Closed GlitteringReturn closed 4 months ago
How does your network connection look like? Is there some firewall intercepting TLS connections? Or an AV Software?
Yes thanks @Thorin-Oakenpants, I saw the relevant setting in the user.js file, and this issue is discussed on Reddit. However, the security implications of reverting this pref to its default state are not discussed. I.e., should I revert it to its default state, and will this have implications?
If you want your AV to be a MitM (man-in-the-middle) to all your browsing, then you will need to do something about it - i.e change the setting in your overrides
@Thorin-Oakenpants I am getting Bing Chat (yes, an awful thing) to decipher all this computer science jargon for me, this is what it said:
Some antivirus programs have features that allow them to inspect your web traffic to check for threats. To do this, they act as a “Man-in-the-Middle” (MitM), intercepting and scanning the data being sent between your browser and the server. This is done to protect you from potential threats like malware or phishing attacks that might be present in web content.
However, this can potentially conflict with certain security features of your browser, like the HTTP Public Key Pinning (HPKP) we discussed earlier. If your antivirus is set up to act as a MitM, and you have your browser’s HPKP setting on strict enforcement (security.cert_pinning.enforcement_level set to 2), your browser might block connections to websites, even if they are safe, because it detects the antivirus’s certificates instead of the website’s.
So, the statement is saying that if you want your antivirus to continue acting as a MitM for your web browsing, you might need to adjust your browser’s settings to allow this. In the context of the Firefox settings we discussed, this would mean changing security.cert_pinning.enforcement_level
to 1
, which allows user-defined MitM scenarios.
From my understanding, my antivirus is likely set up to act as a MitM, since I have my browser’s HPKP setting on strict enforcement (security.cert_pinning.enforcement_level
set to 2
), and Bing said that my browser might block connections to websites, even if they are safe, because this pref could be detecting the antivirus’s certificates instead of the website’s. Thus, I assume and probably incorrectly, that setting this pref to 2
by default is weakening security, as it is not allowing my anti-virus to inspect my web traffic to check for threats, by acting as an MitM.
TL;DR: So, wouldn't it be logical to add a [SETUP-SECURITY]
tag to this pref and add it to the common overrides list (because most people are using Windows)?
Edit: I am completely winging this, I study Biology and general science, not computer science, so correct me if I am wrong.
Edit 2: we could all work on making Arkenfox more usable for average computer users, as the wiki, is hard to read for lay people like me. Alternatively, Firefox could implement these f-king settings by default, so we wouldn't have to go through all of this work.
Edit 3: thanks for the help!!!
How does your network connection look like? Is there some firewall intercepting TLS connections? Or an AV Software?
No clue, I am not proficient in computer science, it appears that both might be true, I fixed the issue by setting the security.cert_pinning.enforcement_level pref
to 1
.
Alternatively, Firefox could implement these f-king settings by default, so we wouldn't have to go through all of this work
FF defaults are fine - if they changed any then people would experience a broken web, even if it was only 1% of users, that's still millions of people - so they have to tread a very fine line between what and when to turn the screws
I am completely winging this
That's fine. Here is the thing, but you decide. AV is a reasonable thing to have on an OS - checking files on create, edit/save (or just certain types of files), and doing some heuristics. I personally went without an AV for 10 years on windows. IMO, they're almost all fear-mongering scammy-spammy shitfests (OMG cookies, you have cookies, clean now, buy our special cleaner ....) On windows 11, I am happy to leave windows defender to do it's thing.
The thing with browsers, on desktop, is that they are essentially where you do everything - banking, reading the news, posting shits on extwitter, meme'ing on 4chan, bitwashing your crypto, stalking waldo, answering elmo, and bashing taylor swift as a deep state plant.
Browsers are inherently very secure, they have to be. The already come with "local" safe browsing blocklists (although the effect of these has lessened over the years - you can see google's numbers on it) and uBO will add a lot more blocking for the average person - i.e the attack surface is reduced. 99% of browsing (and email) security is common sense. And nothing in the world is gong to save you if you decide to do "something" - not a browser nor an AV - in the context of browsing that is.
I'm telling you now, you do NOT ever need a shady MiTM selling your data for money as some shady mobster claiming .. "nice browser you have there, shame if something were to happen to it in it" - the AV has no need to ever be in your browser IMO.
Should you download a virus or something dangerous, then the AV can deal with it. AV IMO had zero rights to be fucking with your privacy in what is already a highly secure environment
but you do you
/end mini-rant :)
@Thorin-Oakenpants the more you rant, the more I learn, I am always ranting on about society, science and common sense. I think rants are undervalued in this day and age.
Never used third party AV software, I've always used defender. AVG in the olden days put my dad's data under ransom, Norton would aggressively pop up on my maths teacher's laptop, telling her to scan now, every six seconds, Mcafee was deemed a virus after it would pop-up on computers in my uni unsolicited, it's all bullshit. I sincerely hate bloatware, telemetry, unoptimised operating systems (synonymous with the term 'anti-lightweight'), simplicity is key! Companies are trying to farm our data, most of which is inaccurate and unusable, just because of their immense greed, at the cost of our environment.
'The thing with browsers, on desktop, is that they are essentially where you do everything - banking, reading the news, posting shits on extwitter, meme'ing on 4chan, bitwashing your crypto, stalking waldo, answering elmo, and bashing taylor swift as a deep state plant." I try to avoid computers and the internet, they are a sad substitute for nature.
So, I have finished reading your response, I don't have AV, so I think it's microsoft tbh, what the heck do I do now?
"you do you". Nah, I think people need to start doing the right thing, because what I want to do is not always right.
Thanks for the detailed response.
mini rants are the best .. they're like power naps
I have just realised it's probably AdGuard for Windows filtering my web traffic, an application that I trust. No idea why Google, and its services like YouTube are only affected.
🟥 https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting
maywill be closed as invalid🟪 REQUIRED INFO
An error occurred during a connection to google.com. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
Why?