll down to:
3.2.2 Source List

pyllyukko commented on September 17, 2024

Can someone tell me why this increases security/privacy?

The hashing improves security when sites are using e.g. third party JS scripts. As the site owner has no visibility on what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one, if any.

There have been many cases, for instance, where ad sites have had malicious content because of some breach and the site owners have had zero control over that, and of course the users experience that those sites are attacking their browser.

Does this answer your question?


crssi commented on September 17, 2024

I am almost 100% sure that "browser.newtab.url" is deprecated for FF 41 on.

crssi commented on September 17, 2024

I am wrong, but default for "browser.ssl_override_behavior" is now 2, at least in FF 51.

crssi commented on September 17, 2024

Deprecated (taken from the "linux" list):
dom.mozTCPSocket.enabled (FF48)
network.seer.enabled (FF32)
network.negotiate-auth.allow-insecure-ntlm-v1-https (FF37)
browser.sessionstore.postdata (FF29)
browser.download.manager.retention (FF28)
browser.newtab.url (FF41)
plugins.hide_infobar_for_outdated_plugin (FF33)

;)
Do a check or remove or strike over on your upper list, then I will go over the updated list again.
If you wish, of course.


crssi commented on September 17, 2024

All...
but I am not sure it's "Linux specific".
I have just noted that this was taken from the list on https://www.wilderssecurity.com/threads/firefox-lockdown.368003/page-10#post-2633173.

I am sure that "browser.newtab.url" is not Linux specific, but it is removed/deprecated over all.

I will try to find some good source for deprecated stuff, if you don't have any already?

crssi commented on September 17, 2024

Noted... thx for source... will do better next time. :)

earthlng commented on September 17, 2024

@pants, ROFL, even the syntax error pref is now properly sourced, gj! xD

browser.sessionstore.enabled - Has an effect in Mozilla Firefox 3.0 and below.
Since Firefox 3.5 this preference is superseded with setting browser.sessionstore.max_tabs_undo and browser.sessionstore.max_windows_undo to 0.

I disagree about network.IDN_show_punycode:
https://www.ubuntu.com/usn/usn-3175-1/
"Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)"
-> also noted here: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
---> and the 2 Bugzillas are still Access Denied!
Here are a few more links discussing IDN/punycode exploits:
https://en.wikipedia.org/wiki/IDN_homograph_attack
http://blog.trendmicro.com/trendlabs-security-intelligence/can-idn-use-open-a-can-of-unicode-worms/
https://www.bluecoat.com/security-blog/2014-05-22/bad-guys-using-internationalized-domain-names-idns

browser.formfill.expire_days - I like this one, it gives users who want to use formfill better control.
-> I'd set it to 1 day and probably comment it out, and add it as 0812a or so.


crssi commented on September 17, 2024

I have browser.ssl_override_behavior = 2
In that case we need browser.xul.error_pages.enabled = true (but this is a default now anyway).
Additionally, I have browser.xul.error_pages.expert_bad_cert = true

Atavic commented on September 17, 2024

browser.ssl_override_behavior = 2
This makes the browser get the certificate without having to click on Get Certificate.

earthlng commented on September 17, 2024

@crssi Thank you!! browser.xul.error_pages.expert_bad_cert is exactly what I wanted to start looking for in DXR, right now. 👍

@Atavic but doesn't the browser have the cert loaded and checked already at that point?
I mean, how can it detect a faulty cert otherwise? It's weird.
Anyway, 1 is definitely better than 2, that's all I need to know atm

earthlng commented on September 17, 2024

browser.xul.error_pages.expert_bad_cert - as far as I can tell, when changed to true from default false, it opens the advanced explanation by default instead of you having to click it.
False doesn't hide the button - the default value is false.

crssi commented on September 17, 2024

True, the browser.xul.error_pages.expert_bad_cert = true just eases my laziness, sparing me one more click when I know the site (some internal testing sites with a temporary self-signed cert) and I don't like to end up with a cert store full of certs used only a few times.

crssi commented on September 17, 2024

@Thorin-Oakenpants The other "my modus operandi": I like to see the error message provided without clicking "advanced" first.
But anything you decide, its fine with me. ;)

earthlng commented on September 17, 2024

Can someone tell me why this increases security/privacy?

The hashing improves security when sites are using e.g. third party JS scripts. As the site owner has no visibility on what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one, if any.

There have been many cases, for instance, where ad sites have had malicious content because of some breach and the site owners have had zero control over that, and of course the users experience that those sites are attacking their browser.

@fmarier

  • do you know why security.csp.experimentalEnabled is still disabled by default in FF?
  • Is this safe to use in your opinion?

I feel like there have to be downsides to this or it would have been enabled by now, right?

Atavic commented on September 17, 2024

For each request, the server generates a unique value at random, and includes it in the Content-Security-Policy header.

3.2.5.17.1

who maintains these hash lists for verification.

Once randomly generated, they stay in the HTML meta Element.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

fmarier commented on September 17, 2024

do you know why security.csp.experimentalEnabled is still disabled by default in FF?
Is this safe to use in your opinion?

Right now, security.csp.experimentalEnabled only controls a single directive: require-sri-for. It's disabled by default because it's a new feature which hasn't been standardized yet.

I don't think there's a lot of risk in enabling it because it's probably not used very much. For that same reason, there's probably not much point in enabling it either.


earthlng commented on September 17, 2024

For that same reason, there's probably not much point in enabling it either.

Pants, I'd say we disable it again and wait until mozilla enables it by default, if ever.
