From 0a12722a622465392a9de4c562e0c293bd797fa5 Mon Sep 17 00:00:00 2001
From: HJ <11689349+yokoffing@users.noreply.github.com>
Date: Wed, 4 Oct 2023 22:18:13 -0400
Subject: [PATCH] Updated Optional Hardening (markdown)
---
Optional-Hardening.md | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/Optional-Hardening.md b/Optional-Hardening.md
index 02f0717..adf9dbc 100644
--- a/Optional-Hardening.md
+++ b/Optional-Hardening.md
@@ -52,21 +52,6 @@ user_pref("urlclassifier.features.socialtracking.skipURLs", "");
 ***
-### Public Key Pinning
-[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
-
-:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
-
-:bulb: Unless you experience unwanted behavior during setup, we strongly recommend you add this override. Reset it to `0` if you run into issues.
-
-```javascript
-// PREF: enforce certificate pinning
-// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
-user_pref("security.cert_pinning.enforcement_level", 2);
-```
-
-***
-
 ### HTTPS-Only Mode
 We already:
 * [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages, including insecure downloads
@@ -109,6 +94,21 @@ user_pref("default-browser-agent.enabled", false);
 ***
+### Public Key Pinning
+[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
+
+:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
+
+:bulb: Unless you experience unwanted behavior during setup, we strongly recommend you add this override. Reset it to `0` if you run into issues.
+
+```javascript
+// PREF: enforce certificate pinning
+// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
+user_pref("security.cert_pinning.enforcement_level", 2);
+```
+
+***
+
 ### Require Safe Negotiation
 Block connections to servers that don't support [RFC 5746](https://datatracker.ietf.org/doc/html/rfc5746) as they're potentially [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) to a man-in-the-middle attack.