intika / Librefox

Librefox: Firefox with privacy enhancements
https://librefox.org
Mozilla Public License 2.0
1.72k stars 89 forks source link

Adapting & fixing core settings #53

Open intika opened 5 years ago

intika commented 5 years ago

Following https://github.com/intika/Librefox/issues/34 many settings have to be defaulted to a different value while leaving the choice for the user... Here are some pro developer feedback for Librefox

Eloston

What do you think made ungoogled-chromium successful ?

"Success" is a pretty broad term. I will assume you define "success" based on the number of users, what users say about the project, and the kinds of bug reports this project receives. In that case, there are several points I can note (in no particular order of importance):

Also one thing, a lot of people asked me about mozilla trademark (Firefox) while i was disturbing a patched version it's curious that uc did not face this problem, i guess google folks are more permissive.

This project is not widely known, and people aren't confusing it with the trademarked Chrome and Chromium. If it becomes an issue, then I'll be fine with changing it.

Do you have any advice/comments regarding the direction of my project ?

I don't know much about Firefox, so I can't give you any specific advice. Hopefully my comments on what made this project successful will help you too. Regardless, I am glad that my project has inspired you to create Librefox. I wish you luck with it!

Moonchild

Pants

Also, already looked at, but need to re review for new version

/* ALREADY COVERED: by master pref extensions.pocket.enabled ***/
    extensions.pocket.api                                                ""
    extensions.pocket.oAuthConsumerKey                                   ""
    extensions.pocket.site                                               ""
/* INFO URLS ETC: require user interaction (e.g Help>Submit Feedback) ***/
    app.feedback.baseURL                                                 ""
    app.releaseNotesURL                                                  ""
    browser.contentblocking.reportBreakage.url                           ""
    datareporting.healthreport.infoURL                                   ""
    toolkit.crashreporter.infoURL                                        ""
    toolkit.telemetry.infoURL                                            ""
    privacy.trackingprotection.introURL                                  ""
/* DEFAULT IS SAME
   this is generally a bad idea: if FF disables something due to a security concern, the
   end user who doesn't keep up to date with changes 
   (IF you do them) is now fucked over) ***/
    browser.offline-apps.notify                                          true
    browser.safebrowsing.passwords.enabled                               false
    html5.offmainthread                                                  true
    security.sri.enable                                                  true
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256                         true
    security.ssl3.ecdhe_ecdsa_aes_256_sha                                true
    security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256                   true
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256                           true
    security.ssl3.ecdhe_rsa_aes_256_sha                                  true
    security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256                     true
/* NOT PRIVACY etc related ***/
[i] browser.download.animateNotifications                                false
    browser.tabs.closeTabByDblclick                                      true
/* covered by dom.enable_performance (& also RFP) ***/
    dom.enable_performance_navigation_timing                             false
/* is only exposed to chrome 
   ( https://trac.torproject.org/projects/tor/ticket/27268#comment:2 ) ***/
    dom.mozTCPSocket.enabled                                             false
/* only used in a single test ***/
    browser.formfill.expire_days                                         0
/* specifically removed because people don't understand it 
   (and we don't want to encourage Tor over FF) ***/
[i] network.dns.blockDotOnion                                            true
Thorin-Oakenpants commented 5 years ago

There was a lot more, but I stopped. It'll be up to you guys to sort it out. And I agree with most of what Moonchild says. I've been over most of these several times before, including rejecting many of them or proposed values when suggested (the prefs as well as some of moonchlld's observations).

But also Moonchild is coming from a perspective that things shouldn't break. The ghacks user.js he probably thinks as well is an "insane configuration". But this is a niche product (and you better TELL people that and WARN them and provide a CHECKLIST etc because IMO some of these prefs and settings are insane). Ours is also a niche, but more gentle, product - with tags built in to flip things, an updater, a full on wiki, recommended and tested extensions, and four plus years of knowledge and testing and code digging etc. You're welcome to drawn on that and keep in contact.

That's it really. Decide your target market, make it clear to users who that is, warn them of all the dangers and breakage - every single one (e.g extensions are not updated), and provide the support for users to make changes and understand wtf just happened

Good luck :)

elypter commented 5 years ago

That's it really. Decide your target market, make it clear to users who that is.

it's important to know what the audience is and what audience the browser is targeted at. and it is important to communicate the priorities. something like whether it is: security>privacy>usability>maintainability or maintainability>privacy>security>usability this makes the project consistent and avoids confusion what later seeds conflicts in larger projects. this all said, it should also be avoided to artificially constrain the project by the prime objective but only if a compromise is unavoidable.

wolfbeast commented 5 years ago

@Thorin-Oakenpants I actually only lifted out the ones that are severely breaking - I didn't comment on any that would be a good choice for this product with some breakage, but as you said yourself it breaks left right and center, as well as a number of things that aren't directly exposed to the user but do break under the hood (e.g. OCSP and blocklisting). I don't think most of what is done is insane, but some things that are done are clearly wrong either out of ignorance or because things haven't really been thought through before changing the settings. Some things should simply not be forced differently because all they do is break stuff with no benefit.

@intika : I understand you want to prevent calling home as much as possible, so from my own experience and the same desire for Pale Moon, here are some things to consider to improve without adding more exposure to mozilla:

Other things are entirely at your discretion and a balance between functionality and privacy. It'll be up to you to determine where you want Librefox to stand in that case.

Thorin-Oakenpants commented 5 years ago

@wolfbeast

I understand you want to prevent calling home as much as possible

since the post was @ me, I just want to clarify that this is not what I or the ghacks user.js aims for. If it doesn't impact security or privacy then I leave it alone (but may provide options). Some people don't understand what privacy actually means

Thorin-Oakenpants commented 5 years ago

Enable Windows jumplists

you (librefox) need to distinguish between different threat levels. There's shoulder surfers vs persistent local storage (you would need to be compromised locally) vs external etc

I actually only lifted out the ones that are severely breaking

I know. There's way more. One of my initial quick checks revealed a load of deprecated prefs (this is FF60+base) and overall, as intika has said to me elsewhere, it was more of a personal project with his settings .. but enough on that .. I think everyone can agree that the ship needs a little steering :)

Thorin-Oakenpants commented 5 years ago

an example

Enable IPv6

After 3.5 years of NOT disabling ip6 .. I did (in the ghacks user.js). I did this after user feedback. I also including setup tags, etc ... and we weighed up the pros and cons - it doesn't break anything AFAIK, and most people worldwide can;t even use it ... and it something that should be handled on a network level ...

but it is a privacy/tracking risk, and it can compromise VPNs (when not set up correctly), etyc .. but that information is in our single point of reference .. the user.js itself .. knowledge is power

so we flipped it, after *really** thinking about it, after consulting users, and built in fallbacks for end users

^^ this is what the llibrefox project faces. Its not easy throwing 200 or 300 changes to prefs (a lot are enforcing defaults) ... I have about 90 odd (out of 450+ in FF60+) that break something - whether that be UI behavior or web sites or performance ... and the permutations of 90 items is astronomical .. which is why its so important to outlay expectations, provide info and an easy way to get to it and decipher it, etc

I'll stop now .. time for something else

wolfbeast commented 5 years ago

@Thorin-Oakenpants Apologies for not being clear. only the first paragraph was directed at you, the rest was directed at the Librefox project maintainer(s).

elypter commented 5 years ago

so one question that has to be answered is "what priority does local privacy have?" imo it's on a whole other level. once an intruder already has control over the system he can do basically anything. there are endless threat models and every counter measure can theoretically be reversed by an adversary. once an attacker is in the system there is no such thing as real scurity. al you can do is make low hanging fruits less low hanging. protecting against this is a sisyphus task. so i personally think it should have lower priority and it's mostly other softwares job anyway.