rusty-snake
commented
5 years ago Tested with Firefox 68 under Fedora: security.enterprise_roots.enabled = false.
Closed earthlng closed 5 years ago
rusty-snake
commented
5 years ago Tested with Firefox 68 under Fedora: security.enterprise_roots.enabled = false.
Thorin-Oakenpants
commented
5 years ago ^^ AFAIK its default false on all platforms, and only gets (permanently?) flipped to true when FF detects a MitM error (and the mitigation fixed the problem)
I'm leaning towards just ignoring these two prefs. those who don't use an AV, or don't let AV meddle with HTTPS traffic: then it's a non-issue (I think). Otherwise the end-user probably needs to allow it (and if they want an AV snooping on all their traffic: that's their problem)
PS: one last time: I do not care about enterprise: enterprise users can get their Enterprise IT people to sort it out if we break anything
earthlng
commented
5 years ago IMO we should add security.enterprise_roots.enabled=true inactive and security.certerrors.mitm.priming.enabled=false as active.
People who have a broken AV or other SW that MITMs their connections would have radical breakage anyway on pretty much every HTTPS request presumably. security.certerrors.mitm.auto_enable_enterprise_roots is a helper for those few people but the real solution is to either import the missing AV cert manually or set security.enterprise_roots.enabled to true.
For everyone who has setup their MITM software correctly and everyone without any MITM SW, security.certerrors.mitm.priming.enabled=false disables a mostly useless feature that makes connections to a mozilla server whenever you encounter a SEC_ERROR_UNKNOWN_ISSUER error.
You can test that here: https://mitm-software.badssl.com/
... to see the request, open the browser console and enable XHR logging.
If we do that, we can ignore security.certerrors.mitm.auto_enable_enterprise_roots because it's never used when the MITM priming thing is disabled.
Even without this priming feature, FF still has a separate MITM detection that works without making additional requests and runs on every update request and blocklist update.
Thorin-Oakenpants
commented
5 years ago Thorin-Oakenpants
commented
5 years ago OK, I have some time free ... lets get this finished
trailhead: ignore it because it only runs on first startup. I have to admit I did not follow (read) this, and as I already mentioned earlier ("Trailhead: I never saw any trailhead about welcome"), what exactly is the threat here?
super-early draft
/* 1224: fuck enterprise/AV certs and stop Firefox automatically enabling them
* [1] https://blog.mozilla.org/security/2019/07/01/fixing-antivirus-errors/ ***/
user_pref("security.enterprise_roots.enabled", false);
user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
"have I got this the right way round?"
/* 2705: make extensions respect cookie settings
* [1] https://bugzilla.mozilla.org/1525917 ***/
// user_pref("extensions.cookiesBehavior.overrideOnTopLevel", false); // [DEFAULT: false]side-note: https://bugzilla.mozilla.org/show_bug.cgi?id=1525917#c9
The reason for this behavior is that customizing the cookieBehavior was resulting in broken extension behaviors (in particular by breaking the access to the storage webAPIs, like IndexedDB and localStorage).
Hmmm, I wonder if this has any bearing on my extensions kinda going a bit mental: seeing as I block all cookies by default. Not sure it does, as filters, rules, assets were still working, getting updated. IDK. Am so over this release. Can't wait for site permissions to be OA'ed (fun times!) - wonder how that works with temp containers
earthlng
commented
5 years ago @Thorin-Oakenpants
"Trailhead: I never saw any trailhead about welcome"
probably because you activated some or all of the WELCOME & WHAT's NEW NOTICES prefs in 5000?
@LegitLlama
The disable value is unclear, because ActivityStream is an alien in the codebase
FYI the disable value is trailhead.firstrun.branches="nofirstrun"
I went with banning
about:welcomefrom popping up on new profiles by changingstartup.homepage_welcome_urlthrough group policy
You could instead set browser.startup.homepage_override.mstone="ignore" which effectively disables startup.homepage_welcome_url + startup.homepage_welcome_url.additional + startup.homepage_override_url
@Thorin-Oakenpants
I think we can ignore extensions.cookiesBehavior.overrideOnTopLevel because it's just a temporary pref and they already have 1537753 to remove it again:
[the pref] allows to restore the old behavior (intended to be used only in case we notice a regression that we have to fix before we can allow the changes from
Bug 1525917to reach a release version).The goal of this issue is to remove the above preference as soon as we have released the new behavior and we don't need to restore the old behavior anymore.
Thorin-Oakenpants
commented
5 years ago I think we can ignore extensions.cookiesBehavior.overrideOnTopLevel because....
Cool. Will amend OP
probably because you activated some...
The opposite in fact. I do not override any of those whats new/welcome/url things in section 5000, I also don't have any AS (isn't that what triggers it?) ... (my start/home page is an extension)... I guess it just never gets to trigger in my setup (for now)
I still do not understand the threat here. So a one off about page loads? Is that it?
Thorin-Oakenpants
commented
5 years ago No one has commented on my super early draft
/* 1224: fuck enterprise/AV certs and stop Firefox automatically enabling them
* [1] https://blog.mozilla.org/security/2019/07/01/fixing-antivirus-errors/ ***/
user_pref("security.enterprise_roots.enabled", false);
user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);Trailhead - no-one has shown me that there is an actual threat, and only hinted at possible future vagueness. AFAIK, it's a one-off page. I'm not keen on adding this for that reason. If you don't trust Mozilla by now, then go use some other browser. They're not monetizing you, they're not collecting your PII, etc. Your browser connects to Mozilla to check for updates, revoked certs, update extensions - hell, just looking at your extensions will contact AMO and I'd rather stop that, than worry about a one-off.
That said, I do get that some users want a "quiet" FF. I just don't see a one-off fitting this. I'd rather have less stuff in the user.js (and I also do not want to feed assholes like spyware.neocities.org any data to feed their BS machine and look all mighty)
So AFAIConcerned, there are two options
Speak now, or never mention it again (unless how trailhead is used changes). If i got something wrong about this, then let me know: because I'm just going to ignore it, despite asking numerous times what the actual threat is (to privacy, security, tracking, FP'ing, anonymity: I can't see any threat TBH).
Also: give me the heads up on the enterprise_roots. I don't really care if we do nothing TBH.
If I don't get any replies, then I'll just ignore the whole lot and close this issue. Thanks
FF68 is scheduled for release July 9th
FF68 release notes [when ready] FF68 for developers FF68 compatibility FF68 security advisories
237 diffs ( 133 new, 76 gone, 28 different )
new in v68.0:
240345024502removed, renamed or hidden in v68.0:
ALL DONE- https://github.com/ghacksuserjs/ghacks-user.js/commit/9aa8e27ef4d77f1de07e7d765b75fa075eb320d90105b- 15409390105b- 15461900307- 1525762 (part 3b)2682- 1386214changed in v68.0:
2212- https://github.com/ghacksuserjs/ghacks-user.js/commit/42281a9e52211b4eab6b1fae8d7b0af3b9bb2910auxclick2662input.mozilla.org2612https://input.mozilla.orgignore
click me for details
==NEW ```js pref("app.update.BITS.enabled", true); pref("apz.fixed-margin-override.bottom", 0); pref("apz.fixed-margin-override.enabled", false); pref("apz.fixed-margin-override.top", 0); pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior4,cm,fp"); pref("browser.contentblocking.maxIntroCount", 5); pref("browser.in-content.dark-mode", false); pref("browser.newtabpage.activity-stream.asrouter.providers.cfr-fxa", "{\"id\":\"cfr-fxa\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"cfr-fxa\",\"frequency\":{\"custom\":[{\"period\":\"daily\",\"cap\":1}]}}"); pref("browser.safebrowsing.prefixset_max_array_size", 524288); pref("corroborator.enabled", false); pref("devtools.aboutdebugging.local-tab-debugging", false); pref("devtools.aboutdebugging.process-debugging", true); pref("devtools.aboutdebugging.showHiddenAddons", false); pref("devtools.browserconsole.contentMessages", false); pref("devtools.browserconsole.filterContentMessages", false); pref("devtools.debugger.log-actions", false); pref("devtools.inspector.inactive.css.enabled", false); pref("devtools.netmonitor.requestBodyLimit", 1048576); pref("devtools.webconsole.input.autocomplete", true); pref("dom.file.createInChild", false); pref("dom.ipc.cancel_content_js_when_navigating", false); pref("dom.keyboardevent.keypress.hack.dispatch_non_printable_keys.addl", ""); pref("dom.keyboardevent.keypress.hack.use_legacy_keycode_and_charcode.addl", ""); pref("dom.largeAllocation.forceEnable", false); pref("dom.link.disabled_attribute.enabled", true); pref("dom.metaElement.setCookie.allowed", false); pref("dom.mouseevent.click.hack.use_legacy_non-primary_dispatch", ""); pref("dom.presentation.testing.simulate-receiver", false); pref("dom.storage.snapshot_gradual_prefill", 4096); pref("dom.vr.process.enabled", true); pref("dom.window.open.noreferrer.enabled", true); pref("extensions.abuseReport.enabled", true); pref("extensions.abuseReport.url", "https://addons.mozilla.org/api/v4/abuse/report/addon/"); pref("extensions.cookiesBehavior.overrideOnTopLevel", false); pref("extensions.htmlaboutaddons.inline-options.enabled", true); pref("extensions.recommendations.privacyPolicyUrl", "https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=privacy-policy-link#addons"); pref("extensions.recommendations.themeRecommendationUrl", "https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-footer-link"); pref("fission.autostart", false); pref("fission.preserve_browsing_contexts", false); pref("fission.rebuild_frameloaders_on_remoteness_change", false); pref("font.size.monospace.ar", 13); pref("font.size.monospace.el", 13); pref("font.size.monospace.he", 13); pref("font.size.monospace.ja", 16); pref("font.size.monospace.ko", 16); pref("font.size.monospace.th", 13); pref("font.size.monospace.x-armn", 13); pref("font.size.monospace.x-beng", 13); pref("font.size.monospace.x-cans", 13); pref("font.size.monospace.x-cyrillic", 13); pref("font.size.monospace.x-devanagari", 13); pref("font.size.monospace.x-ethi", 13); pref("font.size.monospace.x-geor", 13); pref("font.size.monospace.x-gujr", 13); pref("font.size.monospace.x-guru", 13); pref("font.size.monospace.x-khmr", 13); pref("font.size.monospace.x-knda", 13); pref("font.size.monospace.x-math", 13); pref("font.size.monospace.x-mlym", 13); pref("font.size.monospace.x-orya", 13); pref("font.size.monospace.x-sinh", 13); pref("font.size.monospace.x-tamil", 13); pref("font.size.monospace.x-telu", 13); pref("font.size.monospace.x-tibt", 13); pref("font.size.monospace.x-unicode", 13); pref("font.size.monospace.x-western", 13); pref("font.size.monospace.zh-CN", 16); pref("font.size.monospace.zh-HK", 16); pref("font.size.monospace.zh-TW", 16); pref("gfx.direct3d11.use-double-buffering", false); pref("gfx.logging.slow-frames.enabled", false); pref("gfx.webrender.split-render-roots", false); pref("intl.hyphenate-capitalized.de-1901", true); pref("intl.hyphenate-capitalized.de-1996", true); pref("intl.hyphenate-capitalized.de-CH", true); pref("javascript.options.experimental.await_fix", false); pref("javascript.options.mem.nursery.min_kb", 256); pref("layout.css.line-height-moz-block-height.content.enabled", false); pref("layout.css.resizeobserver.enabled", false); pref("layout.css.shared-memory-ua-sheets.enabled", false); pref("layout.css.simple-moz-gradient.enabled", true); pref("layout.css.webkit-line-clamp.enabled", true); pref("media.audiograph.single_thread.enabled", false); pref("media.cache_readahead_limit.cellular", 30); pref("media.cache_resume_threshold.cellular", 10); pref("media.cache_size.cellular", 32768); pref("media.devices.insecure.enabled", true); pref("media.getusermedia.insecure.enabled", false); pref("media.videocontrols.picture-in-picture.enabled", false); pref("media.videocontrols.picture-in-picture.video-toggle.enabled", false); pref("media.videocontrols.picture-in-picture.video-toggle.flyout-enabled", false); pref("media.videocontrols.picture-in-picture.video-toggle.flyout-wait-ms", 5000); pref("network.cookie.staleThreshold", 60); pref("network.delay.tracking.load", 0); pref("network.dns.resolver_shutdown_timeout_ms", 2000); pref("network.http.enforce-framing.strict_chunked_encoding", true); pref("network.protocol-handler.external.ie.http", false); pref("network.protocol-handler.external.iehistory", false); pref("network.protocol-handler.external.ierss", false); pref("network.ssl_tokens_cache_capacity", 2048); pref("network.ssl_tokens_cache_enabled", false); pref("network.traffic_analyzer.enabled", true); pref("network.trr.excluded-domains", "localhost,local"); pref("network.trr.resolvers", "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" }]"); pref("privacy.annotate_channels.strict_list.enabled", false); pref("privacy.file_unique_origin", true); pref("privacy.storagePrincipal.enabledForTrackers", false); pref("privacy.trackingprotection.origin_telemetry.enabled", false); pref("remote.enabled", false); pref("remote.force-local", true); pref("remote.log.level", "Info"); pref("security.tls.enable_post_handshake_auth", false); pref("services.settings.security.onecrl.bucket", "security-state"); pref("services.settings.security.onecrl.checked", 0); pref("services.settings.security.onecrl.collection", "onecrl"); pref("services.settings.security.onecrl.signer", "onecrl.content-signature.mozilla.org"); pref("services.sync.prefs.dangerously_allow_arbitrary", false); pref("services.sync.prefs.sync.browser.contentblocking.features.strict", true); pref("signon.management.page.enabled", false); pref("signon.showAutoCompleteOrigins", false); pref("telemetry.origin_telemetry_test_mode.enabled", false); pref("toolkit.content-background-hang-monitor.disabled", false); pref("toolkit.telemetry.ecosystemtelemetry.enabled", false); pref("ui.android.mouse_as_touch", 1); pref("xul.panel-animations.enabled", true); ``` ==REMOVED or HIDDEN ```js pref("browser.newtabpage.activity-stream.darkModeMessage", false); pref("browser.newtabpage.activity-stream.discoverystream.optOut.0", false); pref("browser.security.newcerterrorpage.enabled", true); pref("devtools.aboutdebugging.network", false); pref("devtools.aboutdebugging.showSystemAddons", false); pref("devtools.aboutdebugging.wifi", false); pref("devtools.inspector.flexboxHighlighter.combine", false); pref("devtools.recordreplay.timeline.enabled", false); pref("extensions.webextensions.themes.icons.buttons", "back,forward,reload,stop,bookmark_star,bookmark_menu,downloads,home,app_menu,cut,copy,paste,new_window,new_private_window,save_page,print,history,full_screen,find,options,addons,developer,synced_tabs,open_file,sidebars,share_page,subscribe,text_encoding,email_link,forget,pocket"); pref("extensions.webextensions.themes.icons.enabled", false); pref("features.normandy-remote-settings.enabled", false); pref("font.size.fixed.ar", 13); pref("font.size.fixed.el", 13); pref("font.size.fixed.he", 13); pref("font.size.fixed.ja", 16); pref("font.size.fixed.ko", 16); pref("font.size.fixed.th", 13); pref("font.size.fixed.x-armn", 13); pref("font.size.fixed.x-beng", 13); pref("font.size.fixed.x-cans", 13); pref("font.size.fixed.x-cyrillic", 13); pref("font.size.fixed.x-devanagari", 13); pref("font.size.fixed.x-ethi", 13); pref("font.size.fixed.x-geor", 13); pref("font.size.fixed.x-gujr", 13); pref("font.size.fixed.x-guru", 13); pref("font.size.fixed.x-khmr", 13); pref("font.size.fixed.x-knda", 13); pref("font.size.fixed.x-math", 13); pref("font.size.fixed.x-mlym", 13); pref("font.size.fixed.x-orya", 13); pref("font.size.fixed.x-sinh", 13); pref("font.size.fixed.x-tamil", 13); pref("font.size.fixed.x-telu", 13); pref("font.size.fixed.x-tibt", 13); pref("font.size.fixed.x-unicode", 13); pref("font.size.fixed.x-western", 13); pref("font.size.fixed.zh-CN", 16); pref("font.size.fixed.zh-HK", 16); pref("font.size.fixed.zh-TW", 16); pref("gfx.webrender.debug.texture-cache.disable-shrink", false); pref("gfx.webrender.program-binary", true); pref("image.animated.generate-full-frames", true); pref("layout.css.prefixes.gradients", true); pref("lightweightThemes.recommendedThemes", "[{\"id\":\"recommended-1\",\"homepageURL\":\"https://addons.mozilla.org/firefox/addon/a-web-browser-renaissance/\",\"headerURL\":\"resource:///chrome/browser/content/browser/defaultthemes/1.header.jpg\",\"textcolor\":\"#000000\",\"accentcolor\":\"#834d29\",\"iconURL\":\"resource:///chrome/browser/content/browser/defaultthemes/1.icon.jpg\",\"previewURL\":\"resource:///chrome/browser/content/browser/defaultthemes/1.preview.jpg\",\"author\":\"Sean.Martell\",\"version\":\"0\"},{\"id\":\"recommended-2\",\"homepageURL\":\"https://addons.mozilla.org/firefox/addon/space-fantasy/\",\"headerURL\":\"resource:///chrome/browser/content/browser/defaultthemes/2.header.jpg\",\"textcolor\":\"#ffffff\",\"accentcolor\":\"#d9d9d9\",\"iconURL\":\"resource:///chrome/browser/content/browser/defaultthemes/2.icon.jpg\",\"previewURL\":\"resource:///chrome/browser/content/browser/defaultthemes/2.preview.jpg\",\"author\":\"fx5800p\",\"version\":\"1.0\"},{\"id\":\"recommended-4\",\"homepageURL\":\"https://addons.mozilla.org/firefox/addon/pastel-gradient/\",\"headerURL\":\"resource:///chrome/browser/content/browser/defaultthemes/4.header.png\",\"textcolor\":\"#000000\",\"accentcolor\":\"#000000\",\"iconURL\":\"resource:///chrome/browser/content/browser/defaultthemes/4.icon.png\",\"previewURL\":\"resource:///chrome/browser/content/browser/defaultthemes/4.preview.png\",\"author\":\"darrinhenein\",\"version\":\"1.0\"}]"); pref("lightweightThemes.selectedThemeID", "default-theme@mozilla.org"); pref("media.peerconnection.capture_delay", 50); pref("network.cookie.same-site.enabled", true); pref("performance.adjust_to_machine", false); pref("performance.low_end_machine", false); pref("prio.enabled", false); pref("security.signed_content.CSP.default", "script-src 'self'; style-src 'self'"); pref("services.blocklist.onecrl.checked", 0); pref("services.blocklist.onecrl.collection", "certificates"); pref("services.blocklist.onecrl.signer", "onecrl.content-signature.mozilla.org"); pref("services.settings.changes.path", "/buckets/monitor/collections/changes/records"); pref("services.settings.default_signer", "remote-settings.content-signature.mozilla.org"); pref("services.sync.prefs.sync.browser.safebrowsing.downloads.enabled", true); pref("services.sync.prefs.sync.browser.safebrowsing.malware.enabled", true); pref("services.sync.prefs.sync.browser.safebrowsing.passwords.enabled", true); pref("services.sync.prefs.sync.browser.safebrowsing.phishing.enabled", true); pref("services.sync.prefs.sync.extensions.personas.current", true); pref("services.sync.prefs.sync.lightweightThemes.selectedThemeID", true); pref("services.sync.prefs.sync.lightweightThemes.usedThemes", true); pref("services.sync.prefs.sync.pref.advanced.images.disable_button.view_image", true); pref("services.sync.prefs.sync.pref.advanced.javascript.disable_button.advanced", true); pref("services.sync.prefs.sync.security.OCSP.enabled", true); pref("services.sync.prefs.sync.security.OCSP.require", true); pref("services.sync.prefs.sync.security.tls.version.max", true); pref("services.sync.prefs.sync.security.tls.version.min", true); pref("services.sync.prefs.sync.xpinstall.whitelist.required", true); pref("webgl.bypass-shader-validation", false); ``` ==CHANGED ```js pref("browser.history.maxStateObjectSize", 2097152); // prev: 655360 pref("browser.newtabpage.activity-stream.asrouter.providers.cfr", "{\"id\":\"cfr\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"cfr\",\"frequency\":{\"custom\":[{\"period\":\"daily\",\"cap\":1}]},\"categories\":[\"cfrAddons\",\"cfrFeatures\"],\"updateCycleInMs\":3600000}"); // prev: "{\"id\":\"cfr\",\"enabled\":true,\"type\":\"local\",\"localProvider\":\"CFRMessageProvider\",\"frequency\":{\"custom\":[{\"period\":\"daily\",\"cap\":1}]},\"categories\":[\"cfrAddons\",\"cfrFeatures\"]}" pref("browser.newtabpage.activity-stream.discoverystream.config", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"collapsible\":true,\"enabled\":false,\"show_spocs\":false,\"hardcoded_layout\":true,\"personalized\":false,\"layout_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic\"}"); // prev: "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"enabled\":false,\"show_spocs\":false,\"layout_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic\"}" pref("browser.newtabpage.activity-stream.telemetry.structuredIngestion", true); // prev: false pref("browser.tabs.unloadOnLowMemory", false); // prev: true pref("browser.urlbar.quantumbar", true); // prev: false pref("devtools.debugger.prefs-schema-version", "1.0.9"); // prev: "1.0.0" pref("devtools.netmonitor.har.defaultFileName", "%hostname_Archive [%date]"); // prev: "Archive %date" pref("dom.vr.external.enabled", true); // prev: false pref("dom.vr.openvr.action_input", true); // prev: false pref("dom.xhr.standard_content_type_normalization", true); // prev: false pref("extensions.htmlaboutaddons.enabled", true); // prev: false pref("extensions.webextensions.performanceCountersMaxAge", 5000); // prev: 1000 pref("extensions.webextensions.userScripts.enabled", true); // prev: false pref("javascript.options.bigint", true); // prev: false pref("layout.css.scroll-snap-v1.enabled", true); // prev: false pref("layout.css.scroll-snap.enabled", false); // prev: true pref("layout.scroll.root-frame-containers", false); // prev: 0 pref("network.trr.wait-for-portal", false); // prev: true pref("privacy.trackingprotection.cryptomining.annotate.enabled", true); // prev: false pref("privacy.trackingprotection.fingerprinting.annotate.enabled", true); // prev: false pref("prompts.authentication_dialog_abuse_limit", 2); // prev: 3 pref("urlclassifier.trackingAnnotationTable", "test-track-simple,ads-track-digest256,social-track-digest256,analytics-track-digest256,content-track-digest256"); // prev: "test-track-simple,base-track-digest256" ```