|
|
@@ -516,41 +516,28 @@ user_pref("browser.cache.frecency_experiment", -1);
|
|
|
/* 1012: disable resuming session from crash [SETUP] ***/
|
|
|
user_pref("browser.sessionstore.resume_from_crash", false);
|
|
|
|
|
|
-/*** 1200: HTTPS ( SSL / OCSP / CERTS / ENCRYPTION / HSTS / HPKP )
|
|
|
- Note that your cipher and other settings can be used server side as a fingerprint attack vector:
|
|
|
- see https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
|
|
|
- You can either strengthen your encryption/cipher suite and protocols (security) or keep them
|
|
|
- at default and let Mozilla handle them (dragging their feet for fear of breaking legacy sites) ***/
|
|
|
+/*** 1200: HTTPS ( SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS )
|
|
|
+ Note that your cipher and other settings can be used server side as a fingerprint attack
|
|
|
+ vector, see [1] (It's quite technical but the first part is easy to understand
|
|
|
+ and you can stop reading when you reach the second section titled "Enter Bro")
|
|
|
+
|
|
|
+ Option 1: Use our settings to tighten up encryption options. It *is* a fingerprinting attack
|
|
|
+ vector, and we certainly do want to reduce any attack surface, but this is not how
|
|
|
+ you *DEFEAT* fingerprinting - to do that you need large numbers to buy into the same
|
|
|
+ enforced browser-wide settings (such as TBB), and/or you use OpSec.
|
|
|
+ Option 2: Use Firefox defaults for the 1260's items (item 1260 default for SHA-1, is local only
|
|
|
+ anyway). There is nothing *weak* about Firefox's defaults, but Mozilla (and other
|
|
|
+ browsers) will always lag for fear of breakage and upset end-users
|
|
|
+
|
|
|
+ [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
|
|
|
+ ***/
|
|
|
user_pref("ghacks_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
|
|
|
-/* 1201: block rc4 fallback (default is now false as of at least FF45) ***/
|
|
|
-user_pref("security.tls.unrestricted_rc4_fallback", false);
|
|
|
-/* 1203: enable OCSP stapling
|
|
|
- * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
|
|
|
-user_pref("security.ssl.enable_ocsp_stapling", true);
|
|
|
-/* 1204: reject communication with servers using old SSL/TLS - vulnerable to a MiTM attack
|
|
|
+/** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
|
|
|
+/* 1201: reject communication with servers using old SSL/TLS - vulnerable to a MiTM attack
|
|
|
* [WARNING] tested Feb 2017 - still breaks too many sites
|
|
|
* [1] https://wiki.mozilla.org/Security:Renegotiation ***/
|
|
|
// user_pref("security.ssl.require_safe_negotiation", true);
|
|
|
-/* 1205: display warning (red padlock) for "broken security"
|
|
|
- * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
|
|
|
-user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
|
|
|
-/* 1206: require certificate revocation check through OCSP protocol
|
|
|
- * This leaks information about the sites you visit to the CA (cert authority)
|
|
|
- * It's a trade-off between security (checking) and privacy (leaking info to the CA)
|
|
|
- * [WARNING] Since FF44 the default is false. If set to true, this may/will cause some
|
|
|
- * site breakage. Some users have previously mentioned issues with youtube, microsoft etc ***/
|
|
|
- // user_pref("security.OCSP.require", true);
|
|
|
-/* 1207: query OCSP responder servers to confirm current validity of certificates (default=1)
|
|
|
- * 0=disable, 1=validate only certificates that specify an OCSP service URL
|
|
|
- * 2=enable and use values in security.OCSP.URL and security.OCSP.signing ***/
|
|
|
-user_pref("security.OCSP.enabled", 1);
|
|
|
-/* 1208: enforce strict pinning
|
|
|
- * PKP (public key pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
|
|
|
- * [WARNING] If you rely on an AV (antivirus) to protect your web browsing
|
|
|
- * by inspecting ALL your web traffic, then leave at current default =1
|
|
|
- * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
|
|
|
-user_pref("security.cert_pinning.enforcement_level", 2);
|
|
|
-/* 1209: control TLS versions with min and max
|
|
|
+/* 1202: control TLS versions with min and max
|
|
|
* 1=min version of TLS 1.0, 2-min version of TLS 1.1, 3=min version of TLS 1.2 etc
|
|
|
* [WARNING] FF/chrome currently allow TLS 1.0 by default, so this is your call.
|
|
|
* [1] http://kb.mozillazine.org/Security.tls.version.*
|
|
|
@@ -558,77 +545,109 @@ user_pref("security.cert_pinning.enforcement_level", 2);
|
|
|
// user_pref("security.tls.version.min", 2);
|
|
|
// user_pref("security.tls.version.fallback-limit", 3);
|
|
|
// user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3
|
|
|
-/* 1210: disable DHE (Diffie-Hellman Key Exchange)
|
|
|
-* [WARNING] may break obscure sites, but not major sites, which should support ECDH over DHE
|
|
|
-* [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/
|
|
|
- user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
|
|
|
-user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
|
|
|
-/* 1211: disable or limit SHA-1
|
|
|
- * 0 = all SHA1 certs are allowed
|
|
|
- * 1 = all SHA1 certs are blocked (including perfectly valid ones from 2015 and earlier)
|
|
|
- * 2 = deprecated option that now maps to 1
|
|
|
- * 3 = only allowed for locally-added roots (e.g. anti-virus)
|
|
|
- * 4 = only allowed for locally-added roots or for certs in 2015 and earlier
|
|
|
- * [WARNING] when disabled, some man-in-the-middle devices (eg security scanners and antivirus
|
|
|
- * products, are failing to connect to HTTPS sites. SHA-1 will eventually become obsolete.
|
|
|
- * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
|
|
|
- * [2] https://github.com/pyllyukko/user.js/issues/194#issuecomment-256509998 ***/
|
|
|
-user_pref("security.pki.sha1_enforcement_level", 1);
|
|
|
-/* 1212: disable SSL session tracking (FF36+)
|
|
|
- * SSL session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
|
|
|
+/* 1203: disable SSL session tracking (FF36+)
|
|
|
+ * SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
|
|
|
* Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
|
|
|
- * this disables sending SSL3 Session IDs and TLS Session Tickets to prevent session tracking
|
|
|
+ * this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking
|
|
|
* [1] https://tools.ietf.org/html/rfc5077
|
|
|
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=967977 ***/
|
|
|
user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)
|
|
|
-/* 1213: disable 3DES (effective key size < 128)
|
|
|
- * [1] https://en.wikipedia.org/wiki/3des#Security
|
|
|
- * [2] http://en.citizendium.org/wiki/Meet-in-the-middle_attack
|
|
|
- * [3] http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
|
|
|
-user_pref("security.ssl3.rsa_des_ede3_sha", false);
|
|
|
-/* 1214: disable 128 bits ***/
|
|
|
-user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
|
|
|
-user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
|
|
|
-/* 1215: disable Microsoft Family Safety cert (Windows 8.1) (FF50+)
|
|
|
+/** OCSP (Online Certificate Status Protocol) ***/
|
|
|
+/* 1210: enable OCSP Stapling
|
|
|
+ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
|
|
|
+user_pref("security.ssl.enable_ocsp_stapling", true);
|
|
|
+/* 1211: query OCSP responder servers to confirm current validity of certificates
|
|
|
+ * 0=disable, 1=validate only certificates that specify an OCSP service URL (default)
|
|
|
+ * 2=enable and use values in security.OCSP.URL and security.OCSP.signing.
|
|
|
+ * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
|
|
|
+ * It's a trade-off between security (checking) and privacy (leaking info to the CA)
|
|
|
+ * [1] https://en.wikipedia.org/wiki/Ocsp ***/
|
|
|
+user_pref("security.OCSP.enabled", 1);
|
|
|
+/* 1212: require certificate revocation check through OCSP protocol
|
|
|
+ * [WARNING] Since FF44 the default is false. If set to true, this may/will cause some
|
|
|
+ * site breakage. Some users have previously mentioned issues with youtube, microsoft etc ***/
|
|
|
+ // user_pref("security.OCSP.require", true);
|
|
|
+/** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
|
|
|
+/* 1220: disable Microsoft Family Safety cert (Windows 8.1) (FF50+)
|
|
|
* 0 = disable detecting Family Safety mode and importing the root
|
|
|
* 1 = only attempt to detect Family Safety mode (don't import the root)
|
|
|
* 2 = detect Family Safety mode and import the root ***/
|
|
|
user_pref("security.family_safety.mode", 0);
|
|
|
-/* 1216: disable insecure active content on https pages - mixed content ***/
|
|
|
-user_pref("security.mixed_content.block_active_content", true);
|
|
|
-/* 1217: disable insecure passive content (such as images) on https pages - mixed context
|
|
|
- * current default=false, leave it this way as too many sites break visually ***/
|
|
|
- // user_pref("security.mixed_content.block_display_content", true);
|
|
|
-/* 1218: disable HSTS Priming (FF51+)
|
|
|
- * We disable it because formerly blocked mixed-content may load, may cause noticeable delays
|
|
|
- * eg requests time out, requests may not be handled well by servers, possible fingerprinting
|
|
|
- * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145 ***/
|
|
|
-user_pref("security.mixed_content.send_hsts_priming", false);
|
|
|
-user_pref("security.mixed_content.use_hsts", false);
|
|
|
-/* 1219: enforce HSTS preload list (default is true)
|
|
|
- * The list is compiled into Firefox and is used to always use HTTPS for the domains on that list
|
|
|
- * [1] https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
|
|
|
- * [2] https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List ***/
|
|
|
-user_pref("network.stricttransportsecurity.preloadlist", true);
|
|
|
-/* 1220: disable intermediate certificate caching (fingerprinting attack vector)
|
|
|
+/* 1221: disable intermediate certificate caching (fingerprinting attack vector)
|
|
|
* [NOTE] This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
|
|
|
* [WARNING] This affects login/cert/key dbs. The effect is all credentials are session-only.
|
|
|
* Saved logins and passwords are not available. Reset the pref and restart to return them.
|
|
|
+ * [TEST] https://fiprinca.0x90.eu/poc/
|
|
|
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1334485 - related bug
|
|
|
* [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1216882 - related bug (see comment 9) ***/
|
|
|
// user_pref("security.nocertdb", true); // (hidden pref)
|
|
|
-/* 1221: control "Add Security Exception" dialog on SSL warnings
|
|
|
+/* 1222: enforce strict pinning
|
|
|
+ ** PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
|
|
|
+ * [WARNING] If you rely on an AV (antivirus) to protect your web browsing
|
|
|
+ * by inspecting ALL your web traffic, then leave at current default=1
|
|
|
+ * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
|
|
|
+user_pref("security.cert_pinning.enforcement_level", 2);
|
|
|
+/* 1223: enforce HSTS preload list (default is true)
|
|
|
+ * The list is compiled into Firefox and used to always load those domains over HTTPS
|
|
|
+ * [1] https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
|
|
|
+ * [2] https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List ***/
|
|
|
+user_pref("network.stricttransportsecurity.preloadlist", true);
|
|
|
+/** MIXED CONTENT ***/
|
|
|
+/* 1240: disable insecure active content on https pages - mixed content ***/
|
|
|
+user_pref("security.mixed_content.block_active_content", true);
|
|
|
+/* 1241: disable insecure passive content (such as images) on https pages - mixed context
|
|
|
+ * [WARNING] when set to true, this will visually break many sites (March 2017) ***/
|
|
|
+ // user_pref("security.mixed_content.block_display_content", true);
|
|
|
+/* 1242: disable HSTS Priming (FF51+)
|
|
|
+ * Allowing HSTS Priming may load formerly blocked mixed-content, but it does so by
|
|
|
+ * sending additional priming requests which may cause noticeable delays eg requests time
|
|
|
+ * out or are not handled well by servers, and there are possible fingerprinting issues
|
|
|
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145 ***/
|
|
|
+ // user_pref("security.mixed_content.send_hsts_priming", false);
|
|
|
+ // user_pref("security.mixed_content.use_hsts", false);
|
|
|
+/** CIPHERS [see the section 1200 intro] ***/
|
|
|
+/* 1260: disable or limit SHA-1
|
|
|
+ * 0 = all SHA1 certs are allowed
|
|
|
+ * 1 = all SHA1 certs are blocked (including perfectly valid ones from 2015 and earlier)
|
|
|
+ * 2 = deprecated option that now maps to 1
|
|
|
+ * 3 = only allowed for locally-added roots (e.g. anti-virus)
|
|
|
+ * 4 = only allowed for locally-added roots or for certs in 2015 and earlier
|
|
|
+ * [WARNING] when disabled, some man-in-the-middle devices (eg security scanners and
|
|
|
+ * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
|
|
|
+ * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
|
|
|
+user_pref("security.pki.sha1_enforcement_level", 1);
|
|
|
+/* 1261: disable 3DES (effective key size < 128)
|
|
|
+ * [1] https://en.wikipedia.org/wiki/3des#Security
|
|
|
+ * [2] http://en.citizendium.org/wiki/Meet-in-the-middle_attack
|
|
|
+ * [3] http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
|
|
|
+user_pref("security.ssl3.rsa_des_ede3_sha", false);
|
|
|
+/* 1262: disable 128 bits ***/
|
|
|
+user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
|
|
|
+user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
|
|
|
+/* 1263: disable DHE (Diffie-Hellman Key Exchange)
|
|
|
+ * [WARNING] may break obscure sites, but not major sites, which should support ECDH over DHE
|
|
|
+ * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/
|
|
|
+user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
|
|
|
+user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
|
|
|
+/* 1264: disable the remaining non-modern cipher suites as of FF52
|
|
|
+ * [NOTE] commented out because it still breaks too many sites ***/
|
|
|
+ // user_pref("security.ssl3.rsa_aes_128_sha", false);
|
|
|
+ // user_pref("security.ssl3.rsa_aes_256_sha", false);
|
|
|
+/* 1265: block rc4 fallback (will be deprecated in 53) ***/
|
|
|
+user_pref("security.tls.unrestricted_rc4_fallback", false);
|
|
|
+/** UI (User Interface) ***/
|
|
|
+/* 1270: display warning (red padlock) for "broken security"
|
|
|
+ * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
|
|
|
+user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
|
|
|
+/* 1271: control "Add Security Exception" dialog on SSL warnings
|
|
|
* 0=do neither 1=pre-populate url 2+pre-populate url + pre-fetch cert (default)
|
|
|
* [1] https://github.com/pyllyukko/user.js/issues/210 ***/
|
|
|
user_pref("browser.ssl_override_behavior", 1);
|
|
|
-/* 1223: display advanced information on Insecure Connection warning pages (thanks crssi)
|
|
|
- * only works when it's possible to add an exception, i.e doesn't work for HSTS (https://subdomain.preloaded-hsts.badssl.com/)
|
|
|
+/* 1272: display advanced information on Insecure Connection warning pages
|
|
|
+ * only works when it's possible to add an exception
|
|
|
+ * i.e doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
|
|
|
* [TEST] https://expired.badssl.com/ ***/
|
|
|
user_pref("browser.xul.error_pages.expert_bad_cert", true);
|
|
|
-/* 1224: disable the remaining non-modern cipher suites as of FF52
|
|
|
- * [NOTE] commented out because it still breaks too many sites ***/
|
|
|
- // user_pref("security.ssl3.rsa_aes_128_sha", false);
|
|
|
- // user_pref("security.ssl3.rsa_aes_256_sha", false);
|
|
|
|
|
|
/*** 1400: FONTS ***/
|
|
|
user_pref("ghacks_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
|
Thorin-Oakenpants