mirror of
https://github.com/yokoffing/Betterfox.git
synced 2026-06-12 07:30:47 +05:30
Updated Optional Hardening (markdown)
+32
-30
@@ -27,6 +27,21 @@ user_pref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":tr
|
||||
|
||||
***
|
||||
|
||||
### Public Key Pinning
|
||||
[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
|
||||
|
||||
:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
|
||||
|
||||
:bulb: Try browsing with this pref enabled. Unless you experience the aforementioned drawbacks, we recommend you keep this override.
|
||||
|
||||
```javascript
|
||||
// PREF: enforce certificate pinning
|
||||
// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
|
||||
user_pref("security.cert_pinning.enforcement_level", 2);
|
||||
```
|
||||
|
||||
***
|
||||
|
||||
### Block embedded social posts on webpages
|
||||
This matches the default behavior of [Strict](https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection) Enhanced Tracking Protection.
|
||||
```javascript
|
||||
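Review bot: The new Public Key Pinning code block sets `security.cert_pinning.enforcement_level` to `2` without saying what `2` selects, and the :bulb: line recommends keeping the override "unless you experience the aforementioned drawbacks" without naming the value to fall back to. Suggest adding a comment in the block that lists the accepted values and marks the default, so a reader who hits `MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE` behind the antivirus interception described in the :warning: line knows what to revert to. The phrase "linking a website to its unique security key" in the intro paragraph would also be clearer if it said the pin is checked against the public keys in the certificate chain the site presents.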
@@ -112,15 +127,25 @@ user_pref("default-browser-agent.enabled", false);
|
||||
|
||||
***
|
||||
|
||||
### Public Key Pinning
|
||||
[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
|
||||
|
||||
:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
|
||||
### Secure DNS
|
||||
Setup and enforce DNS-over-HTTPS (DoH).
|
||||
|
||||
#### 1) Provider
|
||||
* Use the provider below for better [threat protection](https://quad9.net/service/threat-blocking/).
|
||||
* :star: Create a profile with [NextDNS](https://nextdns.io/?from=xujj63g5) and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config) for greater protection from ads, trackers, and security threats.
|
||||
```javascript
|
||||
// PREF: enforce certificate pinning
|
||||
// [ERROR] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
|
||||
user_pref("security.cert_pinning.enforcement_level", 2);
|
||||
// PREF: set DoH provider
|
||||
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
|
||||
```
|
||||
|
||||
#### 2) Mode
|
||||
* `3` has site-exceptions with a nice UI on the error page:
|
||||
* Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
|
||||
* :warning: Set to `2` if your workplace or university causes issues with alternative DNS.
|
||||
```javascript
|
||||
// PREF: enforce DNS-over-HTTPS (DoH)
|
||||
user_pref("network.trr.mode", 3);
|
||||
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
|
||||
```
|
||||
|
||||
***
|
||||
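Review bot: In the "2) Mode" code block, `network.dns.skipTRR-when-parental-control-enabled` is set to `false` under a comment that only describes `network.trr.mode`, and the bullets name modes `3` and `2` without saying how they differ. Suggest a one-line comment for the second pref and a sentence on what changes when a reader drops from `3` to `2` on a workplace or university network, since that is a security trade-off the reader is being asked to make. Two smaller points in the Provider part: "Setup and enforce" should read "Set up and enforce", and the NextDNS link carries a `?from=xujj63g5` parameter that the text does not disclose as a referral.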
@@ -153,29 +178,6 @@ user_pref("network.http.referer.XOriginPolicy", 1);
|
||||
|
||||
***
|
||||
|
||||
### Secure DNS
|
||||
Setup and enforce DNS-over-HTTPS (DoH).
|
||||
|
||||
#### 1) Provider
|
||||
* Use the provider below for better [threat protection](https://quad9.net/service/threat-blocking/).
|
||||
* :star: Create a profile with [NextDNS](https://nextdns.io/?from=xujj63g5) and follow our [configuration guide](https://github.com/yokoffing/NextDNS-Config) for greater protection from ads, trackers, and security threats.
|
||||
```javascript
|
||||
// PREF: set DoH provider
|
||||
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
|
||||
```
|
||||
|
||||
#### 2) Mode
|
||||
* `3` has site-exceptions with a nice UI on the error page:
|
||||
* Go to `☰` *→ Settings → Privacy & Security → DNS over HTTPS → Manage Exceptions*
|
||||
* :warning: Set to `2` if your workplace or university causes issues with alternative DNS.
|
||||
```javascript
|
||||
// PREF: enforce DNS-over-HTTPS (DoH)
|
||||
user_pref("network.trr.mode", 3);
|
||||
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
|
||||
```
|
||||
|
||||
***
|
||||
|
||||
### Fingerprinting
|
||||
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
|
||||
|
||||
|
||||
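Review bot: The Secure DNS section removed here, from the `### Secure DNS` heading through the `network.dns.skipTRR-when-parental-control-enabled` line, matches the text that appears in the previous hunk, so this part of the change is a reorder and not a content edit, yet the commit message "Updated Optional Hardening (markdown)" does not say so. Suggest a message that names the move (Public Key Pinning and Secure DNS relocated) and calls out the one new line, the :bulb: recommendation in the first hunk, so it is not lost among the moved text.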