{
  /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
    The TLS parameters a client offers (versions, cipher suites, extensions) are visible to
    the server and feed server-side fingerprinting (JA3 and similar), so anything marked
    [WARNING] below is deliberately left at its default. Prefs that are NOT applied are kept
    as commented-out attributes so the section stays aligned with the upstream numbering.
    [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html
    [TEST] https://browserleaks.com/ssl
    [TEST] https://ja3er.com/
    [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
  ***/

  /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/

  /* 1201: require safe negotiation
   * Refuse connections (SSL_ERROR_UNSAFE_NEGOTIATION) to servers without RFC 5746 [2], since
   * they are potentially exposed to the renegotiation MiTM in [3]. A server lacking RFC 5746
   * may still be safe if it has renegotiation switched off, but the client cannot tell that;
   * setting this to true is the only client-side guarantee that the channel sees no unsafe
   * renegotiation.
   * [STATS] SSL Labs (July 2021): over 99% of sites support secure renegotiation [4]
   * [1] https://wiki.mozilla.org/Security:Renegotiation
   * [2] https://tools.ietf.org/html/rfc5746
   * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
   * [4] https://www.ssllabs.com/ssl-pulse/
   ***/
  "security.ssl.require_safe_negotiation" = true;

  /* 1202: control TLS versions with min and max
   * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
   * [WARNING] Leave these at default; changing them alters your TLS fingerprint.
   * [1] https://www.ssllabs.com/ssl-pulse/
   ***/
  # "security.tls.version.min" = 3; # [DEFAULT: 3]
  # "security.tls.version.max" = 4;

  /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/
  "security.tls.version.enable-deprecated" = false; # [DEFAULT: false]

  /* 1204: disable SSL session tracking [FF36+]
   * SSL session IDs are unique and live up to 24h in Firefox (longer under prolongation
   * attacks). [NOTE] Not used in PB mode; in normal windows they are isolated by FPI (4001)
   * and/or containers, and from FF85+ by default (privacy.partition.network_state).
   * [WARNING] Costs performance and adds a passive fingerprinting signal for little to no
   * gain: it does not address IPs and does nothing to sanitize identifiers already issued.
   * [1] https://tools.ietf.org/html/rfc5077
   * [2] https://bugzilla.mozilla.org/967977
   * [3] https://arxiv.org/abs/1810.07304
   ***/
  # "security.ssl.disable_session_identifiers" = true; # [HIDDEN PREF]

  /* 1206: disable TLS 1.3 0-RTT (round-trip time) early data [FF51+]
   * [1] https://github.com/tlswg/tls13-spec/issues/1001
   * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
   ***/
  "security.tls.enable_0rtt_data" = false;

  /** OCSP (Online Certificate Status Protocol)
    [1] https://scotthelme.co.uk/revocation-is-broken/
    [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  ***/

  /* 1211: control when OCSP fetching is used (to confirm a cert is currently valid)
   * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
   * A non-stapled OCSP fetch tells the CA which sites you visit, so this trades privacy
   * (leaking to the CA) against security (actually checking revocation).
   * [NOTE] Only governs OCSP fetching; OCSP stapling is unaffected.
   * [1] https://en.wikipedia.org/wiki/Ocsp
   ***/
  "security.OCSP.enabled" = 1;

  /* 1212: make OCSP fetch failures (non-stapled, see 1211) hard-fail [SETUP-WEB]
   * By default an unreachable CA is ignored and the connection proceeds (soft-fail);
   * with this set to true the connection is terminated instead (hard-fail).
   * Soft-failing defeats the purpose: an unanswered fetch means the cert's validity is
   * unconfirmed (it may be revoked) and/or the OCSP responder is being deliberately
   * blocked as part of an attack.
   * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
   * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html
   ***/
  "security.OCSP.require" = true;

  /** CERTS / HPKP (HTTP Public Key Pinning) ***/

  /* 1220: disable or limit SHA-1 certificates
   * 0=all SHA1 certs are allowed
   * 1=all SHA1 certs are blocked
   * 2=deprecated option that now maps to 1
   * 3=only allowed for locally-added roots (e.g. anti-virus)
   * 4=only allowed for locally-added roots or for certs issued in 2015 and earlier
   * [SETUP-CHROME] With SHA-1 blocked, some man-in-the-middle devices (e.g. security
   * scanners and antivirus products) may fail to connect to HTTPS sites. SHA-1 is *almost*
   * obsolete.
   * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
   ***/
  "security.pki.sha1_enforcement_level" = 1;

  /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
   * 0=disable detecting Family Safety mode and importing the root
   * 1=only attempt to detect Family Safety mode (don't import the root)
   * 2=detect Family Safety mode and import the root
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686
   ***/
  "security.family_safety.mode" = 0;

  /* 1222: disable intermediate certificate caching (fingerprinting vector) [FF41+] [RESTART]
   * [NOTE] Affects the login/cert/key databases: every credential becomes session-only and
   * saved logins/passwords are unavailable. Reset the pref and restart to get them back.
   * [1] https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/
   ***/
  # "security.nocertdb" = true; # [HIDDEN PREF]

  /* 1223: enable strict pinning
   * PKP (Public Key Pinning) 0=disabled, 1=allow user MiTM (such as your antivirus), 2=strict
   * [SETUP-WEB] If an AV (antivirus) inspects ALL your web traffic, keep the default of 1.
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206
   ***/
  "security.cert_pinning.enforcement_level" = 2;

  /* 1224: enable CRLite [FF73+]
   * From FF84+ it covers valid certs, and in mode 2 it does not fall back to OCSP.
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985
   * [2] https://blog.mozilla.org/security/tag/crlite/
   ***/
  "security.remote_settings.crlite_filters.enabled" = true;
  "security.pki.crlite_mode" = 2;

  /** MIXED CONTENT ***/

  /* 1240: enforce no insecure active content on https pages
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21323
   ***/
  "security.mixed_content.block_active_content" = true; # [DEFAULT: true]

  /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/
  "security.mixed_content.block_display_content" = true;

  /* 1244: enable HTTPS-Only mode [FF76+]
   * With "https_only_mode" (all windows) true, "https_only_mode_pbm" (private windows only)
   * is ignored.
   * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily
   * [SETTING] Privacy & Security>HTTPS-Only Mode
   * [TEST] http://example.com [upgrade]
   * [TEST] http://neverssl.org/ [no upgrade]
   * [1] https://bugzilla.mozilla.org/1613063 [META]
   ***/
  "dom.security.https_only_mode" = true; # [FF76+]
  # "dom.security.https_only_mode_pbm" = true; # [FF80+]

  /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
  # "dom.security.https_only_mode.upgrade_local" = true;

  /* 1246: disable HTTP background requests [FF82+]
   * During an upgrade attempt, if the server has not answered within 3 seconds Firefox
   * issues plain-HTTP requests to probe whether the host supports HTTPS at all, to avoid
   * sitting on a 90-second timeout. Disabling keeps the probe off the wire.
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945
   ***/
  "dom.security.https_only_mode_send_http_background_request" = false;

  /* 1247: treat .onion as a secure context [FF60+] [TOR]
   * [NOTE] Firefox cannot reach .onion sites by default; using Tor Browser is strongly
   * recommended instead.
   * [1] https://bugzilla.mozilla.org/1382359
   ***/
  # "dom.securecontext.whitelist_onions" = true;

  /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro]
    These are the suites listed under "Cipher Suites" [1] that still rely on SHA-1 and CBC,
    and/or lack Perfect Forward Secrecy [3], and/or have other weaknesses such as 128-bit keys.
    [1] https://browserleaks.com/ssl
    [2] https://en.wikipedia.org/wiki/Key_size
    [3] https://en.wikipedia.org/wiki/Forward_secrecy
  ***/

  /* 1261: disable 3DES (effective key size < 128 and no PFS)
   * [1] https://en.wikipedia.org/wiki/3des#Security
   * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
   * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
   ***/
  # "security.ssl3.rsa_des_ede3_sha" = false;

  /* 1264: disable the remaining non-modern cipher suites as of FF78 (in FF's preference order) ***/
  # "security.ssl3.ecdhe_ecdsa_aes_256_sha" = false;
  # "security.ssl3.ecdhe_ecdsa_aes_128_sha" = false;
  # "security.ssl3.ecdhe_rsa_aes_128_sha" = false;
  # "security.ssl3.ecdhe_rsa_aes_256_sha" = false;
  # "security.ssl3.rsa_aes_128_gcm_sha256" = false; # no PFS
  # "security.ssl3.rsa_aes_256_gcm_sha384" = false; # no PFS
  # "security.ssl3.rsa_aes_128_sha" = false; # no PFS
  # "security.ssl3.rsa_aes_256_sha" = false; # no PFS

  /** UI (User Interface) ***/

  /* 1270: show a "broken security" warning on the padlock (relevant if 1201 is false)
   * Bug: the warning padlock is not shown for subresources on a secure page [2]
   * [1] https://wiki.mozilla.org/Security:Renegotiation
   * [2] https://bugzilla.mozilla.org/1353705
   ***/
  "security.ssl.treat_unsafe_negotiation_as_broken" = true;

  /* 1271: control the "Add Security Exception" dialog on SSL warnings
   * 0=do neither, 1=pre-populate url, 2=pre-populate url + pre-fetch cert (default)
   * [1] https://github.com/pyllyukko/user.js/issues/210
   ***/
  "browser.ssl_override_behavior" = 1;

  /* 1272: show advanced information on Insecure Connection warning pages
   * Only takes effect where an exception could be added, so it does nothing for HSTS
   * discrepancies (https://subdomain.preloaded-hsts.badssl.com/).
   * [TEST] https://expired.badssl.com/
   ***/
  "browser.xul.error_pages.expert_bad_cert" = true;

  /* 1273: show the "insecure" icon and "Not Secure" text on HTTP sites ***/
  # "security.insecure_connection_icon.enabled" = true; # [FF59+] [DEFAULT: true]
  "security.insecure_connection_text.enabled" = true; # [FF60+]
}