Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to disable these newish Firefox features? #820

Closed
Just-me-ghacks opened this issue Oct 25, 2019 · 12 comments
Closed

How to disable these newish Firefox features? #820

Just-me-ghacks opened this issue Oct 25, 2019 · 12 comments

Comments

@Just-me-ghacks
Copy link

Just-me-ghacks commented Oct 25, 2019

Are these prefs enough to completely disable the features that I don't want?

1. How to disable "Show alerts about passwords for breached websites"?
user_pref("signon.management.page.breach-alerts.enabled", false);
user_pref("signon.management.page.breachAlertUrl", "");
user_pref("signon.management.page.enabled", false);

2. How to disable "Suggest and generate strong passwords"?
user_pref("signon.generation.enabled", false);

3. How to disable Tracking Protection - Cryptominers?
user_pref("privacy.trackingprotection.cryptomining.enabled", false);

4. How to disable "What's new" gift icon from toolbar and main menu?
user_pref("browser.messaging-system.whatsNewPanel.enabled", false);

Are these prefs of any interest to us?
user_pref("browser.contentblocking.report.lockwise.enabled", false);
user_pref("browser.contentblocking.report.monitor.enabled", false);
user_pref("media.mediacapabilities.from-database", false);

Thank you in advance!

@rusty-snake
Copy link
Contributor

user_pref("media.mediacapabilities.from-database", false);

#819

@Just-me-ghacks
Copy link
Author

Just-me-ghacks commented Oct 26, 2019

Hey, Pants! I'm quietly following you along the way. Every day...

I don't know how these are implemented, but I don't want Firefox to call home / send visited URLs anywhere / download files from servers, etc.

1. There is no way this is done locally.

2. I like to generate my passwords by myself (KeePass). Do I need this one as well:
user_pref("signon.generation.available", false);

3. I use uBlock Origin & uMatrix with custom filters. Tracking Protection means redundancy, lack of control over the filters and harder troubleshooting when something is broken. I will add this one as well:
user_pref("privacy.trackingprotection.fingerprinting.enabled", false);

4. If it's local and doesn't fetch info from some server, I might leave it alone. Otherwise I will add this one as well:
user_pref("browser.messaging-system.fxatoolbarbadge.enabled", false);

5. I don't want to send any info (including my IP) to any server on certificate error (or any error for that matter). I will add these two:

user_pref("security.certerrors.mitm.priming.enabled", false);
user_pref("security.certerrors.mitm.priming.endpoint", "");

6. fxmonitor sounds like a spyware:
user_pref("extensions.fxmonitor.enabled", false);

7. Is this local or the info is being send to a remote server?
user_pref("browser.fixup.typo.scheme", false);

8. Is this being used to fingerprint users? Rising / lowering entropy?
user_pref("layout.css.text-decoration-skip-ink.enabled", false);

In summary:

user_pref("browser.contentblocking.report.lockwise.enabled", false);
user_pref("browser.contentblocking.report.monitor.enabled", false);
user_pref("browser.fixup.typo.scheme", false);
user_pref("browser.messaging-system.fxatoolbarbadge.enabled", false);
user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
user_pref("extensions.fxmonitor.enabled", false);
user_pref("layout.css.text-decoration-skip-ink.enabled", false);
user_pref("media.mediacapabilities.from-database", false);
user_pref("privacy.trackingprotection.cryptomining.enabled", false);
user_pref("privacy.trackingprotection.fingerprinting.enabled", false);
user_pref("security.certerrors.mitm.priming.enabled", false);
user_pref("security.certerrors.mitm.priming.endpoint", "");
user_pref("signon.generation.available", false);
user_pref("signon.generation.enabled", false);
user_pref("signon.management.page.breach-alerts.enabled", false);
user_pref("signon.management.page.breachAlertUrl", "");
user_pref("signon.management.page.enabled", false);

Is anyone else going to use some of these prefs?

@rusty-snake
Copy link
Contributor

/* 6602: disable firefox's buildin tracking-protection
 * uBlock origin can do this better ***/
user_pref("privacy.trackingprotection.enabled", false);
user_pref("privacy.trackingprotection.pbmode.enabled", false);
user_pref("privacy.trackingprotection.cryptomining.enabled", false);
user_pref("privacy.trackingprotection.socialtracking.enabled", false);
user_pref("privacy.trackingprotection.fingerprinting.enabled", false);
/* 6603: disable updates of the trackingprotection lists ***/
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");

@Just-me-ghacks
Copy link
Author

Just-me-ghacks commented Oct 26, 2019

FF 70 keeps uploading and downloading stuff to 99.86.243.90 upon start and during use. Unlike FF 60.9.0. Any ideas?

99.86.243.68, 99.86.243.71, 99.86.243.73, 99.86.243.90, etc.

I will test the versions between 60 and 70 to narrow down the possibilities.

P.S.:
FF 60.9.0 OK
FF 65.0.2 OK
FF 67.0.4 OK
FF 68.0.2 BAD
FF 68.2.0 BAD
FF 69.0.3 BAD
FF 70.0 BAD

So starting v68 something potentially very bad was introduced...

@rusty-snake
Copy link
Contributor

  1. already killed by not using FFX PW-safe?
  2. removed in FFX70 (the pref)
  3. Looks hardcoded things like htp:// and so on.

user_pref("browser.contentblocking.report.lockwise.enabled", false);
user_pref("browser.contentblocking.report.monitor.enabled", false);

Only disable the suggestions on about:protections.

99.86.243.90 is AWS, look at about:networking for the domain.

@Just-me-ghacks
Copy link
Author

Just-me-ghacks commented Oct 26, 2019

@GitCurious
Copy link

I am also seeing content-signature-2.cdn.mozilla.net - I was under the impression it was something to do with 'certificates' whether checking or updating [?]

They never seem to make it easy to figure out what they're up to.

@JOsamson
Copy link

JOsamson commented Oct 28, 2019

That would be content signature protocol of autograph service.

Prior to FF69, a call to content-signature-2.cdn.mozilla.net would accompany a daily fetch of remote-settings. It would seem to be working incorrectly right now.

Funny how it’s gone unnoticed.

@earthlng
Copy link
Contributor

earthlng commented Oct 28, 2019

There's nothing we can really do about RemoteSettings because that's also how some of the useful features like blocklists, revoked certs etc get their data.

  1. fxmonitor sounds like a spyware

maybe not the best name for a security feature but it's definitely not spyware, last I checked. There may be some telemetry in there but since fxmonitor is now a builtin component, any such telemetry would/should probably be covered by disabling the main telemetry thing.
The necessary data for fxmonitor gets downloaded via RemoteSettings regardless of whether you enable or disable the feature. Based on that, now local data, it can inform users about (recent) server breaches when they visit such sites so that they can change their password if they have an account on that site.
All they need to store locally for that is an up-to-date list of breached domains.
The records in the fxmonitor RS database look like this:

1

You can also sign up to get notified if your email address shows up in any data dumps from such server breaches but that's entirely optional.

Unless someone can show some proof that there's more than the intended functionality outlined above hiding somewhere in fxmonitor and because I don't feel like doing an in-depth code-review every time someone brings up a "suspiciously named" pref, I don't see a reason to disable a security feature that doesn't seem to have any downsides

@Just-me-ghacks
Copy link
Author

Just-me-ghacks commented Oct 28, 2019

Thanks everyone for the help! As far as I understand:

NOT IMPORTANT:

user_pref("browser.contentblocking.report.lockwise.enabled", false);
user_pref("browser.contentblocking.report.monitor.enabled", false);
user_pref("browser.fixup.typo.scheme", false);
user_pref("signon.management.page.enabled", false);

TO CONSIDER:

user_pref("extensions.fxmonitor.enabled", false);
user_pref("media.mediacapabilities.from-database", false);
user_pref("privacy.trackingprotection.cryptomining.enabled", false);
user_pref("privacy.trackingprotection.fingerprinting.enabled", false);
user_pref("privacy.trackingprotection.socialtracking.enabled", false);
user_pref("security.certerrors.mitm.priming.enabled", false);
user_pref("security.certerrors.mitm.priming.endpoint", "");
user_pref("signon.management.page.breach-alerts.enabled", false);
user_pref("signon.management.page.breachAlertUrl", "");

SIMPLY ANNOYING:

user_pref("browser.messaging-system.fxatoolbarbadge.enabled", false);
user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
user_pref("extensions.abuseReport.enabled", false);
user_pref("signon.generation.enabled", false);

TO INVESTIGATE:

@GitCurious
Copy link

I hadn't seen that empty bar before ! (I very rarely type into the address bar)

I fixed it with a CSS rule:

#urlbar-results {display: none !important;}

@theWalkingDuck
Copy link

TO INVESTIGATE: a small empty bar appears when you type (maxRichResults - 0)

get rid of it with userChrome.css

/* remove urlbar drop down */
#urlbar-results {display: none !important;}
.urlbarView {border: none !important;}  

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

7 participants