From 02ec2643e3d4032b213cff90b47ab424dcfe6b7a Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 14:35:02 +0100 Subject: [PATCH 01/17] add firefox version indication for battery api fixes #197 --- README.md | 2 +- user.js | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 632718f6..aa54c00c 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org * Disable WebRTC entirely * Don't reveal your internal IP when WebRTC is enabled [ [1](https://wiki.mozilla.org/Media/WebRTC/Privacy) [2](https://github.com/beefproject/beef/wiki/Module%3A-Get-Internal-IP-WebRTC) ] * Disable WebRTC getUserMedia, screen sharing, audio capture, video capture [ [1](https://wiki.mozilla.org/Media/getUserMedia) [2](https://blog.mozilla.org/futurereleases/2013/01/12/capture-local-camera-and-microphone-streams-with-getusermedia-now-enabled-in-firefox/) [3](https://developer.mozilla.org/en-US/docs/Web/API/Navigator) ] -* Disable battery API [ [1](https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager) ] +* Disable battery API (<52) [ [1](https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager) [2](https://bugzilla.mozilla.org/show_bug.cgi?id=1313580) ] * Disable telephony API [ [1](https://wiki.mozilla.org/WebAPI/Security/WebTelephony) ] * Disable DOM timing API [ [1](https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI) ] * Disable "beacon" asynchronous HTTP transfers (used for analytics) [ [1](https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon) ] diff --git a/user.js b/user.js index e4a26190..4da7c21e 100644 --- a/user.js +++ b/user.js 
@@ -68,8 +68,9 @@ user_pref("media.navigator.video.enabled", false); user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.audiocapture.enabled", false); -// PREF: Disable battery API +// PREF: Disable battery API (<52) // https://developer.mozilla.org/en-US/docs/Web/API/BatteryManager +// https://bugzilla.mozilla.org/show_bug.cgi?id=1313580 user_pref("dom.battery.enabled", false); // PREF: Disable telephony API From 621c4e246aaf140ed53e0550719c07c904532fef Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 14:41:07 +0100 Subject: [PATCH 02/17] add commented out prefs for *effective* default search engine choice closes #108 --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index 4da7c21e..c20af15d 100644 --- a/user.js +++ b/user.js @@ -158,6 +158,8 @@ user_pref("camera.control.face_detection.enabled", false); // PREF: Set the default search engine to DuckDuckGo (disabled) // https://support.mozilla.org/en-US/questions/948134 //user_pref("browser.search.defaultenginename", "DuckDuckGo"); +//user_pref("browser.search.order.1", "DuckDuckGo"); +//user_pref("keyword.URL", "https://duckduckgo.com/html/?q=!+"); // PREF: Disable GeoIP lookup on your address to set default search engine region // https://trac.torproject.org/projects/tor/ticket/16254 From 1ab3ffd10d821c76874ba46efd538965af8e5233 Mon Sep 17 00:00:00 2001 
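Review bot: The added `//user_pref("keyword.URL", "https://duckduckgo.com/html/?q=!+");` relies on a pref that, as far as I recall, was removed from Firefox several major versions before the ones this file otherwise targets, so the "effective default search engine" the commit message promises may not follow from enabling it. Worth verifying against the Firefox version you target and, if it is version-limited, marking the `// PREF:` line the way patch 01 marks the battery API, e.g. `// PREF: Set the default search engine to DuckDuckGo (disabled) (<N)` with the real cutoff in place of N. The two new lines also get no comment of their own, so a reader cannot tell which of the three commented-out prefs is the one that actually changes the default.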
From: nodiscc Date: Tue, 14 Mar 2017 14:47:17 +0100 Subject: [PATCH 03/17] document disabling push notifications Other references: https://github.com/pyllyukko/user.js/pull/111 https://hacks.mozilla.org/2016/01/web-push-arrives-in-firefox-44/ https://developer.mozilla.org/en-US/docs/Archive/Firefox_OS/API/Simple_Push_API https://support.mozilla.org/t5/Firefox/How-to-disable-web-push-notifications-in-Firefox/m-p/1281001 https://en.wikipedia.org/wiki/Push_technology https://trac.torproject.org/projects/tor/ticket/18801 https://support.mozilla.org/t5/Basic-Browsing/Web-Push-notifications-in-Firefox/ta-p/28744 https://support.mozilla.org/t5/Firefox/How-to-stop-the-webpush-notifications/m-p/1292770 https://developer.mozilla.org/en/docs/Web/API/Push_API https://github.com/chrisdavidmills/push-api-demo Closes #111 --- README.md | 2 +- user.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index aa54c00c..b7f12507 100644 --- a/README.md +++ b/README.md 
@@ -130,7 +130,7 @@ it also makes experimenting with different settings easier. HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org/wiki/Document_Object_Model) related settings. Mozilla is keen to implement every new HTML5 feature, which have had unforeseen security or privacy implications. This section disables many of those new and yet to be proven technologies. * Disable Service Workers [ [1](https://developer.mozilla.org/en-US/docs/Web/API/Worker) [2](https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API) [3](https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers) ] -* Disable web notifications +* Disable web notifications [ [1](https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501) ] * Make sure the User Timing API does not provide a new high resolution timestamp [ [1](https://trac.torproject.org/projects/tor/ticket/16336) ] * Disable Web Audio API [ [1](https://bugzil.la/1288359) ] * Disable Location-Aware Browsing (geolocation) [ [1](https://www.mozilla.org/en-US/firefox/geolocation/) ] diff --git a/user.js b/user.js index c20af15d..c7c86af6 100644 --- a/user.js +++ b/user.js @@ -16,7 +16,7 @@ user_pref("dom.serviceWorkers.enabled", false); // PREF: Disable web notifications -// ?? +// https://support.mozilla.org/t5/Firefox/I-can-t-find-Firefox-menu-I-m-trying-to-opt-out-of-Web-Push-and/m-p/1317495#M1006501 user_pref("dom.webnotifications.enabled", false); // PREF: Make sure the User Timing API does not provide a new high resolution timestamp From 9ad47f9e0f05be33a53f38eb7d21e2899ccc3457 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 15:03:25 +0100 Subject: [PATCH 04/17] Add missing preferences descriptions Fixes #236 --- README.md | 11 +++++------ user.js | 12 ++++++------ 2 files changed, 11 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index b7f12507..471df3ba 100644 --- a/README.md +++ b/README.md 
@@ -153,9 +153,9 @@ HTML5 / [APIs](https://wiki.mozilla.org/WebAPI) / [DOM](https://en.wikipedia.org * Disable virtual reality devices [ [1](https://developer.mozilla.org/en-US/Firefox/Releases/36#Interfaces.2FAPIs.2FDOM) ] * Disable webGL [ [1](https://en.wikipedia.org/wiki/WebGL) [2](https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/) ] * When webGL is enabled, use the minimum capability mode -* webgl.disable-extensions [ [1](https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing) ] -* webgl.disable-fail-if-major-performance-caveat [ [1](https://trac.torproject.org/projects/tor/ticket/18603) ] -* webgl.enable-debug-renderer-info [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1171228) [2](https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info) ] +* When webGL is enabled, disable webGL extensions [ [1](https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing) ] +* When webGL is enabled, force enabling it even when layer acceleration is not supported [ [1](https://trac.torproject.org/projects/tor/ticket/18603) ] +* When webGL is enabled, do not expose information about the graphics driver [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1171228) [2](https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info) ] ### Misc 
@@ -188,7 +188,6 @@ Harden preferences related to external plugins * Flash plugin state - never activate [ [1](http://kb.mozillazine.org/Flash_plugin) ] * Java plugin state - never activate * Disable Gnome Shell Integration -* Disable the bundled OpenH264 video codec [ [1](http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077) ] * Enable plugins click-to-play [ [1](https://wiki.mozilla.org/Firefox/Click_To_Play) [2](https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/) ] * Updates addons automatically [ [1](https://blog.mozilla.org/addons/how-to-turn-off-add-on-updates/) ] * Enable add-on and certificate blocklists (OneCRL) from Mozilla [ [1](https://wiki.mozilla.org/Blocklisting) [2](https://blocked.cdn.mozilla.net/) [3](http://kb.mozillazine.org/Extensions.blocklist.enabled) [4](http://kb.mozillazine.org/Extensions.blocklist.url) [5](https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/) ] 
@@ -223,9 +222,9 @@ Prevents the browser from [auto-connecting](https://support.mozilla.org/en-US/kb * Disable search suggestions in the search bar [ [1](http://kb.mozillazine.org/Browser.search.suggest.enabled) ] * Disable "Show search suggestions in location bar results" * Disable SSDP [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1111967) ] -* media.gmp- [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities) [2](https://andreasgal.com/2014/10/14/openh264-now-in-firefox/) ] +* Disable automatic downloading of OpenH264 codec [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities) [2](https://andreasgal.com/2014/10/14/openh264-now-in-firefox/) ] * Disable speculative pre-connections [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_speculative-pre-connections) [2](https://bugzil.la/814169) ] -* browser.aboutHomeSnippets.updateUrl [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content) [2](https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service) ] +* Disable downloading homepage snippets/messages from Mozilla [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content) [2](https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service) ] * Never check updates for search engines [ [1](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_auto-update-checking) ] ### HTTP diff --git a/user.js b/user.js index c7c86af6..397cca8a 100644 --- a/user.js +++ b/user.js 
@@ -135,13 +135,13 @@ user_pref("dom.vr.enabled", false); user_pref("webgl.disabled", true); // PREF: When webGL is enabled, use the minimum capability mode user_pref("webgl.min_capability_mode", true); -// PREF: webgl.disable-extensions +// PREF: When webGL is enabled, disable webGL extensions // https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#WebGL_debugging_and_testing user_pref("webgl.disable-extensions", true); -// PREF: webgl.disable-fail-if-major-performance-caveat +// PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported // https://trac.torproject.org/projects/tor/ticket/18603 user_pref("webgl.disable-fail-if-major-performance-caveat", true); -// PREF: webgl.enable-debug-renderer-info +// PREF: When webGL is enabled, do not expose information about the graphics driver // https://bugzilla.mozilla.org/show_bug.cgi?id=1171228 // https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info user_pref("webgl.enable-debug-renderer-info", false); @@ -276,7 +276,7 @@ user_pref("plugin.state.java", 0); // PREF: Disable Gnome Shell Integration user_pref("plugin.state.libgnome-shell-browser-plugin", 0); -// PREF: Disable the bundled OpenH264 video codec +// PREF: Disable the bundled OpenH264 video codec (disabled) // http://forums.mozillazine.org/viewtopic.php?p=13845077&sid=28af2622e8bd8497b9113851676846b1#p13845077 //user_pref("media.gmp-provider.enabled", false); @@ -456,7 +456,7 @@ user_pref("browser.urlbar.suggest.searches", false); // https://bugzilla.mozilla.org/show_bug.cgi?id=1111967 user_pref("browser.casting.enabled", false); -// PREF: media.gmp- +// PREF: Disable automatic downloading of OpenH264 codec // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_media-capabilities // https://andreasgal.com/2014/10/14/openh264-now-in-firefox/ user_pref("media.gmp-gmpopenh264.enabled", false); 
@@ -467,7 +467,7 @@ user_pref("media.gmp-manager.url", ""); // https://bugzil.la/814169 user_pref("network.http.speculative-parallel-limit", 0); -// PREF: browser.aboutHomeSnippets.updateUrl +// PREF: Disable downloading homepage snippets/messages from Mozilla // https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_mozilla-content // https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service user_pref("browser.aboutHomeSnippets.updateUrl", ""); From 854e5de315b538e9d512979bef189d450446bb03 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 15:14:07 +0100 Subject: [PATCH 05/17] set security.ask_for_password to 2 (lock password storage periodically), set password storage lock timeout to 1 minute fixes #235 --- README.md | 4 ++-- user.js | 9 ++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 471df3ba..fdcca5a2 100644 --- a/README.md +++ b/README.md @@ -278,8 +278,8 @@ Improve visibility of security-related elements, mitigate shoulder-surfing * Disable CSS :visited selectors [ [1](https://blog.mozilla.org/security/2010/03/31/plugging-the-css-history-leak/) [2](https://dbaron.org/mozilla/visited-privacy) ] * Disable URL bar autocomplete [ [1](http://kb.mozillazine.org/Disabling_autocomplete_-_Firefox#Firefox_3.5) ] * Do not check if Firefox is the default browser -* When password manager is enabled, only ask for the master password once -* When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default: 30) +* When password manager is enabled, lock the password storage periodically +* Lock the password storage every 1 minutes (default: 30) ### Cryptography diff --git a/user.js b/user.js index 397cca8a..525418ed 100644 --- a/user.js +++ b/user.js 
@@ -710,13 +710,12 @@ user_pref("browser.urlbar.autocomplete.enabled", false); // PREF: Do not check if Firefox is the default browser user_pref("browser.shell.checkDefaultBrowser", false); -// PREF: When password manager is enabled, only ask for the master password once -// NOTICE: this actually lessens security, but is more convenient +// PREF: When password manager is enabled, lock the password storage periodically // CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage -user_pref("security.ask_for_password", 0); +user_pref("security.ask_for_password", 2); -// PREF: When security.ask_for_password is 2 (every n minutes), lock password storage every 5 minutes (default: 30) -user_pref("security.password_lifetime", 5); +// PREF: Lock the password storage every 1 minutes (default: 30) +user_pref("security.password_lifetime", 1); /****************************************************************************** * SECTION: Cryptography * From 0e23e4b97a2ddadd795db917e2e47fbf026206ca Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 15:41:14 +0100 Subject: [PATCH 06/17] start moving some known problems/limitations to user.js, work on #238, add TODOs --- README.md | 13 ++++++------- user.js | 13 +++++++------ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index fdcca5a2..8afdf6cb 100644 --- a/README.md +++ b/README.md 
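Review bot: The new heading `// PREF: When password manager is enabled, lock the password storage periodically` does not say that `security.ask_for_password` and `security.password_lifetime` only do anything once a master password has been set; as far as I recall, without one Firefox never prompts, so the periodic lock silently does not happen. Suggest adding `// NOTICE: Only effective when a master password is set` under the PREF line, in the file's existing NOTICE: style. The retained `CIS ... 2.5.3 Disable Prompting for Credential Storage` reference was written next to the old value 0 and may not describe the new value 2; worth checking it still applies. The README line this commit adds says "every 1 minutes"; "every minute" reads better.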
@@ -294,7 +294,8 @@ Improve visibility of security-related elements, mitigate shoulder-surfing * Disable insecure TLS version fallback [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1084025) [2](https://github.com/pyllyukko/user.js/pull/206#issuecomment-280229645) ] * Enfore Public Key Pinning [ [1](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) [2](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) ] * Disallow SHA-1 [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1302140) [2](https://shattered.io/) ] -* Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) [ [1](https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken) ] +* Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) [ [1](https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken) [2](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555) ] +* Disallow connection to servers not supporting safe renegotiation [ [1](https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation) [2](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555) ] * Disable automatic reporting of TLS connection errors [ [1](https://support.mozilla.org/en-US/kb/certificate-pinning-reports) ] * Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog [ [1](http://kb.mozillazine.org/Browser.ssl_override_behavior) [2](https://github.com/pyllyukko/user.js/issues/210) ] 
@@ -369,13 +370,11 @@ See also: ## Known problems -There are plenty! Hardening your browser will break your interwebs. Here's some examples: +Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations: -* If you get "TypeError: localStorage is null", you probably need to enable [local storage][3] (``dom.storage.enabled == true``) -* If you get "sec\_error\_ocsp\_invalid\_signing\_cert", it probably means that you don't have the required CA -* If you get "ssl\_error\_unsafe\_negotiation", it means the server is vulnerable to [CVE-2009-3555](https://www.cvedetails.com/cve/CVE-2009-3555) and you need to disable [security.ssl.require\_safe\_negotiation][2] (not enabled currently) -* If you set browser.frames.enabled to false, probably a whole bunch of websites will break -* Some sites require the [referer](https://en.wikipedia.org/wiki/HTTP_referer) header (usually setting ``network.http.sendRefererHeader == 2`` is enough to overcome this and the referer is still "[spoofed][9]") +TODO: generate this section from `NOTICE:` fields in user.js (#238) + +* If you get "sec\_error\_ocsp\_invalid\_signing\_cert", it probably means that you don't have the required CA (TODO: details/workaround/??) * The [IndexedDB](https://en.wikipedia.org/wiki/Indexed_Database_API) is something that could potentially be used to track users, but it is also required by some browser add-ons in recent versions of Firefox. It would be best to disable this feature just to be on the safe side, but it is currently enabled, so that add-ons would work. See the following links for further info: * [Issue #8](https://github.com/pyllyukko/user.js/issues/8) * [IndexedDB Security Review](https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review) (this document also states that "IndexedDB is completely disabled in private browsing mode.", but this should still be verified) 
diff --git a/user.js b/user.js index 525418ed..90916f64 100644 --- a/user.js +++ b/user.js @@ -40,7 +40,7 @@ user_pref("dom.mozTCPSocket.enabled", false); // PREF: Disable DOM storage (disabled) // http://kb.mozillazine.org/Dom.storage.enabled // https://html.spec.whatwg.org/multipage/webstorage.html -// you can also see this with Panopticlick's "DOM localStorage" +// NOTICE: Known to cause`TypeError: localStorage is null` errors //user_pref("dom.storage.enabled", false); // PREF: Whether JS can get information about the network/browser connection @@ -508,6 +508,8 @@ user_pref("security.sri.enable", true); // PREF: Send a referer header with the target URI as the source // https://bugzilla.mozilla.org/show_bug.cgi?id=822869 +// NOTICE: Breaks functionality on websites relying on authentic referer headers +// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs user_pref("network.http.referer.spoofSource", true); // PREF: Accept Only 1st Party Cookies 
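Review bot: The new `// NOTICE: Known to cause`TypeError: localStorage is null` errors` is missing the space between `cause` and the opening backtick; since these NOTICE fields are meant to be extracted into the README (#238), the inline markup should be clean. Patch 12's hunk at L22 rewrites this line and carries the same missing space. The README hunk of this same commit reads "Hardening your often implies a trade-off", missing the word "browser", and that wording is carried unchanged as context through patches 08 and 09.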
@@ -795,14 +797,13 @@ user_pref("security.pki.sha1_enforcement_level", 1); // PREF: Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken -// see also CVE-2009-3555 +// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); -// PREF: ?? (disabled) +// PREF: Disallow connection to servers not supporting safe renegotiation // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation -// this makes browsing next to impossible=) (13.2.2012) -// update: the world is not ready for this! (6.5.2014) -// see also CVE-2009-3555 +// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555 +// NOTICE: Makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` error) //user_pref("security.ssl.require_safe_negotiation", true); // PREF: Disable automatic reporting of TLS connection errors From 17f44ce5bb4c44baa62962ebb11bed424db5d0ba Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 18:07:12 +0100 Subject: [PATCH 07/17] README: remove TODOs (moved to issues) --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 8afdf6cb..513eb6f8 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,6 @@ There are several parts to all this and they are: ---------------------------------------------- -TODO insert toc ## Download From dd2f73bde884a22fe18f266f246f61088e650401 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 18:07:39 +0100 Subject: [PATCH 08/17] README: rename 'known problems' to 'known problems and limitations' --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 513eb6f8..8f490071 100644 --- a/README.md +++ b/README.md 
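Review bot: The new heading `// PREF: Disallow connection to servers not supporting safe renegotiation` drops the `(disabled)` marker the replaced line carried, although `//user_pref("security.ssl.require_safe_negotiation", true);` stays commented out; elsewhere in this series a commented-out pref keeps `(disabled)` in its PREF line (patch 04 even adds it to the OpenH264 entry), and the README hunk of this commit also lists the entry as if it were active. Suggest `// PREF: Disallow connection to servers not supporting safe renegotiation (disabled)`. The new NOTICE's `(2012-2014-... - ...)` compresses the two removed dated remarks into something hard to parse; a form like "NOTICE: Makes browsing next to impossible (last checked 2014; causes ssl_error_unsafe_negotiation errors)" says the same thing plainly.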
@@ -367,7 +367,7 @@ See also: * [uBlock](https://addons.mozilla.org/android/addon/ublock-origin/) * [HTTPS Everywhere](https://www.eff.org/https-everywhere) -## Known problems +## Known problems and limitations Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations: From bb2bdc54a9869f8946df138d332fce42d5d83426 Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 18:08:14 +0100 Subject: [PATCH 09/17] README: move known problems and limitations to relevant user.js prefs NOTICE: fields, prepapre work on #238 (automate section generation) --- README.md | 24 ++++++------------------ user.js | 21 ++++++++++++++------- 2 files changed, 20 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 8f490071..a70f28ee 100644 --- a/README.md +++ b/README.md 
@@ -371,24 +371,12 @@ See also: Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations: -TODO: generate this section from `NOTICE:` fields in user.js (#238) - -* If you get "sec\_error\_ocsp\_invalid\_signing\_cert", it probably means that you don't have the required CA (TODO: details/workaround/??) -* The [IndexedDB](https://en.wikipedia.org/wiki/Indexed_Database_API) is something that could potentially be used to track users, but it is also required by some browser add-ons in recent versions of Firefox. It would be best to disable this feature just to be on the safe side, but it is currently enabled, so that add-ons would work. See the following links for further info: - * [Issue #8](https://github.com/pyllyukko/user.js/issues/8) - * [IndexedDB Security Review](https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review) (this document also states that "IndexedDB is completely disabled in private browsing mode.", but this should still be verified) - * [This discussion](http://forums.mozillazine.org/viewtopic.php?p=13842047&sid=041e5edcae225759b7cfffd43fc518d0#p13842047) on mozillaZine Forums - * [IndexedDB page at MDN](https://developer.mozilla.org/en-US/docs/IndexedDB) -* [Firefox Hello](https://www.mozilla.org/en-US/firefox/hello/) requires [WebRTC](https://en.wikipedia.org/wiki/WebRTC), so you'll need to enable ```media.peerconnection.enabled``` & ```media.getusermedia.screensharing.enabled``` [and apparently](https://github.com/pyllyukko/user.js/issues/9#issuecomment-94526204) disable ```security.OCSP.require```. 
-* [Captive portals](https://en.wikipedia.org/wiki/Captive_portal) might not let OCSP requests through before authentication, so setting ```security.OCSP.require == false``` might be required before internet access is granted -* [DNT](https://en.wikipedia.org/wiki/Do_Not_Track) is not set, so you need to enable it manually if you want (see the discussion in [issue #11](https://github.com/pyllyukko/user.js/issues/11)) -* The ```network.http.referer.spoofSource``` and ```network.http.sendRefererHeader``` settings seems to break the visualization of the 3rd party sites on the [Lightbeam][13] extension -* You can not view or inspect cookies when in private browsing (see https://bugzil.la/823941) -* Installation of ```user.js``` causes saved passwords to be removed from the Firefox (see [#27](https://github.com/pyllyukko/user.js/issues/27)) -* Some payment gateways require third-party cookies to be fully enabled before you can make purchases on sites that use them (`network.cookie.cookieBehavior == 0`). Enabling `network.cookie.thirdparty.sessionOnly` will limit their lifetime to the length of the session no matter what. -* On some Android devices, all the pages might be blank (as seen [here](https://github.com/pyllyukko/user.js/pull/136#issuecomment-206812337)) if the setting ```layers.acceleration.disabled``` is set to ```true```. For more information, see [#136](https://github.com/pyllyukko/user.js/pull/136). - -The [web console](https://developer.mozilla.org/en-US/docs/Tools/Web_Console) is your friend, **when** websites start to break. + + + + + +In addition see the current [issues](https://github.com/pyllyukko/user.js/issues). You can use the [web console](https://developer.mozilla.org/en-US/docs/Tools/Web_Console) to investigate what causes websites to break. ## CAs diff --git a/user.js b/user.js index 90916f64..f85d7d3b 100644 --- a/user.js +++ b/user.js 
@@ -111,12 +111,13 @@ user_pref("browser.send_pings", false); // http://kb.mozillazine.org/Browser.send_pings.require_same_host user_pref("browser.send_pings.require_same_host", true); -// PREF: ?? (disabled) +// PREF: Disable IndexedDB (disabled) // https://developer.mozilla.org/en-US/docs/IndexedDB +// https://en.wikipedia.org/wiki/Indexed_Database_API // https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review -// TODO: find out why html5test still reports this as available -// NOTE: this is enabled for now, as disabling this seems to break some plugins. -// see: http://forums.mozillazine.org/viewtopic.php?p=13842047#p13842047 +// http://forums.mozillazine.org/viewtopic.php?p=13842047 +// https://github.com/pyllyukko/user.js/issues/8 +// NOTICE: Could be used for tracking purposes, but is required for some add-ons to work (notably uBlock) //user_pref("dom.indexedDB.enabled", true); // TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications" @@ -381,9 +382,10 @@ user_pref("browser.newtabpage.directory.source", "data:text/plain,{}"); // https://trac.torproject.org/projects/tor/ticket/19047 user_pref("browser.selfsupport.url", ""); -// PREF: Disable Firefox Hello (disabled) +// PREF: Disable Firefox Hello (disabled) (<49) // https://wiki.mozilla.org/Loop -// TODO: deprecated? not in DXR +// https://support.mozilla.org/t5/Chat-and-share/Support-for-Hello-discontinued-in-Firefox-49/ta-p/37946 +// NOTICE: Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work. //user_pref("loop.enabled", false); // PREF: Disable Firefox Hello metrics collection 
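Review bot: The new heading `// PREF: Disable IndexedDB (disabled)` sits above `//user_pref("dom.indexedDB.enabled", true);`, whose value is `true`, so a user who uncomments the line as written gets IndexedDB enabled, the opposite of what the heading says. The pref line itself is context here, but the description naming it is new; suggest `//user_pref("dom.indexedDB.enabled", false);`. Patch 12's hunk at L23 rewrites the NOTICE on this same block and keeps the `true`.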
@@ -504,17 +506,19 @@ user_pref("security.sri.enable", true); // https://en.wikipedia.org/wiki/Do_not_track_header // https://dnt-dashboard.mozilla.org // https://github.com/pyllyukko/user.js/issues/11 +// NOTICE: DNT must be enabled manually //user_pref("privacy.donottrackheader.enabled", true); // PREF: Send a referer header with the target URI as the source // https://bugzilla.mozilla.org/show_bug.cgi?id=822869 // NOTICE: Breaks functionality on websites relying on authentic referer headers +// NOTICE: Breaks visualisation of 3rd-party sites on the Lightbeam addon // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs user_pref("network.http.referer.spoofSource", true); // PREF: Accept Only 1st Party Cookies // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1 -// NOTICE: This breaks a number of payment gateways so you may need to comment it out. +// NOTICE: Breaks a number of payment gateways // CIS 2.5.1 user_pref("network.cookie.cookieBehavior", 1); @@ -536,6 +540,7 @@ user_pref("network.cookie.thirdparty.sessionOnly", true); // PREF: Permanently enable private browsing mode // https://support.mozilla.org/en-US/kb/Private-Browsing // https://wiki.mozilla.org/PrivateBrowsing +// NOTICE: You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941 user_pref("browser.privatebrowsing.autostart", true); // PREF: Do not store POST data in saved sessions @@ -553,6 +558,7 @@ user_pref("browser.cache.offline.enable", false); // PREF: Clear history when Firefox closes // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically +// NOTICE: Will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) user_pref("privacy.sanitize.sanitizeOnShutdown", true); user_pref("privacy.clearOnShutdown.cache", true); user_pref("privacy.clearOnShutdown.cookies", true); 
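Review bot: The removed README bullet attributed the Lightbeam breakage to both `network.http.referer.spoofSource` and `network.http.sendRefererHeader`, but the new `// NOTICE: Breaks visualisation of 3rd-party sites on the Lightbeam addon` is attached only to the spoofSource pref, so the sendRefererHeader entry (outside this hunk) loses that information; consider the same NOTICE there. A wording point on patch 12's rewrite of the `// NOTICE: DNT must be enabled manually` line added here (that hunk runs past the end of this excerpt): it reads "Do No Track", which should be "Do Not Track".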
@@ -762,6 +768,7 @@ user_pref("security.ssl.enable_ocsp_must_staple", true); // https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA // Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses // NOTICE: Will make the connection fail when the OCSP responder is unavailable +// NOTICE: Known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal) user_pref("security.OCSP.require", true); // PREF: Disable TLS Session Tickets From d1e4b6db7fcf7dcb05275ab72ac9a3ae03154b3a Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 18:09:18 +0100 Subject: [PATCH 10/17] README: improve and reorder FAQ --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a70f28ee..5beab481 100644 --- a/README.md +++ b/README.md 
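Review bot: The new captive-portal NOTICE drops the workaround the removed README bullet gave, namely that `security.OCSP.require` may have to be set to false until the portal has granted access, which is the actionable part for someone locked out of a hotspot. Suggest `// NOTICE: Known to break browsing on some captive portals; temporarily set security.OCSP.require to false if the portal login page does not load, and restore it afterwards`. The reminder to restore it matters because the comment two lines above already states that disabling the pref lets an attacker suppressing OCSP responses bypass the check.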
@@ -468,20 +468,20 @@ cas.sh -C -P ~/.mozilla/firefox/XXXXXXXX.new_profile -a ## FAQ +> Does this user.js file fix all security problems? + +No. Please read [Known problems and limitations](#known-problems-and-limitations), the project's +[issue](https://github.com/pyllyukko/user.js/issues) tracker, and report new issues there. + > Why are obsolete/deprecated entries included in the user.js file? -In case you want to use an older Firefox version (e.g. for test reasons) and normally it -doesn't hurt your browser if there are old about:config preferences present. +In case you want to use an older Firefox version (e.g. [ESR](https://www.mozilla.org/en-US/firefox/organizations/), +or for test reasons) and normally it doesn't hurt your browser if there are deprecated about:config preferences present. > Installing the user.js file breaks xyz plugin/addon/extension, how can I fix it? See https://github.com/pyllyukko/user.js/issues/100 -> Does this user.js file fix all security problems? - -No. Please report problems on the project's -[issue](https://github.com/pyllyukko/user.js/issues?q=is%3Aissue) tracker. - > Will there be an official addon/an android version/feature xyz? Search the project [issues](https://github.com/pyllyukko/user.js/issues?q=is%3Aissue). From eb45fd778b7cf5ea1a3bcd7e8b2c1acf5b5fab2b Mon Sep 17 00:00:00 2001 From: nodiscc Date: Tue, 14 Mar 2017 18:10:46 +0100 Subject: [PATCH 11/17] rename LICENSE.txt file to LICENSE, link to it from README --- LICENSE.txt => LICENSE | 0 README.md | 6 ++++++ 2 files changed, 6 insertions(+) rename LICENSE.txt => LICENSE (100%) diff --git a/LICENSE.txt b/LICENSE similarity index 100% rename from LICENSE.txt rename to LICENSE diff --git a/README.md b/README.md index 5beab481..523fa54c 100644 --- a/README.md +++ b/README.md 
@@ -596,6 +596,12 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl
 
 --------------------------------------------------------------------------
 
+## License
+
+Files in this repository are licensed under the [MIT](LICENSE) License.
+
+--------------------------------------------------------------------------
+
 [1]: http://kb.mozillazine.org/User.js_file
 [2]: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
 [3]: http://kb.mozillazine.org/Dom.storage.enabled
From 581309b29b3b6e3ccbf3f89dbb7857432d8d749d Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Tue, 14 Mar 2017 18:16:08 +0100
Subject: [PATCH 12/17] more explicit NOTICE: fields
---
 user.js | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/user.js b/user.js
index f85d7d3b..3d98a743 100644
--- a/user.js
+++ b/user.js
@@ -40,7 +40,7 @@ user_pref("dom.mozTCPSocket.enabled", false);
 // PREF: Disable DOM storage (disabled)
 // http://kb.mozillazine.org/Dom.storage.enabled
 // https://html.spec.whatwg.org/multipage/webstorage.html
-// NOTICE: Known to cause`TypeError: localStorage is null` errors
+// NOTICE: Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
 //user_pref("dom.storage.enabled", false);
 
 // PREF: Whether JS can get information about the network/browser connection
@@ -117,7 +117,7 @@ user_pref("browser.send_pings.require_same_host", true);
 // https://wiki.mozilla.org/Security/Reviews/Firefox4/IndexedDB_Security_Review
 // http://forums.mozillazine.org/viewtopic.php?p=13842047
 // https://github.com/pyllyukko/user.js/issues/8
-// NOTICE: Could be used for tracking purposes, but is required for some add-ons to work (notably uBlock)
+// NOTICE: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
 //user_pref("dom.indexedDB.enabled", true);
 
 // TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"
@@ -506,19 +506,19 @@ user_pref("security.sri.enable", true);
 // https://en.wikipedia.org/wiki/Do_not_track_header
 // https://dnt-dashboard.mozilla.org
 // https://github.com/pyllyukko/user.js/issues/11
-// NOTICE: DNT must be enabled manually
+// NOTICE: Do No Track must be enabled manually
 //user_pref("privacy.donottrackheader.enabled", true);
 
 // PREF: Send a referer header with the target URI as the source
 // https://bugzilla.mozilla.org/show_bug.cgi?id=822869
-// NOTICE: Breaks functionality on websites relying on authentic referer headers
-// NOTICE: Breaks visualisation of 3rd-party sites on the Lightbeam addon
+// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
+// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
 user_pref("network.http.referer.spoofSource", true);
 
 // PREF: Accept Only 1st Party Cookies
 // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
-// NOTICE: Breaks a number of payment gateways
+// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
 // CIS 2.5.1
 user_pref("network.cookie.cookieBehavior", 1);
 
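Review bot: The rewritten notice `// NOTICE: Do No Track must be enabled manually` in the second hunk drops the "t" of "Do Not Track" while replacing the `DNT` abbreviation, so the line meant to be self-explanatory now carries a typo; suggested: `// NOTICE: Do Not Track must be enabled manually`. The other NOTICE rewrites in this file section read correctly.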
@@ -558,7 +558,7 @@ user_pref("browser.cache.offline.enable", false);
 
 // PREF: Clear history when Firefox closes
 // https://support.mozilla.org/en-US/kb/Clear%20Recent%20History#w_how-do-i-make-firefox-clear-my-history-automatically
-// NOTICE: Will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
+// NOTICE: Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
 user_pref("privacy.clearOnShutdown.cache", true);
 user_pref("privacy.clearOnShutdown.cookies", true);
@@ -744,9 +744,9 @@ user_pref("network.stricttransportsecurity.preloadlist", true);
 // https://wiki.mozilla.org/CA:OCSP-HardFail
 // https://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.html
 // https://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
-// NOTICE: Leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
-// NOTICE: Vulnerable to replay attacks when nonce is not configured on the OCSP responder
-// NOTICE: Adds latency (performance)
+// NOTICE: OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
+// NOTICE: OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
+// NOTICE: OCSP adds latency (performance)
 // NOTICE: Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
 // CIS Version 1.2.0 October 21st, 2011 2.2.4
 user_pref("security.OCSP.enabled", 1);
@@ -761,14 +761,14 @@ user_pref("security.ssl.enable_ocsp_stapling", true);
 // https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
 // https://www.entrust.com/ocsp-must-staple/
 // https://github.com/schomery/privacy-settings/issues/40
-// NOTICE: Falls back on plain OCSP when must-staple is not configured on the host certificate
+// NOTICE: Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
 user_pref("security.ssl.enable_ocsp_must_staple", true);
 
 // PREF: Require a valid OCSP response for OCSP enabled certificates
 // https://groups.google.com/forum/#!topic/mozilla.dev.security/n1G-N2-HTVA
 // Disabling this will make OCSP bypassable by MitM attacks suppressing OCSP responses
-// NOTICE: Will make the connection fail when the OCSP responder is unavailable
-// NOTICE: Known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
+// NOTICE: `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
+// NOTICE: `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
 user_pref("security.OCSP.require", true);
 
 // PREF: Disable TLS Session Tickets
@@ -810,7 +810,7 @@ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 // PREF: Disallow connection to servers not supporting safe renegotiation
 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
-// NOTICE: Makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` error)
+// TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
 //user_pref("security.ssl.require_safe_negotiation", true);
 
 // PREF: Disable automatic reporting of TLS connection errors
From 930967bf4974cf45c9854159cc6e4f83d467db93 Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Tue, 14 Mar 2017 18:22:41 +0100
Subject: [PATCH 13/17] gen-readme.sh: add 'known problems and limitations' section generation
---
 gen-readme.sh | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/gen-readme.sh b/gen-readme.sh
index 217e1407..003b212f 100755
--- a/gen-readme.sh
+++ b/gen-readme.sh
@@ -98,22 +98,35 @@ function _gen_section_header() {
 esac
 }
 
+function _gen_problems() {
+ grep 'NOTICE:' user.js | sed 's|// NOTICE: |* |g'
+}
+
 function _write_readme() {
- # write the generated section to README.md (section delimited by html comments BEGIN/END SECTION)
+ # write generated sections to README.md (section delimited by html comments BEGIN/END SECTION)
 # https://stackoverflow.com/questions/21876431
 echo "$README_SECTION" > whatdoesitdo.tmp.md
 awk '
- BEGIN {p=1}
+ BEGIN {p=1}
 /BEGIN SECTION/ {print;system("cat whatdoesitdo.tmp.md");p=0}
 /END SECTION/ {p=1}
 p' README.md > README-new.md
 mv README-new.md README.md
 rm whatdoesitdo.tmp.md
- #sed --silent "/BEGIN SECTION/{:a;N;/END SECTION/!ba;N;s/.*\n${README_SECTION}\n/};p" README.md
+
+ echo "$PROBLEMS_SECTION" > knownproblems.tmp.md
+ awk '
+ BEGIN {p=1}
+ /BEGIN PROBLEMS-LIMITATIONS/ {print;system("cat knownproblems.tmp.md");p=0}
+ /END PROBLEMS-LIMITATIONS/ {p=1}
+ p' README.md > README-new.md
+ mv README-new.md README.md
+ rm knownproblems.tmp.md
 }
 ###################################
 README_SECTION=$(_gen_entries)
+PROBLEMS_SECTION=$(_gen_problems)
 _write_readme
From b70f602df143c593e5f258f4fbc71f2f2f9d462f Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Tue, 14 Mar 2017 18:24:15 +0100
Subject: [PATCH 14/17] run make, generate 'kwown problems and limitations' readme section Fixes #238
---
 README.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 523fa54c..882acb96 100644
--- a/README.md
+++ b/README.md
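Review bot: `_gen_problems` matches `NOTICE:` anywhere on a line and its sed substitution is unanchored, so any user.js line that merely mentions NOTICE mid-comment or inside a URL would be copied into the README verbatim, without the `* ` bullet; anchoring both to the line start keeps the generated list to real notice lines: `grep '^// NOTICE: ' user.js | sed 's|^// NOTICE: |* |'`. The second awk block in `_write_readme` is a copy of the first with only the marker names and temp file changed, so a helper taking the BEGIN/END marker and the temp file name would keep the two in step when one is fixed. If `awk` or `mv` fails part-way, `knownproblems.tmp.md` and `README-new.md` are left behind in the working directory; a `trap ... EXIT` cleanup or `mktemp` files would avoid that. Whether the script runs under `set -e` is not visible in this hunk.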
@@ -372,8 +372,22 @@ See also:
 Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations:
-
-
+* Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
+* IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
+* Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
+* Do No Track must be enabled manually
+* Spoofing referers breaks functionality on websites relying on authentic referer headers
+* Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
+* Blocking 3rd-party cookies breaks a number of payment gateways
+* You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
+* Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
+* OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
+* OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
+* OCSP adds latency (performance)
+* Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
+* Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
+* `security.OCSP.require` will make the connection fail when the OCSP responder is unavailable
+* `security.OCSP.require` is known to break browsing on some [captive portals](https://en.wikipedia.org/wiki/Captive_portal)
 In addition see the current [issues](https://github.com/pyllyukko/user.js/issues). You can use the [web console](https://developer.mozilla.org/en-US/docs/Tools/Web_Console) to investigate what causes websites to break.
From fe7555ae6431e9a6b272e247392154964cb5242f Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Wed, 15 Mar 2017 22:36:24 +0100
Subject: [PATCH 15/17] add network.http.referer.XOriginPolicy: 2 in addition to referer spoofing: Users wanting to disable referer spoofing to workaround listed problems will still be protected against disclosing previously visited pages to target domains when clicking on a link
---
 README.md | 4 +++-
 user.js | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 882acb96..964818c3 100644
--- a/README.md
+++ b/README.md
@@ -233,7 +233,8 @@ HTTP protocol related entries. This affects cookies, the user agent, referer and
 * Enable CSP 1.1 script-nonce directive support [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=855326) ]
 * Enable Content Security Policy
 * Enable Subresource Integrity [ [1](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) [2](https://wiki.mozilla.org/Security/Subresource_Integrity) ]
-* Send a referer header with the target URI as the source [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=822869) ]
+* Send a referer header with the target URI as the source [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=822869) [2](https://github.com/pyllyukko/user.js/issues/227) ]
+* Don't send referer headers when following links across different domains [ [1](https://github.com/pyllyukko/user.js/issues/227) ]
 * Accept Only 1st Party Cookies [ [1](http://kb.mozillazine.org/Network.cookie.cookieBehavior#1) ]
 * Make sure that third-party cookies (if enabled) never persist beyond the session. [ [1](https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/) [2](http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly) [3](https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly) ]
 
@@ -378,6 +379,7 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced
 * Do No Track must be enabled manually
 * Spoofing referers breaks functionality on websites relying on authentic referer headers
 * Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
+* Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
 * Blocking 3rd-party cookies breaks a number of payment gateways
 * You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
 * Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
diff --git a/user.js b/user.js
index 3d98a743..5f654d4b 100644
--- a/user.js
+++ b/user.js
@@ -511,11 +511,17 @@ user_pref("security.sri.enable", true);
 
 // PREF: Send a referer header with the target URI as the source
 // https://bugzilla.mozilla.org/show_bug.cgi?id=822869
+// https://github.com/pyllyukko/user.js/issues/227
 // NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
 // NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
+// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
 user_pref("network.http.referer.spoofSource", true);
 
+// PREF: Don't send referer headers when following links across different domains
+// https://github.com/pyllyukko/user.js/issues/227
+user_pref("network.http.referer.XOriginPolicy", 2);
+
 // PREF: Accept Only 1st Party Cookies
 // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
 // NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
From f14e293fd485645876e2ef05180b3a768e1bddb5 Mon Sep 17 00:00:00 2001
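Review bot: The context line `// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs` in the user.js hunk is stale once this hunk enables `network.http.referer.XOriginPolicy` = 2 uncommented a few lines below; it should now name only XOriginTrimmingPolicy, or be dropped. The new pref entry also carries no `NOTICE:` line, whereas the neighbouring referer-spoofing entry documents its site breakage; presumably withholding cross-origin referers affects the same class of referer-checking sites, so a notice such as `// NOTICE: Not sending cross-origin referers breaks functionality on websites relying on authentic referer headers` would keep the entry consistent with its neighbours. The README hunk in this commit likewise records only the spoofing breakage.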
From: nodiscc
Date: Sat, 18 Mar 2017 14:57:55 +0100
Subject: [PATCH 16/17] disable network.http.referer.XOriginPolicy add missing (disabled) suffix remove license section from readme add notice about serviceworkers breakage
---
 README.md | 9 +--------
 user.js | 7 ++++---
 2 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 964818c3..d619bc57 100644
--- a/README.md
+++ b/README.md
@@ -234,7 +234,6 @@ HTTP protocol related entries. This affects cookies, the user agent, referer and
 * Enable Content Security Policy
 * Enable Subresource Integrity [ [1](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) [2](https://wiki.mozilla.org/Security/Subresource_Integrity) ]
 * Send a referer header with the target URI as the source [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=822869) [2](https://github.com/pyllyukko/user.js/issues/227) ]
-* Don't send referer headers when following links across different domains [ [1](https://github.com/pyllyukko/user.js/issues/227) ]
 * Accept Only 1st Party Cookies [ [1](http://kb.mozillazine.org/Network.cookie.cookieBehavior#1) ]
 * Make sure that third-party cookies (if enabled) never persist beyond the session. [ [1](https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/) [2](http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly) [3](https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly) ]
 
@@ -295,7 +294,6 @@ Improve visibility of security-related elements, mitigate shoulder-surfing
 * Enfore Public Key Pinning [ [1](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) [2](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) ]
 * Disallow SHA-1 [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1302140) [2](https://shattered.io/) ]
 * Warn the user when server doesn't support RFC 5746 ("safe" renegotiation) [ [1](https://wiki.mozilla.org/Security:Renegotiation#security.ssl.treat_unsafe_negotiation_as_broken) [2](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555) ]
-* Disallow connection to servers not supporting safe renegotiation [ [1](https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation) [2](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555) ]
 * Disable automatic reporting of TLS connection errors [ [1](https://support.mozilla.org/en-US/kb/certificate-pinning-reports) ]
 * Pre-populate the current URL but do not pre-fetch the certificate in the "Add Security Exception" dialog [ [1](http://kb.mozillazine.org/Browser.ssl_override_behavior) [2](https://github.com/pyllyukko/user.js/issues/210) ]
 
@@ -373,6 +371,7 @@ See also:
 Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations:
+* Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
 * Disabling DOM storage is known to cause`TypeError: localStorage is null` errors
 * IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
 * Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work.
@@ -612,12 +611,6 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl
 
 --------------------------------------------------------------------------
 
-## License
-
-Files in this repository are licensed under the [MIT](LICENSE) License.
-
---------------------------------------------------------------------------
-
 [1]: http://kb.mozillazine.org/User.js_file
 [2]: https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
 [3]: http://kb.mozillazine.org/Dom.storage.enabled
diff --git a/user.js b/user.js
index 5f654d4b..df2b2a64 100644
--- a/user.js
+++ b/user.js
@@ -11,6 +11,7 @@
 // https://developer.mozilla.org/en-US/docs/Web/API/Worker
 // https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
 // https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
+// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
 // Unknown security implications
 // CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
 user_pref("dom.serviceWorkers.enabled", false);
@@ -518,9 +519,9 @@ user_pref("security.sri.enable", true);
 // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
 user_pref("network.http.referer.spoofSource", true);
 
-// PREF: Don't send referer headers when following links across different domains
+// PREF: Don't send referer headers when following links across different domains (disabled)
 // https://github.com/pyllyukko/user.js/issues/227
-user_pref("network.http.referer.XOriginPolicy", 2);
+// user_pref("network.http.referer.XOriginPolicy", 2);
 
 // PREF: Accept Only 1st Party Cookies
 // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
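Review bot: In the last user.js hunk the disabled pref is written as `// user_pref("network.http.referer.XOriginPolicy", 2);` with a space after `//`, whereas every other disabled entry visible in this series uses the `//user_pref(` form (for example `//user_pref("privacy.donottrackheader.enabled", true);` and `//user_pref("security.ssl.require_safe_negotiation", true);`). Keeping the form uniform matters if anything greps the file for `^//user_pref` to list disabled prefs; suggested: `//user_pref("network.http.referer.XOriginPolicy", 2);`.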
@@ -813,7 +814,7 @@ user_pref("security.pki.sha1_enforcement_level", 1);
 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 
-// PREF: Disallow connection to servers not supporting safe renegotiation
+// PREF: Disallow connection to servers not supporting safe renegotiation (disabled)
 // https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation
 // https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
 // TODO: `security.ssl.require_safe_negotiation` is more secure but makes browsing next to impossible (2012-2014-... - `ssl_error_unsafe_negotiation` errors), so is left disabled
From 4659c95c250baab62ef1bbced5f8f150ed8d2fce Mon Sep 17 00:00:00 2001
From: nodiscc
Date: Sun, 19 Mar 2017 04:06:55 +0100
Subject: [PATCH 17/17] tests: add badssl
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index d619bc57..d27b8d7f 100644
--- a/README.md
+++ b/README.md
@@ -556,6 +556,7 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl
 * [Mixed content tests (Mozilla)](https://people.mozilla.org/~tvyas/mixedcontent.html)
 * [Mixed content tests (Microsoft)](https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm)
 * [SSL Checker | Symantec CryptoReport](https://cryptoreport.websecurity.symantec.com/checker/views/sslCheck.jsp)
+* [Bad SSL](https://badssl.com/)
 
 #### Other tests