notkshitij/Betterfox
1
0
Fork 0
mirror of https://github.com/yokoffing/Betterfox.git synced 2026-06-12 15:40:48 +05:30
Code Issues Releases Wiki Activity

Updated Optional Hardening (markdown)

yokoffing
2023-10-09 17:48:41 -04:00
parent d95e4357ca
commit 9a8a7e8e69
1 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Optional-Hardening.md
+16 -16
@@ -111,22 +111,6 @@ user_pref("security.cert_pinning.enforcement_level", 2);
***
### Require Safe Negotiation
Block connections to servers that don't support [RFC 5746](https://datatracker.ietf.org/doc/html/rfc5746) as they're potentially [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) to a man-in-the-middle attack.
A server without RFC 5746 can be safe from the attack if it disables renegotiations. However, the problem is that the browser can't know that. Setting this pref to `true` is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server.
:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
```javascript
// PREF: require safe SSL negotiation
// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
user_pref("security.ssl.require_safe_negotiation", true);
```
***
### Sanitize on close
#### Option 1: Clear browsing data on shutdown, except browser history
* `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed*
@@ -186,6 +170,22 @@ user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
***
### Require Safe Negotiation
Block connections to servers that don't support [RFC 5746](https://datatracker.ietf.org/doc/html/rfc5746) as they're potentially [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) to a man-in-the-middle attack.
A server without RFC 5746 can be safe from the attack if it disables renegotiations. However, the problem is that the browser can't know that. Setting this pref to `true` is the only way for the browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server.
:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
```javascript
// PREF: require safe SSL negotiation
// [ERROR] SSL_ERROR_UNSAFE_NEGOTIATION
user_pref("security.ssl.require_safe_negotiation", true);
```
***
### Fingerprinting
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>