notkshitij/Betterfox
1
0
Fork 0
mirror of https://github.com/yokoffing/Betterfox.git synced 2026-06-12 07:30:47 +05:30
Code Issues Releases Wiki Activity

Updated Optional Hardening (markdown)

Hal
2024-04-25 11:18:42 -04:00
parent 6f977e3983
commit c9f3ffa95e
1 changed files with 46 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Optional-Hardening.md
+46 -14
@@ -58,7 +58,10 @@ user_pref("urlclassifier.features.socialtracking.skipURLs", "");
***
### HTTPS-Only Mode
Betterfox already [blocks](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages and [attempt to upgrade](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L545-L550) HTTP site navigation to HTTPS.
Betterfox already [blocks](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages and [attempts to upgrade](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L545-L550) HTTP site navigation to HTTPS.
> [!NOTE]
> HTTPS doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan. — [Scott Hanselman](https://www.hanselman.com/blog/how-do-we-know-if-mobile-apps-are-secure)
#### Option 1: Private windows only
Firefox will get explicit permission from you before connecting to a site insecurely in [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) (Firefox [incognito mode](https://support.mozilla.org/en-US/kb/common-myths-about-private-browsing)).
@@ -80,8 +83,6 @@ user_pref("dom.security.https_only_mode", true);
user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
```
:lock: HTTPS doesn't mean "trust this." It means "this is private." You may be having a private conversation with Satan. — [Scott Hanselman](https://www.hanselman.com/blog/how-do-we-know-if-mobile-apps-are-secure)
***
### Disk Cache
@@ -101,9 +102,11 @@ user_pref("browser.cache.disk.enable", false);
### Public Key Pinning
[Public Key Pinning](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) (PKP) is a tool that boosts the safety of [SSL certificates](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/) by linking a website to its unique security key. This process ensures that the website you're visiting is real and not fake. PKP stops any attempts to trick your computer into connecting with a fraudulent website.
:warning: Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
> [!WARNING]
> Sometimes antivirus software — or some other [source](https://github.com/yokoffing/Betterfox/issues/232#issuecomment-1732346856) — won't let you open websites ([example](https://www.reddit.com/r/firefox/comments/16mlv15/kaspersky_cant_scan_encrypted_connections_with/)).
:bulb: Reset it to `1` if you run into issues.
> [!TIP]
> Reset it to `1` if you run into issues.
```javascript
// PREF: enforce certificate pinning
@@ -119,6 +122,9 @@ user_pref("security.cert_pinning.enforcement_level", 2);
You can allow exceptions if you want to stay logged in to some sites.
* `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions*
> [!TIP]
> If you have [session restore](https://support.mozilla.org/en-US/kb/how-do-i-restore-my-tabs-last-time#w_restore-the-previous-session-every-time-you-open-firefox) enable, then you will need to use **Option 1** for session restore to work.
#### Option 1: Clear cookies and cache on shutdown
* `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed*
```javascript
@@ -152,8 +158,6 @@ user_pref("privacy.clearOnShutdown.siteSettings", false);
user_pref("browser.sessionstore.privacy_level", 2);
```
:bulb: If you have [session restore](https://support.mozilla.org/en-US/kb/how-do-i-restore-my-tabs-last-time#w_restore-the-previous-session-every-time-you-open-firefox) enable, then you will need to use **Option 1** for session restore to work.
***
### Secure DNS
@@ -171,7 +175,8 @@ user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
#### Option 1: Increased Protection
[Increased Protection](https://support.mozilla.org/en-US/kb/dns-over-https#w_protection-levels-explained) will switch back to your local provider if there are any issues.
:bulb: Use this setting if your workplace or university causes issues with alternative DNS.
> [!TIP]
> Use this setting if your workplace or university causes issues with alternative DNS.
```javascript
// PREF: enforce DNS-over-HTTPS (DoH)
@@ -193,13 +198,32 @@ Add sites to the [exceptions list](https://support.mozilla.org/en-US/kb/dns-over
***
### Disable DRM
Privacy-conscious people often dislike Digital Rights Management (DRM) because it restricts what users can do with their devices and limits fair use rights. DRM prevents users from copying, sharing, or changing content they bought, even for their own use. DRM allow browsers to communicate to outside servers to check licenses and rights, which can share data about what users do and watch.
> [!WARNING]
> Disabling DRM will prevent most popular streaming platforms from functioning properly. Spotify, Apple Music, Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV, and other streaming services will not work with DRM disabled.
```javascript
// PREF: disable all DRM content
user_pref("media.eme.enabled", false);
// PREF: hide the setting; this also disables the DRM prompt (optional)
user_pref("browser.eme.ui.enabled", false);
```
You can confirm if DRM is disabled by going [here](https://bitmovin.com/demos/drm).
***
### Require Secure Renegotiation
Block connections to servers that do not support RFC 5746, as they are potentially [vulnerable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555) to man-in-the-middle attacks.
A server without [RFC 5746](https://datatracker.ietf.org/doc/html/rfc5746) can be safe from the attack if it disables renegotiations. However, the browser cannot know that. Setting this pref to `true` is the only way to ensure no unsafe renegotiations occur between the browser and the server.
:warning: Some sites, like `EA.com`, will not let you login due to their weak encryption.
> [!WARNING]
> Some sites, like `EA.com`, will not let you login due to their weak encryption.
```javascript
// PREF: require safe SSL negotiation
@@ -212,9 +236,11 @@ user_pref("security.ssl.require_safe_negotiation", true);
### default-browser-agent
On Windows, Mozilla [collects](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) information on what you've set as your default browser.
:warning: Breaks **Make Default...** button to set Firefox as the default browser on Windows.
> [!WARNING]
> Breaks **Make Default...** button to set Firefox as the default browser on Windows.
:bulb: Add this pref if you do not use this UI or if you have already set Firefox as the default browser.
> [!TIP]
> Add this pref if you do not use this UI or if you have already set Firefox as the default browser.
```javascript
// PREF: disable telemetry of what default browser you use [WINDOWS]
@@ -226,8 +252,14 @@ user_pref("default-browser-agent.enabled", false);
### Fingerprinting
Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup> Please use the [Tor Browser](https://www.torproject.org) if your context calls for **anonymity** and not just reasonable **privacy**.<sup>^[*what's the difference?*](https://thenewoil.org/en/guides/prologue/secprivanon/)</sup>
By default, Firefox blocks [known fingerprinters](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/); and as of v.119, ETP Strict also blocks [suspected fingerprinters](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting).
By default, Firefox blocks [known fingerprinters](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/); and as of v.119, ETP Strict also blocks [suspected fingerprinters](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting). Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting` (RFP). You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3).
Betterfox does not enable [additional protection](https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting) known as `privacy.resistFingerprinting`. You can read why [here](https://old.reddit.com/r/firefox/comments/wuqpgi/are_there_any_aboutconfig_tweaks_to_get_smooth/ile3whx/?context=3).
Most of our security and privacy tweaks come from AF. Just like that project, Betterfox usually focuses on [state](https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning) and other cross-origin linkability mechanisms like navigational tracking. (**State** means client-side data stored on disk or memory, such as the items listed [here](https://privacycg.github.io/storage-partitioning/).)
For more information on our fingerprint protection, see [here](https://github.com/arkenfox/user.js/wiki/1.1-to-arkenfox-or-not#:~:text=Most%20of%20the%20above%20deals%20with) and [here](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting).
We also encourage you to read AF's [explainer](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) on RFP and fingerprinting, some of which we echo here:
* Except for Tor Browser and Mullvad Browser, web browsers can only effectively fool naive fingerprinting scripts.
* However, starting with version 120, Firefox uses FPP (fingerprintingProtection), which subtly randomizes canvas per eTLD+1, session, and window-mode.
* We do not and never have claimed to defeat advanced fingerprinting. Betterfox does not care if a few preferences change any metrics, because [you are already unique](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting).
* Betterfox prioritizes privacy, security, speed, convenience, and minimalism in that order. However, this is always a balancing act.
* Where it makes sense for the average user, Betterfox focuses on mitigating real forms of tracking rather than prioritizing the potential threat of a widespread advanced fingerprinting script.
* We encourage you to use a secondary browser for the occasional site glitch. Sometimes it's because of Betterfox. Other times, it's Firefox itself or ad block filters not getting along with the page.