This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

❌ Software Removal | pyllyukko/user.js #1240

Closed
Thorin-Oakenpants opened this issue Aug 30, 2019 · 1 comment · Fixed by #1245
Labels
🦊 Firefox Firefox & forks, about:config etc. ❌ software removal

Comments

@Thorin-Oakenpants

Thorin-Oakenpants commented Aug 30, 2019

Remove pyllyukko/user.js from the Firefox user.js Templates section

edit disclosure: For those who do not know, I started and maintain the ghacks user.js. I also actively participated in the past in pyllyukko's repo. I have never actively sought ghacks-user.js promotion: and it was only recently added to PTIO, after four+ years, when someone else asked for that. This is not a competition, I always try to be subjective. end edit

🔷 foreword

  • GH = ghacks user.js repo
  • PK = pyllyukko's user.js repo
  • active = pref is not commented out, inactive = commented out
  • this is a subjective analysis and nothing personal
    • I only care that information is available and correct for all users to make informed decisions
    • it's also not self-serving: never gone out of my way to promote GH
  • I'm also a human (well, a dwarf to be exact), and I could be wrong about something
    • please correct me if I am

🔷 proposal

Simply put: remove PK's repo from the site.

  • I cannot find pyllyukko's comment where he discussed removing deprecated prefs but it went something like "if it's applicable to the current ESR, allowing time for packages to deploy on Linux distros, then we leave it in". But nothing really ever gets cleaned up. It contains a large percentage of deprecated prefs (soon to be more when ESR60 reaches EOL). Deprecated prefs don't do any harm, except give a false sense of security/privacy. The percentage of deprecated prefs is mind-boggling!
  • It is not maintained to a high enough degree: prefs are added that a few releases later get replaced, but the new pref is never added <-- false sense of privacy
  • Very little activity: a lot of new relevant prefs are simply not being introduced: and all this over a period where changes in FF prefs have been bigger than in the past due to the large number of changes due to Quantum, and that now engineers can implement changes far more quickly than in the past with legacy extensions and XUL etc. I can show you stats from FF version diffs if you want.
  • It also introduces unnecessary risk to the end user (through enforcing default values: this should be done very selectively)
  • PK's primary goal seems to be about "hardening" (security): at least that's what I read from the readme, and from his pref choices. This often compromises privacy for what I believe to be almost zero gain (browsers are already highly secure and highly vetted). This does not fit with PTIO's primary goal in my opinion

🔷 activity analysis

Note: Don't take "same as GH" too literally

  • I'm just saying that GH also has this pref/info
  • I've checked that we're currently the same (both value and state: commented out or not), but may have missed something
  • I'm not implying PK did the same as GH (i.e. copying). I don't care who did what first

🔻 Summary

Read the proposal. PK is simply not maintained enough. See in the details how new prefs which replace deprecated ones are not added. I know we're all human (or dwarves) and make mistakes and/or lack time, but some items are not researched enough: see super old prefs getting added, see incorrect values being set and not corrected (even when informed).

For all intents and purposes, PK is essentially abandoned: that's my view, but I'll provide some stats. This is no reflection on pyllyukko and contributors et al: we all have lives outside of the internet.

🔻 Details

the last 12 months

8 changes total: 5 active changes. And nothing for the last 6 months!

2019

Feb 09: browser.discovery.enabled -> added: same as GH
Feb 06: browser.newtabpage.activity-stream.asrouter.userprefs.cfr -> added: same as GH
   - deprecated in FF67, but still applicable to ESR60 users
   - replaced by two new prefs which haven't been added to PK, but are in GH
Jan 15: network.trr.mode -> added commented out: same as GH

2018

Nov 13: dom.workers.enabled -> removed: same as GH [deprecated in FF60]
Oct 12: toolkit.telemetry.archive.enabled -> added: same as GH
Oct 03: svg.disabled -> commented out: same as GH
Sep 23: extensions.systemAddon.update.enabled -> added: same as GH
Sep 06: javascript.options.wasm -> added: same as GH

the last 12 months prior to that

effectively just a very small handful of useful prefs added

2018-continued

Jun 17: network.http.keep-alive.timeout -> added but not a threat IMO
Jun 16: removed three prefs which GH never had since they don't work and/or cause issues
May 05: intl.accept_languages -> reverted the value (case) to same as GH
   - ^^ this went on a whole year despite me letting them know it screwed their FP and wasn't the solution to a perceived (minor) problem
Feb 19: privacy.firstparty.isolate -> added: same as GH
Jan 23: network.captive-portal-service.enabled -> added: same as GH
Jan 06: signon.formlessCapture.enabled -> added: same as GH

2017

Nov 22: browser.newtabpage.activity-stream.enabled -> added: same as GH [deprecated in FF60]
Nov 22: browser.newtabpage.activity-stream.feeds.section.topstories -> added: same as GH
Oct 07: dom.network.enabled -> added but useless
   - this was **deprecated in FF32**. In Oct 2017 ESR was 52.4 and stable was 56!
Oct 07: browser.startup.homepage_override.buildID -> added but not a threat IMO
Oct 07: dom.maxHardwareConcurrency -> added: same as GH but redundant with RFP
Oct 07: added two shield study prefs same as GH, one of which was removed in FF60
Sep 22: general.useragent.locale -> removed: same as GH [deprecated in FF59]


🔷 preferences analysis

🔻 Summary

  • 310 total prefs
  • 64 (20%) -> deprecated since at least ESR/FF60 (that I know about)
  • 21 -> enforcing the default value since at least ESR/FF60
    • can carry serious risk e.g. if Mozilla need to flip a pref for security, privacy reasons
    • perfect examples are the ciphers and TLS pref in the details below
  • 7 -> redundant, pointless, or no threat (IMO)
  • 17 -> deprecated when ESR60 reaches EOL in approx 2 months
    • I do not envisage these being cleaned out: see the previous 64 deprecated prefs
  • 25 -> left
    • 5 I can't be bothered checking (at least 2 are redundant), and 22 are overkill (protocol handler blocking and then a heap of whitelisting)
    • note: I am ignoring prefs (not values or state) both PK and GH have in common

🔻 Conclusion

  • 92 (30%) prefs do nothing for the end user right now
  • 109 (35%) prefs will do nothing for the end user in approx two months
  • At best, PK gives a false sense of security/privacy. At worst it introduces unnecessary risk: in fact right now it causes risk (see TLS)
  • There is nothing in PK that GH doesn't have
    • the exception being the 25 remaining prefs - debatable
details

---
sources
- https://github.com/ghacksuserjs/ghacks-user.js/issues/123
- a couple of others are provided below in the details: I specially looked them up for this post

  27 prefs: A: deprecated in ESR/FF60 + lower [with sources]
  37 prefs: B: deprecated in ESR/FF60 + lower [no sources]
  21 prefs: C: default value since at least FF60
   7 prefs: D: redundant, no threat, or pointless
  17 prefs: E: deprecated with EOL for ESR60 [with sources]
  25 prefs: F: left

A: deprecated ESR/FF60 + lower [with sources]

browser.casting.enabled
browser.newtabpage.activity-stream.enabled
browser.newtabpage.directory.ping
browser.newtabpage.directory.source
browser.newtabpage.enhanced
browser.pocket.enabled
browser.safebrowsing.enabled
browser.selfsupport.url
camera.control.face_detection.enabled
datareporting.healthreport.service.enabled
devtools.webide.autoinstallFxdtAdapters
dom.archivereader.enabled
dom.enable_user_timing
dom.flyweb.enabled
dom.network.enabled
dom.telephony.enabled
extensions.shield-recipe-client.enabled
intl.locale.matchOS
loop.enabled
loop.logDomains
plugins.update.notifyUser
security.ssl3.ecdhe_ecdsa_rc4_128_sha
security.ssl3.ecdhe_rsa_rc4_128_sha
security.ssl3.rsa_rc4_128_md5
security.ssl3.rsa_rc4_128_sha
security.tls.unrestricted_rc4_fallback
security.xpconnect.plugin.unrestricted

B: deprecated ESR/FF60 + lower [no sources]

- these ciphers do not exist anymore and haven't for a VERY long time
- just rechecked ESR60 today
- checked in the past, and been deep diving into Firefox prefs for 5+ years

security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_dss_camellia_128_sha
security.ssl3.dhe_dss_camellia_256_sha
security.ssl3.dhe_dss_des_ede3_sha
security.ssl3.dhe_rsa_camellia_128_sha
security.ssl3.dhe_rsa_camellia_256_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.ecdh_ecdsa_aes_128_sha
security.ssl3.ecdh_ecdsa_aes_256_sha
security.ssl3.ecdh_ecdsa_des_ede3_sha
security.ssl3.ecdh_ecdsa_null_sha
security.ssl3.ecdh_ecdsa_rc4_128_sha
security.ssl3.ecdh_rsa_aes_128_sha
security.ssl3.ecdh_rsa_aes_256_sha
security.ssl3.ecdh_rsa_des_ede3_sha
security.ssl3.ecdh_rsa_null_sha
security.ssl3.ecdh_rsa_rc4_128_sha
security.ssl3.ecdhe_ecdsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_null_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.ecdhe_rsa_null_sha
security.ssl3.rsa_1024_rc4_56_sha
security.ssl3.rsa_camellia_128_sha
security.ssl3.rsa_camellia_256_sha
security.ssl3.rsa_fips_des_ede3_sha
security.ssl3.rsa_null_md5
security.ssl3.rsa_null_sha
security.ssl3.rsa_rc2_40_md5
security.ssl3.rsa_rc4_40_md5
security.ssl3.rsa_seed_sha
---

- these six are not in ESR/FF60+: not found on DXR
- checked in the past, and been deep diving into Firefox prefs for 5+ years

browser.download.manager.retention
browser.newtab.url
network.negotiate-auth.allow-insecure-ntlm-v1
network.negotiate-auth.allow-insecure-ntlm-v1-https
plugin.state.libgnome-shell-browser-plugin
shumway.disabled

C: default value since at least FF60

- note: the six ciphers below are enforcing default true. If Mozilla needed to
        flip one (or more) for security reasons, you wouldn't be protected

browser.offline-apps.notify
browser.safebrowsing.blockedURIs.enabled
browser.safebrowsing.malware.enabled
browser.safebrowsing.phishing.enabled
browser.urlbar.filter.javascript
media.webspeech.recognition.enable
network.stricttransportsecurity.preloadlist
privacy.trackingprotection.pbmode.enabled
security.fileuri.strict_origin_policy
security.insecure_field_warning.contextual.enabled
security.insecure_password.ui.enabled
security.sri.enable
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256
security.ssl.enable_ocsp_must_staple
signon.autofillForms.http
signon.storeWhenAutocompleteOff
   - ^^ inactive: thus de facto not changing default: added it to this list: or things get too messy
   - ^^ I don't agree with the changing from default true to false anyway

D: redundant (but I do get the defense in depth argument), no threat, or pointless

browser.formfill.expire_days
   - ^^ already cleared by privacy.clearOnShutdown.formdata
media.navigator.video.enabled
   - ^^ covered by media.navigator.enabled
dom.mozTCPSocket.enabled
   - ^^ only exposed in chrome contexts
network.dns.blockDotOnion
   - ^^ only useful over Tor: people should use Tor Browser
   - ^^ name is ambiguous: should be true when using Tor but I've seen
   - ^^ many users think it has to be false so onion services are not blocked
security.tls.version.fallback-limit
   - ^^ set as 3: this is at odds with stable (at 4) vs ESR
   - ^^ a classic example of trying to enforce defaults that create risk
browser.startup.homepage_override.buildID
   - ^^ I do not see any threat here
network.http.keep-alive.timeout
   - ^^ I do not see any threat here

E: deprecated with EOL for ESR60 [with sources]

app.update.enabled
browser.aboutHomeSnippets.updateUrl
browser.fixup.hide_user_pass
browser.newtabpage.activity-stream.asrouter.userprefs.cfr
browser.search.countryCode
browser.urlbar.autocomplete.enabled
devtools.webide.autoinstallADBHelper
experiments.enabled
experiments.manifest.uri
experiments.supported
lightweightThemes.update.enabled
network.allow-experiments
network.jar.open-unsafe-types
plugin.state.java
security.csp.experimentalEnabled
browser.urlbar.autoFill.typed - bugzilla 1239708
services.blocklist.update_enabled - bugzilla 1458917

F: left: debatable: I stopped checking

- misc
devtools.debugger.force-local
media.gmp-gmpopenh264.enabled
   - redundant: see ghacks
media.gmp-manager.url
   - ^^ redundant: see previous pref
pdfjs.enableWebGL
privacy.trackingprotection.enabled
   - ^^ this is good

- overkill
network.protocol-handler.expose-all
network.protocol-handler.expose.about
network.protocol-handler.expose.blob
network.protocol-handler.expose.chrome
network.protocol-handler.expose.data
network.protocol-handler.expose.file
network.protocol-handler.expose.ftp
network.protocol-handler.expose.http
network.protocol-handler.expose.https
network.protocol-handler.expose.javascript
network.protocol-handler.expose.moz-extension
network.protocol-handler.external.about
network.protocol-handler.external.blob
network.protocol-handler.external.chrome
network.protocol-handler.external.data
network.protocol-handler.external.file
network.protocol-handler.external.ftp
network.protocol-handler.external.http
network.protocol-handler.external.https
network.protocol-handler.external.javascript
network.protocol-handler.external.moz-extension
network.protocol-handler.warn-external-default

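A small audit script in the spirit of the analysis above, added here as an example and not code from the issue or from either user.js project: it parses `user_pref()` lines, separates active from commented-out (inactive) prefs, and flags entries that sit in a deprecated set or merely restate a default value. The sample user.js and the two reference tables are constructed for the demo from pref names quoted in the issue; a real audit would load the reference data from the target Firefox release.

```python
import re

# Constructed sample of a user.js (not the real pyllyukko file). It mixes
# active and commented-out ("inactive") lines, as the issue distinguishes them.
SAMPLE_USER_JS = """\
user_pref("security.ssl3.rsa_rc4_128_sha", false);
// user_pref("network.trr.mode", 5);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("dom.network.enabled", false);
"""

# Assumed reference data for the demo, built from names the issue lists.
# DEPRECATED: prefs the current release no longer reads at all.
# DEFAULTS: the release's built-in value, so setting it changes nothing now
# but would block a future Mozilla flip of that default.
DEPRECATED = {"security.ssl3.rsa_rc4_128_sha", "dom.network.enabled"}
DEFAULTS = {"security.ssl3.ecdhe_rsa_aes_128_gcm_sha256": True,
            "privacy.firstparty.isolate": False}

# Optional leading "//" marks an inactive pref; groups: comment, name, raw value.
PREF_RE = re.compile(r'^\s*(//\s*)?user_pref\("([^"]+)",\s*(.+?)\);')

def parse_value(raw):
    """Turn the JS literal from a user_pref() line into a Python value."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)

def audit(text, deprecated=DEPRECATED, defaults=DEFAULTS):
    """Classify each pref the way the issue does: inactive, deprecated,
    enforces-default, or ok. Returns {pref_name: category}."""
    result = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        commented, name, raw = m.groups()
        if commented:
            result[name] = "inactive"          # commented out: no effect either way
        elif name in deprecated:
            result[name] = "deprecated"        # does nothing; false sense of security
        elif name in defaults and defaults[name] == parse_value(raw):
            result[name] = "enforces-default"  # no gain now, pins a value Mozilla may flip
        else:
            result[name] = "ok"
    return result
```

Running `audit(SAMPLE_USER_JS)` on the constructed sample reports one deprecated RC4 cipher pref, one deprecated dom pref, one default-enforcing cipher pref, one inactive pref and one genuinely effective pref.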
@Mikaela Mikaela added the 🦊 Firefox Firefox & forks, about:config etc. label Aug 30, 2019
@blacklight447
Collaborator

I would agree with the removal.
