nix-config/home/browsers/firefox/arkenfox/0700.nix

{
  /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
  /* 0701: disable IPv6
   * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even
   * assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4
   * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6
   * [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an
   * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
   * then this won't make much difference. If you are masking your IP, then it can only help.
   * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
   * [TEST] https://ipleak.org/
   * [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
  "network.dns.disableIPv6" = true;
  /* 0702: disable HTTP2
   * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
   * enhance privacy, and opens up a number of server-side fingerprinting opportunities.
   * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
   * [STATS] ~46% of sites (July 2021) [5]
   * [1] https://http2.github.io/faq/
   * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
   * [3] https://http2.github.io/http2-spec/#rfc.section.10.8
   * [4] https://queue.acm.org/detail.cfm?id=2716278
   * [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/
  #   // user_pref("network.http.spdy.enabled", false);
  #   // user_pref("network.http.spdy.enabled.deps", false);
  #   // user_pref("network.http.spdy.enabled.http2", false);
  #   // user_pref("network.http.spdy.websockets", false); // [FF65+]
  /* 0703: disable HTTP Alternative Services [FF37+]
   * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
   * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
   * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
   * [1] https://tools.ietf.org/html/rfc7838#section-9
   * [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
  "network.http.altsvc.enabled" = false;
  "network.http.altsvc.oe" = false;
  /* 0704: set the proxy server to do any DNS lookups when using SOCKS
   * e.g. in Tor, this stops your local DNS server from knowing your Tor destination
   * as a remote Tor node will handle the DNS request
   * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
  "network.proxy.socks_remote_dns" = true;
  /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
   * [SETUP-CHROME] Can break extensions for profiles on network shares
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
  "network.file.disable_unc_paths" = true;  # [HIDDEN PREF]
  /* 0710: disable GIO as a potential proxy bypass vector
   * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
   * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
   * [1] https://bugzilla.mozilla.org/1433507
   * [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044
   * [3] https://en.wikipedia.org/wiki/GVfs
   * [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
  "network.gio.supported-protocols" = "";  # [HIDDEN PREF]
}
initial commit 2022-01-18 09:32:55 +01:00			`{`
			`/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/`
			`/* 0701: disable IPv6`
			`* IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even`
			`* assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4`
			`* [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6`
			`* [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an`
			`* OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,`
			`* then this won't make much difference. If you are masking your IP, then it can only help.`
			`* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"`
			`* [TEST] https://ipleak.org/`
			`* [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/`
			`"network.dns.disableIPv6" = true;`
			`/* 0702: disable HTTP2`
			`* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to`
			`* enhance privacy, and opens up a number of server-side fingerprinting opportunities.`
			`* [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites`
			`* [STATS] ~46% of sites (July 2021) [5]`
			`* [1] https://http2.github.io/faq/`
			`* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html`
			`* [3] https://http2.github.io/http2-spec/#rfc.section.10.8`
			`* [4] https://queue.acm.org/detail.cfm?id=2716278`
			`* [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/`
			`# // user_pref("network.http.spdy.enabled", false);`
			`# // user_pref("network.http.spdy.enabled.deps", false);`
			`# // user_pref("network.http.spdy.enabled.http2", false);`
			`# // user_pref("network.http.spdy.websockets", false); // [FF65+]`
			`/* 0703: disable HTTP Alternative Services [FF37+]`
			`* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) AND you understand the`
			`* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,`
			`* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.`
			`* [1] https://tools.ietf.org/html/rfc7838#section-9`
			`* [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/`
			`"network.http.altsvc.enabled" = false;`
			`"network.http.altsvc.oe" = false;`
			`/* 0704: set the proxy server to do any DNS lookups when using SOCKS`
			`* e.g. in Tor, this stops your local DNS server from knowing your Tor destination`
			`* as a remote Tor node will handle the DNS request`
			`* [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/`
			`"network.proxy.socks_remote_dns" = true;`
			`/* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]`
			`* [SETUP-CHROME] Can break extensions for profiles on network shares`
			`* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/`
			`"network.file.disable_unc_paths" = true; # [HIDDEN PREF]`
			`/* 0710: disable GIO as a potential proxy bypass vector`
			`* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,`
			`* gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)`
			`* [1] https://bugzilla.mozilla.org/1433507`
			`* [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044`
			`* [3] https://en.wikipedia.org/wiki/GVfs`
			`* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/`
			`"network.gio.supported-protocols" = ""; # [HIDDEN PREF]`
			`}`