
ToDo: compare vs pyllyukko user.js, decide on additions #10

Closed
16 tasks done
Thorin-Oakenpants opened this issue Feb 18, 2017 · 20 comments

Thorin-Oakenpants commented Feb 18, 2017

/******
user.js * date: 18 Feb 2017 vs pyllyukko user.js
what pyllyukko has that we don't
******/

  • DONE: 4d0e582
    user_pref("network.IDN_show_punycode", true);
  • DONE: b73324e
    user_pref("browser.ssl_override_behavior", 1);
  • DONE: df1e1e4
    user_pref("security.csp.enable", true);
  • DONE: e0e7fc4 (added to deprecated (48+))
    user_pref("dom.mozTCPSocket.enabled", false);
  • DONE: de21ffd
    user_pref("security.csp.experimentalEnabled", true);
    ==
  • WONTFIX (I am not messing with people's search engines)
    // user_pref("browser.search.defaultenginename", "DuckDuckGo");
  • WONTFIX: deprecated approx FF29
    user_pref("browser.sessionstore.postdata", 0);
  • WONTFIX: deprecated approx FF32
    user_pref("network.seer.enabled", false);
  • WONTFIX: deprecated approx FF33
    user_pref("plugins.hide_infobar_for_outdated_plugin", false);
  • WONTFIX: both deprecated, the first approx FF37
    user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
    user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
  • WONTFIX: deprecated approx FF41 (note: still two returns in DXR, not used)
    user_pref("browser.newtab.url", "about:blank");
  • WONTFIX: deprecated (not sure when)
    user_pref("browser.sessionstore.enabled", false);
  • WONTFIX: same as default
    user_pref("devtools.debugger.force-local", true);
  • WONTFIX: no longer in DXR
    user_pref("plugin.state.libgnome-shell-browser-plugin", 0);
  • WONTFIX: see discussion: redo 0800s location bar etc #32 - this is legacy code and does absolutely nothing
    user_pref("browser.formfill.expire_days", 1);
  • WONTFIX: see discussion: redo 0800s location bar etc #32 - this is legacy code and does absolutely nothing
    user_pref("browser.download.manager.retention", 0); // (hidden pref)

---original post--
See: pyllyukko/user.js#205 (comment)

I will compare us to pyllyukko and output

  • What we have that pyllyukko doesn't (large list to dump on pastebin, keep our numbering/order/comments to help with dissection and analysis of it)
  • What pyllyukko has that we don't (small list, I can paste the items here)
    Results given to each party to work through.

Then we can decide what to add/discard


crssi commented Feb 18, 2017

I am almost 100% sure that "browser.newtab.url" is deprecated for FF 41 on.


crssi commented Feb 19, 2017

I am wrong, but default for "browser.ssl_override_behavior" is now 2, at least in FF 51.


crssi commented Feb 19, 2017

You already have setting "devtools.debugger.remote-enabled" set to false ;)


crssi commented Feb 19, 2017

Deprecated (taken from "linux" list):
dom.mozTCPSocket.enabled (FF48)
network.seer.enabled (FF32)
network.negotiate-auth.allow-insecure-ntlm-v1-https (FF37)
browser.sessionstore.postdata (FF29)
browser.download.manager.retention (FF28)
browser.newtab.url (FF41)
plugins.hide_infobar_for_outdated_plugin (FF33)

;)
Do a check or remove or strike over on your upper list, then I will go over the updated list again.
If you wish, of course.


crssi commented Feb 19, 2017

All...
but I am not sure it's "Linux specific".
I have just noted that this was taken from the list on https://www.wilderssecurity.com/threads/firefox-lockdown.368003/page-10#post-2633173.

I am sure that "browser.newtab.url" is not Linux specific, but it is removed/deprecated over all.

I will try to find some good source for deprecated stuff, if you don't have any already?


crssi commented Feb 19, 2017

Noted... thx for source... will do better next time. :)


earthlng commented Feb 19, 2017

@pants, ROFL, even the syntax error pref is now properly sourced, gj! xD

browser.sessionstore.enabled - Has an effect in Mozilla Firefox 3.0 and below.
Since Firefox 3.5 this preference is superseded with setting browser.sessionstore.max_tabs_undo and browser.sessionstore.max_windows_undo to 0.

I disagree about network.IDN_show_punycode:
https://www.ubuntu.com/usn/usn-3175-1/
"Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)"
-> also noted here: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
---> and the 2 bugzillas are still Access Denied!
Here are a few more links discussing IDN/punycode exploits:
https://en.wikipedia.org/wiki/IDN_homograph_attack
http://blog.trendmicro.com/trendlabs-security-intelligence/can-idn-use-open-a-can-of-unicode-worms/
https://www.bluecoat.com/security-blog/2014-05-22/bad-guys-using-internationalized-domain-names-idns

browser.formfill.expire_days - I like this one, it gives users who want to use formfill better control.
-> I'd set it to 1 day and probably comment it out, and add it as 0812a or so.
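The homograph problem behind network.IDN_show_punycode, as an added example that is not from this thread or either user.js project: the browser resolves the ASCII xn-- form, but with the pref at its default it displays the Unicode form, so a label that mixes scripts can look like a familiar name. The mixed-script test below is a deliberately crude stand-in for Firefox's real IDN display algorithm (an assumption of this example), and the hostnames are constructed samples.

```python
import unicodedata

# Added example (not from the thread or either user.js project).
# Constructed sample hostnames; the Cyrillic letter is written as an
# escape so it is visible in the source.
SAMPLE_HOSTNAMES = [
    "example.com",            # plain ASCII, no IDN involved
    "b\u00fccher.example",    # single-script IDN, legitimate use of Unicode
    "\u0430pple.example",     # U+0430 CYRILLIC SMALL LETTER A followed by Latin "pple"
]


def to_punycode(hostname: str) -> str:
    """ASCII (xn--) form: what the browser actually resolves, and what
    network.IDN_show_punycode = true makes the URL bar display."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Script family of each letter, taken from the first word of its
    Unicode character name (LATIN, CYRILLIC, GREEK, ...). Simplified check,
    not Firefox's algorithm."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes letters from more than one script family,
    the property that makes the Unicode display form misleading."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def display_form(hostname: str, show_punycode: bool) -> str:
    """What the URL bar shows under each setting of network.IDN_show_punycode."""
    return to_punycode(hostname) if show_punycode else hostname


if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        print(f"{host!r:24} punycode={to_punycode(host):24} "
              f"mixed_script={is_mixed_script(host)}")
```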


crssi commented Feb 22, 2017

I have browser.ssl_override_behavior = 2
In that case we need browser.xul.error_pages.enabled = true (but this is a default now anyway).
Additionally, I have browser.xul.error_pages.expert_bad_cert = true


Atavic commented Feb 22, 2017

browser.ssl_override_behavior = 2
This makes the browser get the certificate without having to click on Get Certificate.


earthlng commented Feb 22, 2017

@crssi Thank you!! browser.xul.error_pages.expert_bad_cert is exactly what I wanted to start looking for in DXR, right now. 👍

@Atavic but doesn't the browser have the cert loaded and checked already at that point?
I mean, how can it detect a faulty cert otherwise? It's weird.
Anyway, 1 is definitely better than 2, that's all I need to know atm


Atavic commented Feb 22, 2017

There's a crypto key exchange before accepting SSL certificates. A long read here.

@earthlng

browser.xul.error_pages.expert_bad_cert - as far as I can tell, when changed to true from default false, it opens the advanced explanation by default instead of you having to click it.
False doesn't hide the button - the default value is false.


crssi commented Feb 22, 2017

True, the browser.xul.error_pages.expert_bad_cert = true just eases my laziness to spare me one more click when I know the site (some internal testing sites) with temporary self-signed cert and where I don't like to end up with a cert store full of a few times only used certs.


crssi commented Feb 23, 2017

@Thorin-Oakenpants The other "my modus operandi": I like to see the error message provided without clicking "advanced" first.
But anything you decide, it's fine with me. ;)


Atavic commented Mar 8, 2017

It's a proposed security implementation, it's there, scroll down to:
3.2.2 Source List


pyllyukko commented Mar 8, 2017

Can someone tell me why this increases security/privacy?

The hashing improves security when sites are using e.g. third party JS scripts. As the site owner has no visibility on what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one if any.

There have been many cases for instance where ad sites have had malicious content because of some breach and the site owners have had zero control over that and of course the users experience that those sites are attacking your browser.

Does this answer your question?

@earthlng

> Can someone tell me why this increases security/privacy?
>
> The hashing improves security when sites are using e.g. third party JS scripts. As the site owner has no visibility on what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one if any.
>
> There have been many cases for instance where ad sites have had malicious content because of some breach and the site owners have had zero control over that and of course the users experience that those sites are attacking your browser.

@fmarier

  • do you know why security.csp.experimentalEnabled is still disabled by default in FF?
  • Is this safe to use in your opinion?

I feel like there have to be downsides to this or it would have been enabled by now, right?


Atavic commented Mar 15, 2017

> For each request, the server generates a unique value at random, and includes it in the Content-Security-Policy header.

3.2.5.17.1

> who maintains these hash lists for verification.

Once randomly generated, they stay in the HTML meta Element.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP


fmarier commented Mar 20, 2017

> do you know why security.csp.experimentalEnabled is still disabled by default in FF?
> Is this safe to use in your opinion?

Right now, security.csp.experimentalEnabled only controls a single directive: require-sri-for. It's disabled by default because it's a new feature which hasn't been standardized yet.

I don't think there's a lot of risk in enabling it because it's probably not used very much. For that same reason, there's probably not much point in enabling it either.
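The mechanism pyllyukko describes and the require-sri-for directive fmarier mentions, as an added example (not code from this thread or either user.js project): the site owner publishes a hash of the known-good third-party script, the browser recomputes it on the bytes it actually received, and require-sri-for additionally refuses script or style loads that carry no integrity attribute at all. The script bytes, CSP strings and tag handling are constructed here; the hash-selection and parsing rules follow the SRI spec as I understand it.

```python
import base64
import hashlib

# Added example (not from the thread or either user.js project).
SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample: the script the site owner vetted, and a modified copy
# of the kind a compromised third-party host might serve instead.
GOOD_SCRIPT = b"window.track = function () { return 1; };\n"
TAMPERED_SCRIPT = b"window.track = function () { return 1; }; injected();\n"


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Site-owner side: the value to put in <script integrity="..."> for a
    specific vetted version of a third-party script."""
    digest = SRI_ALGOS[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Browser side: recompute the hash over the received bytes. Only hashes
    using the strongest algorithm listed are considered; any match passes.
    With no parseable metadata the spec lets the resource load unchecked."""
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SRI_ALGOS and b64:
            parsed.append((algo, b64))
    if not parsed:
        return True
    best = max(STRENGTH[algo] for algo, _ in parsed)
    return any(STRENGTH[algo] == best and sri_digest(content, algo) == f"{algo}-{b64}"
               for algo, b64 in parsed)


def blocked_by_require_sri(csp: str, tag: str, has_integrity: bool) -> bool:
    """require-sri-for: refuse a script/style load that has no integrity
    attribute when the policy names that element type."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "require-sri-for" and tag in parts[1:]:
            return not has_integrity
    return False


if __name__ == "__main__":
    published = sri_digest(GOOD_SCRIPT)
    print("integrity attribute:", published)
    print("good script passes: ", verify_sri(GOOD_SCRIPT, published))
    print("tampered passes:    ", verify_sri(TAMPERED_SCRIPT, published))
    print("no-integrity script blocked:",
          blocked_by_require_sri("default-src 'self'; require-sri-for script", "script", False))
```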


earthlng commented Mar 20, 2017

> For that same reason, there's probably not much point in enabling it either.

Pants, I'd say we disable it again and wait until mozilla enables it by default, if ever.

@Thorin-Oakenpants Thorin-Oakenpants changed the title ToDo: compare ghacks vs pyllyukko user.js, decide on additions ToDo: compare vs pyllyukko user.js, decide on additions Nov 17, 2020