FF 66.0.4 and security.nocertdb=true [1549344, 1549249: fixed FF68+]

[Shadymerlin]

Hello.

I think everyone knows about the problem with addons for firefox. Mozilla released version 66.0.4 yesterday that should fix this problem. But I was faced with the fact that even on the new version of Firefox add-ons did not work. I began to find out why. It should be said that I use the hardening version user.js. As it turned out the problem lay with pref security.nocertdb. If a intermediate certificate caching off then addons are not installed even on FF 66.0.4. I always thought that intermediate certificate caching huge fingerprint which raise entropy. I have not experienced any difficulties after disable. Tor Browser also always disables it. How to be now I do not know. I need addons but I don’t want to increase my entropy. What do you think about that?

[aesthicc]

I had the same issue, I have it set to false for now. There will be more updates.

[Shadymerlin]

So far I`m use FF 66.0.4rc1. Addons work fine (except https-everywhere, use old february version) and security.nocertdb "true" too. FF 67b17 have same problem as well as stable.

[Thorin-Oakenpants]

It should be said that I use the hardening version user.js

Just to be super clear: We don't have a hardened user.js. And the pref is inactive in our only user.js template. So I assume you mean you hardened it yourself

[Shadymerlin]

Just to be super clear: We don't have a hardened user.js. And the pref is inactive in our only user.js template. So I assume you mean you hardened it yourself

I know it. :) Just unfortunately every year you become softer and softer, trying to please ALL users. No offence. Therefore, I have long been making for myself user.js based on yours. Change some prefs from "true" to "false" and "false" to "true". Make active pref etc. Add some.

https://bugzilla.mozilla.org/show_bug.cgi?id=1549344

The hotfix added a new "temp" cert, and thus would not persist. I had no expectations about the dot release, but seeing as it's a "temp" cert (I haven't looked at it's expiry date) and that they are looking the whole mechanism and will be making other changes - that the dot release would probably do the same - i.e it is just the hotfix but rolled into an update to cover all those who didn't have Normandy on (which is exactly what they said they would do).

It's affecting Tor Browser (security.nocertdb = true at all slider settings), so I am sure they will. I guess the one loaded into memory wasn't patched? The one that gets created on new profiles? I wonder if that's a bug as well? IDK

That is, there is hope that mozilla will fix this in the next stable version? It's good.

[Shadymerlin]

None taken. But there is nothing "soft" about what I change - there is always a reason. This is still a very hardened setup. Sure it can be further hardened - but that's on the end user

I do not want to flood, but... For example, one of the latest changes regarding the work of Netflix with their DRM video.https://github.com/ghacksuserjs/ghacks-user.js/issues/709 Was it really so necessary? People who need Netflix don't care about security and privacy. But you made concessions. I am sure that three years ago you would never do such a thing. Ah-h, golden years. :)

[Thorin-Oakenpants]

WTF are you talking about? The user.js, as is, does not allow cdm or eme, or the openh264 gmp (because only WebRTC uses it and that's disabled), and AFAICT the only pref I made inactive to do with gmp/cdm/eme i.e. pref 1820, doesn't do anything except hide plugins in about:addons and thereby also hides those plugins' options (such as always/never activate, and updates of them). In effect, there has been no change.

People who need Netflix don't care about security and privacy

Most people have no idea, and just want the web to work. That doesn't mean they don't care about these. And for it is entirely possible to use Netflix with both of those: security risk of the codecs is very low - just using a browser is a security risk. Privacy, their streams are encrypted. But like any service /platform on the internet - they have to decide if they want it and how to use it. I'm not a NF user, but you used to be able to use a VPN, you used to be able to pay with non-traceable methods (prepaid cards, bitcoin? IDK), use a thowaway account. But at the end of the day to say they don't CARE about privacy is a load of hogwash.

I am sure that three years ago you would never do such a thing

Here is a quote "Once is an accident. Twice is a coincidence. Three times is enemy action." Just stop digging that hole... and making assumptions about why I do something.

[aesthicc]

You do a good job @Thorin-Oakenpants , your efforts are appreciated. It all seems like a lot of information and confusing at times, so thanks for being thorough.

[Shadymerlin]

The more unnecessary services running, the wider the vector to attack from the outside. Over the past year you have done a lot of things inactive or removed. To tell the truth, I have already begun to think about the fact that Mozilla has set on lawyers against you. That's why you give up positions one after another. I still can not believe that you enable "safebrowsing". You gave &%$*$ google the right to dispose of which sites the user can enter, and which not. It`s wrong. I do not need to tell tales that it is important for security reason. I know how they work. This is nothing more than a means of control. They have long considered itself the masters of the Internet. And I remind you that safebrowsing has been inactive in ghacks-user.js for a long time before you enable it. Forgive me for being straightforward. Just already boiling.

[aesthicc]

Seems fair @Shadymerlin I think it's more a question of broadening the user-base as much as possible, a lot of people probably don't feel as safe without safebrowsing. I disable it as well, but I also have a good firewall.

[crssi]

@Shadymerlin why do you wait to boiling point? IMHO @Thorin-Oakenpants would never avoid constructive debate and others opinion.

[claustromaniac]

The more unnecessary services running, the wider the vector to attack from the outside.

Prefs are neither services, nor they necessarily enable or disable services. Prefs control specific functionality of the browser, and their names aren't always descriptive or even accurate. Moreover, that statement of yours is nothing more and nothing less than a heuristic. Heuristic approaches usually lead to sub-optimal results. That's not to say they're not useful or that Pants doesn't use them. We all make decisions in our everyday lives based on heuristics without even noticing. But why resort to such decisions when you can, on a case-by-case basis:

• consult the experts, ask for opinions
• analyze the source code yourself to see how things really work
• test stuff yourself to see what changes take place when you toggle a pref on or off

From what I've seen so far, Pants and earthlng avoid making decisions based on heuristics whenever they can.

Over the past year you have done a lot of things inactive or removed.

Again, that is not necessarily a bad thing. There were well-grounded reasons to remove or make inactive all those things. That does not equate to Pants and earthlng becoming softer. If in your books disabling stuff leads to better security and privacy, then all you're doing is leaving everything to heuristics (and making very wrong assumptions about Pants' decisions in the process).

To tell the truth, I have already begun to think about the fact that Mozilla has set on lawyers against you.

...Really? Mozilla spending money on lawyers to accuse a user... of what, exactly? of changing a bunch of settings they made available in the first place? of sharing the info on GitHub? If Mozilla didn't want you to have the freedom to make those choices, they would simply not give you that freedom. It would mean less work for them (and they wouldn't need lawyers for that!)

That's why you give up positions one after another.

Give up positions?... Is Pants not entitled to change his mind? Besides, many of the changes to the user.js only happen because the browser is getting updates all the time, and some of the things that used to make sense no longer make sense (and so on).

As for the rest of the rant: IMHO It's not constructive. The only thing you've done here is voice your distrust of Mozilla, of Google and of Pants. You're free to choose whom to trust, but if you don't even trust Pants, what are you even doing here? Does Pants owe you anything?

Consider this some criticism of my own. And in case you're still boiling, try to remember that all of us here are humans (except me, I'm a cat). We all make mistakes. Let's be civil.

[Thorin-Oakenpants]

https://bugzilla.mozilla.org/show_bug.cgi?id=1549249 ... hard-code new add-on signing intermediate so it's always available

[Thorin-Oakenpants]

I still can not believe that you enable "safebrowsing"

I didn't enable anything, stop lying. It was inactive. I actually removed most of it recently, because of idiotic statements like yours. I'm sorry now I ever provided the info. And lastly, I do actually actively block a part of it. Stop drinking the kool-aid bro! You seem to only look at things in black and white. Learn to see shades of grey.

:small_red_triangle_down: Point 1: The SB contents

Google is the only one capable of providing such a list (Safe Browsing) - or at the very least the best one. Look, call them evil, and they do shitty things .. but they also do good things, especially in the field of security (because they have to: this is not some BS IoT company). They do not fuck around when it comes to security.

Google couldn't fucking care less about what is on that list, unless it has to do with security etc. It's not a mechanism they would use for censorship: they already control that in their search engine - censorship actually goes against their model (they want diversity). And also consider the fallout and backlash if this was used to e.g say block FoxNews. And SB is used by more than just google/chrome, it's not just a google product: it's a global service provided by google. Like any list, false positives can slip in, as can one or two contentious items.

:small_red_triangle_down: Point 2: Default

Consider that the web is crawling with 5billion people (and at least one cat) , of which 4.8billion have NFI. What's more important here: catering to your wild accusations, or as a default, protecting most users.

:small_red_triangle_down: Point 3: There is no privacy risk

I'm sick of pointing this out time and time again. Read the section header, take the link. No F privacy risk with using the local SB lists or updating them.

:small_red_triangle_down: Point 4: Real time binary checks are disabled

enough said

---

And I can defend every single change I have made to the user.js (that doesn't mean I don't make mistakes). You keep saying I have made things "softer": but I actually haven't, or where something actually is (very very rare), e.g HTTP2, there are solid reasons - there is always a trade-off. You just keep looking at things in black and white, and in isolation.

That's twice now you have provided examples of my "softness": cdm/eme and SB, and both times nothing was actually changed with them. Both examples you called me out on, and both time you were wrong. Seriously dude, stop wasting my time.

I appreciate the fact that you brought up this issue, which I was already aware of: that sort of participation is welcome. But leave all your other baggage at the door