notkshitij/Betterfox
1
0
Fork 0
mirror of https://github.com/yokoffing/Betterfox.git synced 2026-06-12 15:40:48 +05:30
Code Issues Releases Wiki Activity

Updated Optional Hardening (markdown)

HJ
2023-10-04 22:13:05 -04:00
parent d20fe83084
commit 2fa33f6ae5
1 changed files with 40 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Optional-Hardening.md
+40 -36
@@ -42,6 +42,16 @@ user_pref("extensions.formautofill.creditCards.enabled", false);
*** ***
### Block embedded social posts on webpages
This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection.
```javascript
// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
user_pref("urlclassifier.trackingSkipURLs", "");
user_pref("urlclassifier.features.socialtracking.skipURLs", "");
```
***
### Public Key Pinning ### Public Key Pinning
[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website. [Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
@@ -57,16 +67,6 @@ user_pref("security.cert_pinning.enforcement_level", 2);
*** ***
### Block embedded social posts on webpages
This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection.
```javascript
// PREF: do not allow embedded tweets, Instagram, Reddit, and Tiktok posts
user_pref("urlclassifier.trackingSkipURLs", "");
user_pref("urlclassifier.features.socialtracking.skipURLs", "");
```
***
### HTTPS-Only Mode ### HTTPS-Only Mode
We already: We already:
* [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages, including insecure downloads * [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages, including insecure downloads
@@ -96,6 +96,35 @@ user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
*** ***
### `default-browser-agent` (Windows only)
On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) on what you've set as your default browser. However, disabling `default-browser-agent.enabled` also breaks the `Make Default...` button to set Firefox as the default browser.
Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser).
```javascript
// PREF: disable telemetry of what default browser you use [WINDOWS]
// [NOTE] Breaks "Make Default..." button in Settings.
user_pref("default-browser-agent.enabled", false);
```
***
### Require Safe Negotiation
Block connections to servers that don't support [RFC 5746](https://datatracker.ietf.org/doc/html/rfc5746) as they're potentially [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) to a man-in-the-middle attack.
A server without RFC 5746 can be safe from the attack if it disables renegotiations. However, the problem is that the browser can't know that. Setting this pref to `true` is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server.
:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
```javascript
// PREF: require safe SSL negotiation
// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
user_pref("security.ssl.require_safe_negotiation", true);
```
***
### Sanitize on close ### Sanitize on close
#### Option 1: Clear browsing data on shutdown, except browser history #### Option 1: Clear browsing data on shutdown, except browser history
* `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed* * `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed*
@@ -129,19 +158,6 @@ You can allow exceptions if you want to stay logged in to some sites:
*** ***
### `default-browser-agent` (Windows only)
On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) on what you've set as your default browser. However, disabling `default-browser-agent.enabled` also breaks the `Make Default...` button to set Firefox as the default browser.
Add it to your overrides if you do not use this part of the UI (or already have Firefox set as the default browser).
```javascript
// PREF: disable telemetry of what default browser you use [WINDOWS]
// [NOTE] Breaks "Make Default..." button in Settings.
user_pref("default-browser-agent.enabled", false);
```
***
### Secure DNS ### Secure DNS
Setup and enforce DNS-over-HTTPS (DoH). Setup and enforce DNS-over-HTTPS (DoH).
@@ -165,21 +181,9 @@ user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
*** ***
### Require Safe Negotiation
:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
```javascript
// PREF: require safe SSL negotiation
// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
user_pref("security.ssl.require_safe_negotiation", true);
```
***
### Fingerprinting ### Fingerprinting
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup> Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
By default, Firefox blocks [known](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/) third-party fingerprinting requests; and as of FF119+, ETP Strict also blocks [suspected fingerprinters](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting). By default, Firefox blocks [known fingerprinters](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/); and as of v.119, ETP Strict also blocks [suspected fingerprinters](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting).
Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting`. You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3). Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting`. You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3).