From 76c2679545efa5f03479cfd443b368e1581442d3 Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado
Date: Tue, 20 Oct 2015 14:49:07 -0300
Subject: iceweasel: add more privacy settings and crypto hardening

---
 libre/iceweasel/PKGBUILD | 2 +-
 libre/iceweasel/vendor.js | 142 +++++++++++++++++++++++++++++++-----------------
 2 files changed, 98 insertions(+), 46 deletions(-)
(limited to 'libre/iceweasel')

diff --git a/libre/iceweasel/PKGBUILD b/libre/iceweasel/PKGBUILD
index 5db8dd1b4..10b92eda7 100644
--- a/libre/iceweasel/PKGBUILD
+++ b/libre/iceweasel/PKGBUILD
@@ -61,7 +61,7 @@ sha256sums=('707d44ac9a73868c5f2fe1832945ae66b297a8b7eaee3d45a43ab767fe9447cc'
 '56eba484179c7f498076f8dc603d8795e99dce8c6ea1da9736318c59d666bff6'
 '2257dc69886bd0b72c48675a27c3a88b9cf6b598252c9e9f1c99763180684fc3'
 '3aea6676f1e53a09673b6ae219d281fc28054beb6002b09973611c02f827651d'
-'af4e91893aa01d5f1cbd16f48ed118b344b86bedf5d1d52e68ff19ffec03e1d6'
+'481781aa1b4da21e58cbe88df2ca992250bf7a7cf7c79022393e4ba974fecaca'
 '68e3a5b47c6d175cc95b98b069a15205f027cab83af9e075818d38610feb6213')
 
 prepare() {
diff --git a/libre/iceweasel/vendor.js b/libre/iceweasel/vendor.js
index a32721594..b9386b559 100644
--- a/libre/iceweasel/vendor.js
+++ b/libre/iceweasel/vendor.js
@@ -11,41 +11,12 @@ pref("extensions.shownSelectionUI", true);
 // Disable "alt" as a shortcut key to open full menu bar. Conflicts with "alt" as a modifier
 pref("ui.key.menuAccessKeyFocuses", false);
 
-// Make sure that Firefox Social stuff are empty
-pref("social.whitelist", "");
-pref("social.directories", "");
-pref("social.shareDirectory", "");
-
 // Disable the GeoLocation API for content
 pref("geo.enabled", false);
 
 // Make sure that the request URL of the GeoLocation backend is empty
 pref("geo.wifi.uri", "");
 
-// Disable the least secure encryption protocols
-pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
-pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
-pref("security.ssl3.rsa_rc4_128_md5", false);
-pref("security.ssl3.rsa_rc4_128_sha", false);
-
-// Disable Sponsored Tiles
-pref("browser.newtabpage.directory.source", "data:application/json,{}");
-pref("browser.newtabpage.directory.ping", "");
-
-// Disable Firefox Hello and make sure that the request URLs of the Firefox Hello are empty
-pref("loop.enabled", false);
-pref("loop.feedback.baseUrl", "");
-pref("loop.gettingStarted.url", "");
-pref("loop.learnMoreUrl", "");
-pref("loop.legal.ToS_url", "");
-pref("loop.legal.privacy_url", "");
-pref("loop.oauth.google.redirect_uri", "");
-pref("loop.oauth.google.scope", "");
-pref("loop.server", "");
-pref("loop.soft_start_hostname", "");
-pref("loop.support_url", "");
-pref("loop.throttled2", false);
-
 // Disable Pocket and make sure that the request URLs of the Pocket are empty
 pref("browser.pocket.enabled", false);
 pref("browser.pocket.api", "");
@@ -54,33 +25,29 @@ pref("browser.pocket.oAuthConsumerKey", "");
 pref("browser.pocket.useLocaleList", false);
 pref("browser.pocket.enabledLocales", "");
 
-// Make sure that the request URL of the Discover Apps is empty
-pref("browser.apps.URL", "");
-
 // Disable Freedom Violating DRM Feature
 pref("browser.eme.ui.enabled", false);
 pref("media.eme.enabled", false);
 pref("media.eme.apiVisible", false);
 
-// Avoid openh264 being downloaded.
-pref("media.gmp-manager.url.override", "data:text/plain,");
-
-// Disable openh264.
-pref("media.gmp-provider.enabled", false);
-pref("media.gmp-gmpopenh264.provider.enabled", false);
-
 // Default to classic view for about:newtab
 pref("browser.newtabpage.enhanced", false);
 
 // Poodle attack
 pref("security.tls.version.min", 1);
 
+// Don't call home for blacklisting
+pref("extensions.blocklist.enabled", false);
+
 // Disable plugin installer
 pref("plugins.hide_infobar_for_missing_plugin", true);
 pref("plugins.hide_infobar_for_outdated_plugin", true);
 pref("plugins.notifyMissingFlash", false);
 
-// Speeding it up
+//https://developer.mozilla.org/en-US/docs/Web/API/MediaSource
+//pref("media.mediasource.enabled",true);
+
+//Speeding it up
 pref("network.http.pipelining", true);
 pref("network.http.proxy.pipelining", true);
 pref("network.http.pipelining.maxrequests", 10);
@@ -89,7 +56,10 @@ pref("nglayout.initialpaint.delay", 0);
 // Disable third party cookies
 pref("network.cookie.cookieBehavior", 1);
 
-// Disable app updater URL
+// Prevent EULA dialog to popup on first run
+pref("browser.EULA.override", true);
+
+// disable app updater url
 pref("app.update.url", "http://127.0.0.1/");"
 
 // Set useragent to Firefox compatible
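Review bot: `pref("extensions.blocklist.enabled", false);` switches off more than the phone-home its comment describes: with the blocklist disabled the browser no longer receives the list of known-malicious or vulnerable add-ons and plugins, and on builds that ship OneCRL certificate-revocation entries through the same blocklist channel it also stops receiving those, so a revoked intermediate CA would keep being accepted. That trade-off belongs next to the pref, e.g. `// NOTE: also stops add-on/plugin blocklist updates and any revocation data delivered through the blocklist — privacy traded for malware/revocation protection`. The commented-out `//pref("media.mediasource.enabled",true);` under a bare URL should say whether it is deliberately left off or a leftover.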
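Review bot: The context line `pref("app.update.url", "http://127.0.0.1/");"` in this hunk ends with a stray `"` that the commit leaves in place; it may be an extraction artifact, but if it is really in the file it is a syntax error in the prefs file. Depending on how the prefs parser recovers from an error, every pref after that point — including the crypto hardening added further down — could be silently ignored, so the shipped file should be checked and the line corrected to `pref("app.update.url", "http://127.0.0.1/");`.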
@@ -144,11 +114,47 @@ pref("plugin.state.flash", 1);
 pref("browser.search.update", false);
 // Warn when the page tries to redirect or refresh
 //pref("accessibility.blockautorefresh", true);
+pref("dom.battery.enabled", false);
+pref("device.sensors.enabled", false);
+pref("camera.control.face_detection.enabled", false);
+pref("camera.control.autofocus_moving_callback.enabled", false);
+pref("network.http.speculative-parallel-limit", 0);
+
+// Crypto hardening
+// https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
+//General settings
+pref("security.tls.unrestricted_rc4_fallback", false);
+pref("security.tls.insecure_fallback_hosts.use_static_list", false);
+pref("security.tls.version.min", 1);
+pref("security.ssl.require_safe_negotiation", true);
+pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+pref("security.ssl3.rsa_seed_sha", true);
+pref("security.OCSP.enabled", 1);
+pref("security.OCSP.require", true);
+//Disable unnecessary protocols
+pref("security.ssl3.rsa_rc4_128_sha", false);
+pref("security.ssl3.rsa_rc4_128_md5", false);
+pref("security.ssl3.rsa_des_ede3_sha", false);
+pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+// https://directory.fsf.org/wiki/Disable_DHE
+// Avoid logjam attack
+pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+pref("security.ssl3.dhe_dss_aes_128_sha", false);
+pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+//Optional
+//Perfect forward secrecy
+// pref("security.ssl3.rsa_aes_256_sha", false);
+//Force TLS 1.2
+// pref("security.tls.version.min", 3);
 
 // Disable channel updates
 pref("app.update.enabled", false);
 pref("app.update.auto", false);
+pref("font.default.x-western", "sans-serif");
+
 // Preferences for the Get Add-ons panel
 pref ("extensions.webservice.discoverURL", "https://directory.fsf.org/wiki/GNU_IceCat");
 pref ("extensions.getAddons.search.url",
 "https://directory.fsf.org/wiki/GNU_IceCat");
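Review bot: `pref("security.tls.version.min", 1);` is added here although the same pref is already set to 1 earlier in this file under `// Poodle attack` (visible as context in the `@@ -54,33` hunk); the duplicate is harmless today but the two copies can drift, and the `//Force TLS 1.2` alternative commented just below only takes effect if it is uncommented after both. Keep a single copy, preferably in this crypto section, and drop the earlier one. `pref("security.OCSP.require", true);` is a hard-fail setting — an unreachable OCSP responder makes the handshake fail instead of proceeding — which is the intended hardening but also an availability trade-off worth a one-line comment such as `// hard-fail: unreachable OCSP responder blocks the connection`. `pref("security.ssl3.rsa_seed_sha", true);` explicitly enables a plain-RSA (non-forward-secret) SEED suite inside a block whose stated goal is forward secrecy; if it was only inherited from the linked gist, disabling it or commenting why it is wanted would make the section consistent.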
@@ -166,10 +172,56 @@ pref("browser.webapps.checkForUpdates", 0);
 pref("browser.webapps.updateCheckUrl", "http://127.0.0.1/");
 pref("app.faqURL", "http://libreplanet.org/wiki/Group:IceCat/FAQ");
 
-// PFS URL
+// PFS url
 pref("pfs.datasource.url", "http://gnuzilla.gnu.org/plugins/PluginFinderService.php?mimetype=%PLUGIN_MIMETYPE%");
 pref("pfs.filehint.url", "http://gnuzilla.gnu.org/plugins/PluginFinderService.php?mimetype=%PLUGIN_MIMETYPE%");
 
-// https://directory.fsf.org/wiki/Disable_DHE
-pref("security.ssl3.dhe_rsa_aes_128_sha", false);
-pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+// Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
+pref("media.gmp-manager.url", "http://127.0.0.1/");
+pref("media.gmp-manager.url.override", "data:text/plain,");
+pref("media.gmp-provider.enabled", false);
+// Don't install openh264 codec
+pref("media.gmp-gmpopenh264.enabled", false);
+
+//Disable heartbeat
+pref("browser.selfsupport.url", "");
+
+//Disable Link to FireFox Marketplace, currently loaded with non-free "apps"
+pref("browser.apps.URL", "");
+
+//Disable Firefox Hello
+pref("loop.enabled",false);
+pref("loop.feedback.baseUrl", "");
+pref("loop.gettingStarted.url", "");
+pref("loop.learnMoreUrl", "");
+pref("loop.legal.ToS_url", "");
+pref("loop.legal.privacy_url", "");
+pref("loop.oauth.google.redirect_uri", "");
+pref("loop.oauth.google.scope", "");
+pref("loop.server", "");
+pref("loop.soft_start_hostname", "");
+pref("loop.support_url", "");
+pref("loop.throttled2",false);
+
+// Use old style preferences, that allow javascript to be disabled
+pref("browser.preferences.inContent",false);
+
+// Don't download ads for the newtab page
+pref("browser.newtabpage.directory.source", "");
+pref("browser.newtabpage.directory.ping", "");
+pref("browser.newtabpage.introShown", true);
+
+// Disable home snippets
+pref("browser.aboutHomeSnippets.updateUrl", "data:text/html");
+
+// Disable hardware acceleration and WebGL
+//pref("layers.acceleration.disabled", false);
+pref("webgl.disabled", false);
+
+// Disable SSDP
+pref("browser.casting.enabled", false);
+
+//Disable directory service
+pref("social.directories", "");
+pref("social.whitelist", "");
+pref("social.shareDirectory", "");
-- 
cgit v1.2.3
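Review bot: `pref("webgl.disabled", false);` sits under the comment `// Disable hardware acceleration and WebGL`, but `false` leaves WebGL enabled, so either the value should be `true` or the comment is wrong; as committed, the fingerprinting and GPU-driver exposure the comment implies it removes is still there. The commented-out `//pref("layers.acceleration.disabled", false);` has the same inverted sense — the value that would disable acceleration is `true` — and should either be removed or written as the intended setting. `pref("loop.enabled",false);`, `pref("loop.throttled2",false);` and `pref("browser.preferences.inContent",false);` drop the space after the comma that every other pref in the file uses.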