From 2fa33f6ae5eafb37b6cb89ee60495685058d00fb Mon Sep 17 00:00:00 2001
From: HJ <11689349+yokoffing@users.noreply.github.com>
Date: Wed, 4 Oct 2023 22:13:05 -0400
Subject: [PATCH] Updated Optional Hardening (markdown)

---
 Optional-Hardening.md | 76 +++++++++++++++++++++++--------------------
 1 file changed, 40 insertions(+), 36 deletions(-)

diff --git a/Optional-Hardening.md b/Optional-Hardening.md
index 78df693..364693c 100644
--- a/Optional-Hardening.md
+++ b/Optional-Hardening.md
@@ -42,6 +42,16 @@ user_pref("extensions.formautofill.creditCards.enabled", false);
 
 ***
 
+### Block embedded social posts on webpages
+This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection.
+```javascript
+// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
+user_pref("urlclassifier.trackingSkipURLs", "");
+user_pref("urlclassifier.features.socialtracking.skipURLs", "");
+```
+
+***
+
 ### Public Key Pinning
 [Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
 
@@ -57,16 +67,6 @@ user_pref("security.cert_pinning.enforcement_level", 2);
 
 ***
 
-### Block embedded social posts on webpages
-This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection.
-```javascript
-// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
-user_pref("urlclassifier.trackingSkipURLs", "");
-user_pref("urlclassifier.features.socialtracking.skipURLs", "");
-```
-
-***
-
 ### HTTPS-Only Mode
 We already:
 * [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages, including insecure downloads
@@ -96,6 +96,35 @@ user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
 
 ***
 
+### `default-browser-agent` (Windows only)
+On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) on what you've set as your default browser. However, disabling `default-browser-agent.enabled` also breaks the `Make Default...` button to set Firefox as the default browser.
+
+Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser).
+
+```javascript
+// PREF: disable telemetry of what default browser you use [WINDOWS]
+// [NOTE] Breaks "Make Default..." button in Settings.
+user_pref("default-browser-agent.enabled", false);
+```
+
+***
+
+### Require Safe Negotiation
+
+Block connections to servers that don't support [RFC 5746](https://datatracker.ietf.org/doc/html/rfc5746) as they're potentially [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) to a man-in-the-middle attack.
+
+A server without RFC 5746 can be safe from the attack if it disables renegotiations. However, the problem is that the browser can't know that. Setting this pref to `true` is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server.
+
+:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
+
+```javascript
+// PREF: require safe SSL negotiation
+// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
+user_pref("security.ssl.require_safe_negotiation", true);
+```
+
+***
+
 ### Sanitize on close
 #### Option 1: Clear browsing data on shutdown, except browser history
 * `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed*
@@ -129,19 +158,6 @@ You can allow exceptions if you want to stay logged in to some sites:
 
 ***
 
-### `default-browser-agent` (Windows only)
-On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) on what you've set as your default browser. However, disabling `default-browser-agent.enabled` also breaks the `Make Default...` button to set Firefox as the default browser.
-
-Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser).
-
-```javascript
-// PREF: disable telemetry of what default browser you use [WINDOWS]
-// [NOTE] Breaks "Make Default..." button in Settings.
-user_pref("default-browser-agent.enabled", false);
-```
-
-***
-
 ### Secure DNS
 Setup and enforce DNS-over-HTTPS (DoH).
 
@@ -165,21 +181,9 @@ user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 
 ***
 
-### Require Safe Negotiation
-
-:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
-
-```javascript
-// PREF: require safe SSL negotiation
-// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
-user_pref("security.ssl.require_safe_negotiation", true);
-```
-
-***
-
 ### Fingerprinting
 Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
 
-By default, Firefox blocks [known](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/) third-party fingerprinting requests; and as of FF119+, ETP Strict also blocks [suspected fingerprinters](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting).
+By default, Firefox blocks [known fingerprinters](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/); and as of v.119, ETP Strict also blocks [suspected fingerprinters](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting).
 
 Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting`. You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3).
\ No newline at end of file