diff --git a/librewolf.cfg/controversial.js b/librewolf.cfg/controversial.js
deleted file mode 100644
index 3795d59..0000000
--- a/librewolf.cfg/controversial.js
+++ /dev/null
@@ -1,5 +0,0 @@
-//lockPref("dom.indexedDB.logging.details", false);
-//lockPref("dom.indexedDB.logging.enabled", false);
-//lockPref("network.http.spdy.enabled", false);
-//lockPref("network.http.spdy.enabled.deps", false);
-//lockPref("network.http.spdy.enabled.http2", false);
diff --git a/librewolf.cfg/controversial.json b/librewolf.cfg/controversial.json
index 2596e1a..948c845 100644
--- a/librewolf.cfg/controversial.json
+++ b/librewolf.cfg/controversial.json
@@ -7,10 +7,50 @@ "value": true }, + { + "enabled": false, + "comments": "", + "type": "lockPref", + "key": "dom.indexedDB.logging.details", + "value": false + }, + + { + "enabled": false, + "comments": "", + "type": "lockPref", + "key": "dom.indexedDB.logging.enabled", + "value": false + }, + { "comments": "", "type": "lockPref", "key": "dom.w3c_pointer_events.enabled", "value": false + }, + + { + "enabled": false, + "comments": "", + "type": "lockPref", + "key": "network.http.spdy.enabled", + "value": false + }, + + { + "enabled": false, + "comments": "", + "type": "lockPref", + "key": "network.http.spdy.enabled.deps", + "value": false + }, + + { + "enabled": false, + "comments": "", + "type": "lockPref", + "key": "network.http.spdy.enabled.http2", + "value": false } ]
diff --git a/librewolf.cfg/defaulting.js b/librewolf.cfg/defaulting.js
deleted file mode 100644
index 759d6a7..0000000
--- a/librewolf.cfg/defaulting.js
+++ /dev/null
@@ -1,4 +0,0 @@
-//defaultPref("intl.accept_languages", "en-US, en"); //This make lang windows unusable
-//defaultPref("network.http.sendRefererHeader", 1);
-//defaultPref("extensions.ui.dictionary.hidden", false);
-//defaultPref("extensions.ui.locale.hidden", false);
diff --git a/librewolf.cfg/defaulting.json b/librewolf.cfg/defaulting.json
index 2c38e54..c58643b 100644
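Review bot: All five new entries in controversial.json carry `"comments": ""`, and because this commit also deletes `controversial.js`, the repository no longer records why `dom.indexedDB.logging.*` and `network.http.spdy.*` were considered controversial or why they are shipped with `"enabled": false`. The same empty-comment migration appears in the three `defaulting.json` hunks (`network.http.sendRefererHeader`, `extensions.ui.dictionary.hidden`, `extensions.ui.locale.hidden`). A one-line rationale per entry, even `"comments": "TODO(owner): rationale lost in .js -> .json migration"`, would keep that context next to the setting. The pre-existing `dom.w3c_pointer_events.enabled` entry has no `"enabled"` key at all, so the loader presumably treats a missing key as enabled; that convention is worth stating once in the file's documentation so the new disabled entries are not misread.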
--- a/librewolf.cfg/defaulting.json
+++ b/librewolf.cfg/defaulting.json
@@ -7,6 +7,15 @@ "value": 2 }, + { + "enabled": false, + "comments": "", + "notes": "This makes lang windows unusable", + "type": "defaultPref", + "key": "intl.accept_languages", + "value": "en-US, en" + }, + { "comments": "", "type": "defaultPref",
@@ -84,6 +93,14 @@ "value": false }, + { + "enabled": false, + "comments": "", + "type": "defaultPref", + "key": "network.http.sendRefererHeader", + "value": 1 + }, + { "comments": "", "type": "defaultPref",
@@ -173,5 +190,21 @@ "type": "defaultPref", "key": "extensions.ui.experiment.hidden", "value": false + }, + + { + "enabled": false, + "comments": "", + "type": "defaultPref", + "key": "extensions.ui.dictionary.hidden", + "value": false + }, + + { + "enabled": false, + "comments": "", + "type": "defaultPref", + "key": "extensions.ui.locale.hidden", + "value": false } ]
diff --git a/librewolf.cfg/performance.js b/librewolf.cfg/performance.js
deleted file mode 100644
index 064c722..0000000
--- a/librewolf.cfg/performance.js
+++ /dev/null
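Review bot: In the second defaulting.json hunk, `network.http.sendRefererHeader` is added with `"value": 1` and no comment, but this pref is a mode selector rather than a boolean (0 = never send, 1 = send only for user-clicked links, 2 = send for links and embedded resources, the default), so a reader cannot tell from the entry what policy the disabled entry would impose. Suggest `"comments": "Referer only on user-clicked links (0=never, 1=clicked links, 2=links+resources/default)"`. In the first hunk the `notes` on `intl.accept_languages` ("This makes lang windows unusable") should name which window is meant, presumably the language-preferences UI, so the reason it is kept `"enabled": false` can be re-tested later.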
@@ -1,128 +0,0 @@
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Performance 1/5
-// Defaulting settings - HW Settings can be checked under about:support
-// Bench Diff : +650/5000
-// >>>>>>>>>>>>>>>>>>>>>>
-
-// Bench Diff : +100/5000
-// Pref : Increases animation speed. May mitigate choppy scrolling.
-defaultPref("layout.frame_rate.precise", true);
-
-// Bench Diff : +500/5000
-// Pref : Enable Hardware Acceleration and Off Main Thread Compositing (OMTC).
-// It's likely your browser is already set to use these features.
-// May introduce instability on some hardware.
-// Tor compatibility - have inverted values in tor.
-defaultPref("webgl.force-enabled", true);
-defaultPref("layers.acceleration.force-enabled", true);
-
-// Pref : 2508: disable hardware acceleration to reduce graphics fingerprinting
-// [SETTING] General>Performance>Custom>Use hardware acceleration when available
-// [SETUP-PERF] Affects text rendering (fonts will look different) and impacts video performance. 
-// Parts of Quantum that utilize the GPU will also be affected as they are rolled out
-// [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
-// Resolved by extension
-defaultPref("gfx.direct2d.disabled", false); // [WINDOWS]
-defaultPref("layers.acceleration.disabled", false);
-
-// Bench Diff : 0/5000
-// Pref :
-defaultPref("html5.offmainthread", true); //default true
-defaultPref("layers.offmainthreadcomposition.enabled", true);
-defaultPref("layers.offmainthreadcomposition.async-animations", true);
-defaultPref("layers.async-video.enabled", true);
-
-// Bench Diff : +50/5000
-// Pref : Deprecated Active
-defaultPref("browser.tabs.animate", false);
-
-// Pref : The impact for this one is negligible
-//defaultPref("browser.download.animateNotifications", false);
-
-// Bench Diff : -80/5000
-// Pref : Spoof CPU Core Def 16
-// Default settings seems to be the best
-//defaultPref("dom.maxHardwareConcurrency", 8);
-
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Performance 2/5
-// Bench Diff : -800/5000
-// >>>>>>>>>>>>>>>>>>>>>>
-
-// Bench Diff : -500/5000
-// Pref : Tell garbage collector to start running when javascript is using xx MB of memory.
-// Garbage collection releases memory back to the system. 
-// Default settings seems to be the best
-//lockPref("javascript.options.mem.high_water_mark", 96);
-
-// Bench Diff : -200/5000
-// Pref : Disable WebAssembly
-// https://webassembly.org/
-// https://en.wikipedia.org/wiki/WebAssembly
-// https://trac.torproject.org/projects/tor/ticket/21549
-// Solved by extension disabled here for performance
-//lockPref("javascript.options.wasm", false);
-
-// Bench Diff : -100/5000
-// Pref : Prevent font fingerprinting
-// https://browserleaks.com/fonts
-// https://github.com/pyllyukko/user.js/issues/120
-// Solved by extension disabled here for performance
-//lockPref("browser.display.use_document_fonts", 0);
-
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Performance 3/5
-// Bench Diff : -1720/5000
-// >>>>>>>>>>>>>>>>>>>>>>>
-
-// Bench Diff : -220/5000
-// Pref : Disable webGL I/II
-// WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware)
-defaultPref("webgl.disabled", false); // Tor have it false but the rest is the same (webgl)
-// This does not leak
-lockPref("webgl.enable-webgl2", false);
-lockPref("webgl.min_capability_mode", true);
-
-// Bench Diff : 0/5000
-// Pref : Disable webGL II/II
-// WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware)
-lockPref("pdfjs.enableWebGL", false);
-lockPref("webgl.disable-extensions", true);
-lockPref("webgl.disable-fail-if-major-performance-caveat", true);
-lockPref("webgl.enable-debug-renderer-info", false); //Deprecated Active
-
-// Bench Diff : -1500/5000
-// Pref : Disable asm.js
-// http://asmjs.org/
-// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
-// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
-// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
-// Solved by extension disabled here for performance
-// Tor enforce this 
-//lockPref("javascript.options.asmjs", false);
-
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Performance 4/5
-// Bench Diff : -200/5000
-// >>>>>>>>>>>>>>>>>>>>>>
-
-// Bench Diff : -200/5000
-// Pref : JS Shared Memory - Default false
-// https://github.com/MrAlex94/Waterfox/issues/356
-lockPref("javascript.options.shared_memory", false);
-
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Performance 5/5
-// Bench Diff : -50/5000
-// >>>>>>>>>>>>>>>>>>>>>
-
-// Bench Diff : -50/5000
-// Pref : 2302 : disable service workers
-// Service workers essentially act as proxy servers that sit between web apps, and the browser
-// and network. They are event-driven, and can control the web page/site it is associated with,
-// intercepting and modifying navigation and resource requests, and caching resources.
-// SW may decrease performance depending on the script that is running in background.
-// So overall, disabling SW should enhance performance because it blocks SW Scripts.
-// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
-// [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access.
-lockPref("dom.serviceWorkers.enabled", false);
diff --git a/librewolf.cfg/performance.json b/librewolf.cfg/performance.json
index 84641cd..fc56596 100644
--- a/librewolf.cfg/performance.json
+++ b/librewolf.cfg/performance.json
@@ -1,38 +1,49 @@ [ { - "comments": "", + "comments": "Increases animation speed", + "notes": "May mitigate choppy scrolling", "type": "defaultPref", "key": "layout.frame_rate.precise", "value": true }, { - "comments": "", + "comments": "Enable Hardware Acceleration and Off Main Thread Compositing (OMTC)", + "notes": "It's likely your browser is already set to use these features. May introduce instability on some hardware. Tor compatibility - have inverted values in tor.", "type": "defaultPref", "key": "webgl.force-enabled", "value": true }, { - "comments": "", + "comments": "Enable Hardware Acceleration and Off Main Thread Compositing (OMTC)", + "notes": "It's likely your browser is already set to use these features. May introduce instability on some hardware. Tor compatibility - have inverted values in tor.", "type": "defaultPref", "key": "layers.acceleration.force-enabled", "value": true }, { - "comments": "", + "comments": "Disable hardware acceleration to reduce graphics fingerprinting", + "notes": "[WINDOWS]\nAffects text rendering (fonts will look different) and impacts video performance. Parts of Quantum that utilize the GPU will also be affected as they are rolled out\nGeneral>Performance>Custom>Use hardware acceleration when available", "type": "defaultPref", "key": "gfx.direct2d.disabled", - "value": false + "value": false, + "references": [ + "https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration" + ] }, { - "comments": "", + "comments": "Disable hardware acceleration to reduce graphics fingerprinting", + "notes": "Affects text rendering (fonts will look different) and impacts video performance. Parts of Quantum that utilize the GPU will also be affected as they are rolled out\nGeneral>Performance>Custom>Use hardware acceleration when available", "type": "defaultPref", "key": "layers.acceleration.disabled", - "value": false + "value": false, + "references": [ + "https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration" + ] }, { 
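Review bot: The `comments` added for `gfx.direct2d.disabled` and `layers.acceleration.disabled` read "Disable hardware acceleration to reduce graphics fingerprinting", yet both entries keep `"value": false`, i.e. hardware acceleration stays on; the deleted `performance.js` carried "Resolved by extension" beside these two lines, which explained the inversion, and that sentence did not survive into `notes`. As written, anyone auditing the fingerprinting posture from this file would conclude the opposite of what the config does. Suggest `"comments": "Hardware acceleration left enabled; graphics-fingerprinting concern delegated to an extension (see notes)"` and keep the descriptive "disable hardware acceleration…" text in `notes` as the upstream rationale. The same text is duplicated verbatim across the two entries and across the two `force-enabled` entries above them; a single `notes` mention that they are a matched pair would be easier to keep consistent.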
@@ -65,27 +76,83 @@ { "comments": "", + "notes": "Deprecated Active", "type": "defaultPref", "key": "browser.tabs.animate", "value": false }, { + "enabled": false, "comments": "", + "notes": "The impact for this one is negligible", + "type": "defaultPref", + "key": "browser.download.animateNotifications", + "value": false + }, + + { + "enabled": false, + "comments": "Spoof CPU Core Def 16", + "notes": "Default settings seems to be the best", + "type": "defaultPref", + "key": "dom.maxHardwareConcurrency", + "value": 8 + }, + + { + "enabled": false, + "comments": "Tell garbage collector to start running when javascript is using xx MB of memory.", + "notes": "Garbage collection releases memory back to the system. Default settings seems to be the best", + "type": "lockPref", + "key": "javascript.options.mem.high_water_mark", + "value": 96 + }, + + { + "enabled": false, + "comments": "Disable WebAssembly", + "notes": "Solved by extension disabled here for performance", + "type": "lockPref", + "key": "javascript.options.wasm", + "value": false, + "references": [ + "https://webassembly.org/", + "https://en.wikipedia.org/wiki/WebAssembly", + "https://trac.torproject.org/projects/tor/ticket/21549" + ] + }, + + { + "enabled": false, + "comments": "Prevent font fingerprinting", + "notes": "Solved by extension disabled here for performance", + "type": "lockPref", + "key": "browser.display.use_document_fonts", + "value": 0, + "references": [ + "https://browserleaks.com/fonts", + "https://github.com/pyllyukko/user.js/issues/120" + ] + }, + + { + "comments": "", + "notes": "WebGL introduces high fingerprinting (WebGL is a js API for directly accessing hardware). 
Tor has it as `false` but the rest is the same.", "type": "defaultPref", "key": "webgl.disabled", "value": false }, { - "comments": "", + "comments": "This prevents WebGL data leaks", "type": "lockPref", "key": "webgl.enable-webgl2", "value": false }, { - "comments": "", + "comments": "This prevents WebGL data leaks", "type": "lockPref", "key": "webgl.min_capability_mode", "value": true 
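Review bot: `javascript.options.wasm` and `browser.display.use_document_fonts` are added with `"enabled": false` and the rationale "Solved by extension disabled here for performance", but neither entry names the extension, so nobody can later verify that the mitigation is still present or that the extension is actually shipped/installed. Suggest `"notes": "Left enabled for performance; WASM/font fingerprinting handled by <extension name - TODO fill in>"` on each, and the same for the `javascript.options.asmjs` entry in the next hunk. Separately, `webgl.enable-webgl2` and `webgl.min_capability_mode` now say "This prevents WebGL data leaks" where the deleted file only said "This does not leak", which is a stronger claim than the source supported; hedge it or add a `references` entry that backs it. The `notes` on `webgl.disabled` (a `defaultPref` kept at `false`) also explains the fingerprinting risk without saying why WebGL is nevertheless left on.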
@@ -114,20 +181,40 @@ { "comments": "", + "notes": "Deprecated Active", "type": "lockPref", "key": "webgl.enable-debug-renderer-info", "value": false }, { - "comments": "", + "enabled": false, + "comments": "Disable asm.js", + "notes": "Solved by extension disabled here for performance. Tor enforces this.", "type": "lockPref", - "key": "javascript.options.shared_memory", - "value": false + "key": "javascript.options.asmjs", + "value": false, + "references": [ + "http://asmjs.org/", + "https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/", + "https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712" + ] }, { - "comments": "", + "comments": "JS Shared Memory", + "type": "lockPref", + "key": "javascript.options.shared_memory", + "value": false, + "references": [ + "https://github.com/MrAlex94/Waterfox/issues/356" + ] + }, + + { + "comments": "Disable service workers", + "notes": "Service workers essentially act as proxy servers that sit between web apps, and the browser and network. They are event-driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources. SW may decrease performance depending on the script that is running in background. So overall, disabling SW should enhance performance because it blocks SW Scripts.\nService worker APIs are hidden (in Firefox) and cannot be used when in PB mode.\nService workers only run over HTTPS. Service Workers have no DOM access.", "type": "lockPref", "key": "dom.serviceWorkers.enabled", "value": false diff --git a/librewolf.cfg/security.js b/librewolf.cfg/security.js deleted file mode 100644 index 4662e1d..0000000 --- a/librewolf.cfg/security.js +++ /dev/null 
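Review bot: The new `javascript.options.asmjs` entry is `"enabled": false`, yet its `references` list two Mozilla advisories and a CVE (all 2015 by their identifiers) as if they were the live reason for the setting; a reader will assume asm.js is disabled for those advisories when the entry does nothing. Suggest saying so in `notes`, e.g. `"notes": "Entry intentionally disabled: asm.js stays enabled for performance; the 2015 advisories are historical context, mitigation delegated to an extension."`. The `notes` on `dom.serviceWorkers.enabled` justify a hard `lockPref` on performance grounds only; since the note itself says service workers intercept requests and cache resources, a sentence on what users lose (sites that depend on them for offline or background features) would help anyone deciding whether a lock, rather than a default, is the right level. The diff also moves `javascript.options.shared_memory` below the new entry, so the `-`/`+` pairing here is a reorder, not a value change.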
@@ -1,129 +0,0 @@
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Security 1/3
-// Bench Diff : +0/5000
-// >>>>>>>>>>>>>>>>>>>>
-
-// Pref : Enable insecure password warnings (login forms in non-HTTPS pages)
-// https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1319119
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
-lockPref("security.insecure_password.ui.enabled", true);
-
-// Pref : Show in-content login form warning UI for insecure login fields
-// https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317
-lockPref("security.insecure_field_warning.contextual.enabled", true);
-
-// Pref : Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)
-// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
-// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
-// https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
-lockPref("network.stricttransportsecurity.preloadlist", false);
-
-// Pref : Disable TLS Session Tickets
-// https://www.blackhat.com/us-13/briefings.html#NextGen
-// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
-// https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf
-// https://bugzilla.mozilla.org/show_bug.cgi?id=917049
-// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
-// SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
-// Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
-// this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking
-lockPref("security.ssl.disable_session_identifiers", true);
-
-// Pref : Blocking GD Parking Scam Site
-// TODO: do we still need this? 
librefox.com isn't relevant anymore and this pretty much
-// only tells LibreWolf to look for librefox.com locally
-defaultPref("network.dns.localDomains", "librefox.com");
-
-// Pref : Disable insecure TLS version fallback
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1084025
-// https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645
-lockPref("security.tls.version.fallback-limit", 3);
-
-// Pref : Only allow TLS 1.[0-3]
-// http://kb.mozillazine.org/Security.tls.version.*
-lockPref("security.tls.version.min", 2);
-
-// Pref : Enfore Public Key Pinning
-// https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
-// https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
-// "2. Strict. Pinning is always enforced."
-lockPref("security.cert_pinning.enforcement_level", 2);
-
-// Pref : Disallow SHA-1
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1302140
-// https://shattered.io/
-lockPref("security.pki.sha1_enforcement_level", 1);
-
-// Pref : Warn the user when server doesn't support RFC 5746 ("safe" renegotiation)
-// https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken
-// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
-lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
-
-// Pref : Pre-populate the current URL but do not pre-fetch the certificate in the
-// "Add Security Exception" dialog
-// http://kb.mozillazine.org/Browser.ssl_override_behavior
-// https://github.com/pyllyukko/user.js/issues/210
-lockPref("browser.ssl_override_behavior", 1);
-
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Security 2/3
-// Bench Diff : +0/5000
-// >>>>>>>>>>>>>>>>>>>>
-
-// Pref :
-lockPref("security.ssl.errorReporting.automatic", false);
-lockPref("security.ssl.errorReporting.url", "");
-
-// Pref : Check disabled section
-// OCSP leaks the visited sites. 
Exactly same issue as with safebrowsing.
-// Stapling forces the site to prove that its certificate is good
-// through the CA, so apparently nothing is leaked in this case.
-// [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-lockPref("security.OCSP.enabled", 0);
-lockPref("security.OCSP.require", false);
-lockPref("security.ssl.enable_ocsp_stapling", true);
-
-// Pref :
-lockPref("security.ssl.errorReporting.enabled", false);
-
-// Pref : Manage certificates button
-//lockPref("security.disable_button.openCertManager", false);
-// Disabled because of a bug that disables the button regardless of its value
-
-// Pref : Manage security devices button
-//lockPref("security.disable_button.openDeviceManager", false);
-// Disabled because of a bug that disables the button regardless of its value
-
-// Pref :
-lockPref("security.mixed_content.upgrade_display_content", true);
-lockPref("security.mixed_content.block_object_subrequest", true);
-lockPref("security.mixed_content.block_display_content", true);
-lockPref("security.mixed_content.block_active_content", true);
-
-// Pref :
-lockPref("security.insecure_connection_icon.enabled", true);
-lockPref("security.insecure_connection_icon.pbmode.enabled", true);
-lockPref("security.insecure_connection_text.enabled", true);
-
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// Section : Security 3/3 (Cipher)
-// Bench Diff : +0/5000
-// >>>>>>>>>>>>>>>>>>>>
-
-// Pref :
-lockPref("security.ssl3.rsa_des_ede3_sha", false);
-lockPref("security.ssl3.rsa_aes_256_sha", false);
-lockPref("security.ssl3.rsa_aes_128_sha", false);
-
-// Pref : Disable RC4
-// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
-// https://bugzilla.mozilla.org/show_bug.cgi?id=1138882
-// https://rc4.io/
-// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
-lockPref("security.ssl3.ecdh_ecdsa_rc4_128_sha", 
false);
-lockPref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
-
-// Pref : Disable SEED cipher
-// https://en.wikipedia.org/wiki/SEED
-lockPref("security.ssl3.rsa_seed_sha", false);
diff --git a/librewolf.cfg/security.json b/librewolf.cfg/security.json
index 09f7fa4..d768a01 100644
--- a/librewolf.cfg/security.json
+++ b/librewolf.cfg/security.json
@@ -1,80 +1,126 @@ [ { - "comments": "", + "comments": "Enable insecure password warnings (login forms in non-HTTPS pages)", "type": "lockPref", "key": "security.insecure_password.ui.enabled", - "value": true + "value": true, + "references": [ + "https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1319119", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1217156" + ] }, { - "comments": "", + "comments": "Show in-content login form warning UI for insecure login fields", "type": "lockPref", "key": "security.insecure_field_warning.contextual.enabled", - "value": true + "value": true, + "references": [ + "https://hg.mozilla.org/integration/mozilla-inbound/rev/f0d146fe7317" + ] }, { - "comments": "", + "comments": "Disable HSTS preload list (pre-set HSTS sites list provided by Mozilla)", "type": "lockPref", "key": "network.stricttransportsecurity.preloadlist", - "value": false + "value": false, + "references": [ + "https://blog.mozilla.org/security/2012/11/01/preloading-hsts/", + "https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List", + "https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security" + ] }, { - "comments": "", + "comments": "Disable TLS Session Tickets", + "notes": "SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs. Since the ID is unique, web servers can (and do) use it for tracking. 
If set to true, this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking", "type": "lockPref", "key": "security.ssl.disable_session_identifiers", - "value": true + "value": true, + "references": [ + "https://www.blackhat.com/us-13/briefings.html#NextGen", + "https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf", + "https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf", + "https://bugzilla.mozilla.org/show_bug.cgi?id=917049", + "https://bugzilla.mozilla.org/show_bug.cgi?id=967977" + ] }, { - "comments": "", + "comments": "Blocking GD Parking Scam Site", + "notes": "TODO: do we still need this? librefox.com isn't relevant anymore and this pretty much only tells LibreWolf to look for librefox.com locally", "type": "defaultPref", "key": "network.dns.localDomains", "value": "librefox.com" }, { - "comments": "", + "comments": "Disable insecure TLS version fallback", "type": "lockPref", "key": "security.tls.version.fallback-limit", - "value": 3 + "value": 3, + "references": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1084025", + "https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645" + ] }, { - "comments": "", + "comments": "Only allow TLS 1.[0-3]", "type": "lockPref", "key": "security.tls.version.min", - "value": 2 + "value": 2, + "references": [ + "http://kb.mozillazine.org/Security.tls.version.*" + ] }, { - "comments": "", + "comments": "Enfore Public Key Pinning", + "notes": "2. Strict. 
Pinning is always enforced.", "type": "lockPref", "key": "security.cert_pinning.enforcement_level", - "value": 2 + "value": 2, + "references": [ + "https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning", + "https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning" + ] }, { - "comments": "", + "comments": "Disallow SHA-1", "type": "lockPref", "key": "security.pki.sha1_enforcement_level", - "value": 1 + "value": 1, + "references": [ + "https://bugzilla.mozilla.org/show_bug.cgi?id=1302140", + "https://shattered.io/" + ] }, { - "comments": "", + "comments": "Warn the user when server doesn't support RFC 5746 ('safe' renegotiation)", "type": "lockPref", "key": "security.ssl.treat_unsafe_negotiation_as_broken", - "value": true + "value": true, + "references": [ + "https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken", + "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555" + ] }, { - "comments": "", + "comments": "Pre-populate the current URL but do not pre-fetch the certificate in the 'Add Security Exception' dialog", "type": "lockPref", "key": "browser.ssl_override_behavior", - "value": 1 + "value": 1, + "references": [ + "http://kb.mozillazine.org/Browser.ssl_override_behavior", + "https://github.com/pyllyukko/user.js/issues/210" + ] }, { @@ -93,6 +139,7 @@ { "comments": "", + "notes": "OCSP leaks the visited sites. Exactly same issue as with safebrowsing.", "type": "lockPref", "key": "security.OCSP.enabled", "value": 0 @@ -107,9 +154,13 @@ { "comments": "", + "notes": "Stapling forces the site to prove that its certificate is good through the CA, so apparently nothing is leaked in this case.", "type": "lockPref", "key": "security.ssl.enable_ocsp_stapling", - "value": true + "value": true, + "references": [ + "https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/" + ] }, { 
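Review bot: In the first security.json hunk the `comments` added to `security.tls.version.min` says "Only allow TLS 1.[0-3]" while the value is `2`; Firefox encodes this pref as 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3, so the file actually sets a TLS 1.1 floor and the comment (carried over from the deleted `security.js`) does not describe it. Suggest `"comments": "Minimum TLS version 1.1 (1=1.0, 2=1.1, 3=1.2, 4=1.3)"`, and consider whether `3` is the intended policy now that TLS 1.0/1.1 are deprecated, since this is a `lockPref` users cannot raise themselves. `network.stricttransportsecurity.preloadlist` likewise gets a descriptive comment but nothing on the trade-off: with the preload list off, a site's first connection has no HSTS protection until its header has been seen, which is exactly the window preloading exists to close, so the entry's `notes` should state that it trades first-visit protection for not shipping the list. Minor: "Enfore" in the `security.cert_pinning.enforcement_level` comment should read "Enforce".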
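Review bot: The `notes` added to `security.OCSP.enabled` in the `@@ -93` hunk ("OCSP leaks the visited sites…") gives the privacy reason for `0` but not the consequence: with OCSP fetching off, revocation is only checked when the server staples a response (`security.ssl.enable_ocsp_stapling`, documented in the `@@ -107` hunk), and a revoked certificate from a server that does not staple is accepted. Suggest appending to that `notes` value: `Trade-off: without OCSP fetches a revoked certificate is only detected when the server staples; non-stapling servers are not checked.` The `security.OCSP.require` entry that decides hard-fail behaviour sits between these two hunks, outside the diff, and should carry the same cross-reference so the three settings read as one policy.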
@@ -119,6 +170,24 @@ "value": false }, + { + "enabled": false, + "comments": "Manage certificates button", + "notes": "Disabled because of a bug that disables the button regardless of its value", + "type": "lockPref", + "key": "security.disable_button.openCertManager", + "value": false + }, + + { + "enabled": false, + "comments": "Manage security devices button", + "notes": "Disabled because of a bug that disables the button regardless of its value", + "type": "lockPref", + "key": "security.disable_button.openDeviceManager", + "value": false + }, + { "comments": "", "type": "lockPref", @@ -190,23 +259,38 @@ }, { - "comments": "", + "comments": "Disable RC4", "type": "lockPref", "key": "security.ssl3.ecdh_ecdsa_rc4_128_sha", - "value": false + "value": false, + "references": [ + "https://developer.mozilla.org/en-US/Firefox/Releases/38#Security", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1138882", + "https://rc4.io/", + "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566" + ] }, { - "comments": "", + "comments": "Disable RC4", "type": "lockPref", "key": "security.ssl3.ecdh_rsa_rc4_128_sha", - "value": false + "value": false, + "references": [ + "https://developer.mozilla.org/en-US/Firefox/Releases/38#Security", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1138882", + "https://rc4.io/", + "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566" + ] }, { - "comments": "", + "comments": "Disable SEED cipher", "type": "lockPref", "key": "security.ssl3.rsa_seed_sha", - "value": false + "value": false, + "references": [ + "https://en.wikipedia.org/wiki/SEED" + ] } ]
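Review bot: Both new entries in the `@@ -119` hunk (`security.disable_button.openCertManager`, `security.disable_button.openDeviceManager`) are `"enabled": false` because of "a bug that disables the button regardless of its value", but the bug is not identified, so there is no trigger for re-enabling them once it is fixed and no way for a reviewer to confirm it is still open. Add the tracker URL in a `references` array, e.g. `"references": ["<bug tracker URL - TODO fill in>"]`, and a `TODO(owner): re-test after the fix ships` in `notes`.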
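Review bot: In the `@@ -190` hunk, `security.ssl3.ecdh_ecdsa_rc4_128_sha`, `security.ssl3.ecdh_rsa_rc4_128_sha` and `security.ssl3.rsa_seed_sha` gain references that are all 2013–2015 material (the MDN link points at the Firefox 38 release notes), and to my knowledge upstream Firefox removed the RC4 suites years ago; if the targeted release no longer has these prefs, `lockPref` on them is inert and this file overstates what it enforces. Suggest `"notes": "Defence in depth only: RC4 suites are removed upstream - verify the pref still exists in the targeted Firefox version"` on the two RC4 entries and an equivalent check on the SEED entry. The same four RC4 URLs are duplicated verbatim on both entries; not wrong, but one `notes` line saying the pair is meant to be kept identical would make drift easier to spot.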