54 lines
3.4 KiB
Nix
54 lines
3.4 KiB
Nix
{
|
|
/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
|
|
/* 0701: disable IPv6
|
|
* IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even
|
|
* assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4
|
|
* [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6
|
|
* [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an
|
|
* OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
|
|
* then this won't make much difference. If you are masking your IP, then it can only help.
|
|
* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
|
|
* [TEST] https://ipleak.org/
|
|
* [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
|
|
"network.dns.disableIPv6" = true;
|
|
/* 0702: disable HTTP2
|
|
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
|
|
* enhance privacy, and opens up a number of server-side fingerprinting opportunities.
|
|
* [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
|
|
* [STATS] ~46% of sites (July 2021) [5]
|
|
* [1] https://http2.github.io/faq/
|
|
* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
|
|
* [3] https://http2.github.io/http2-spec/#rfc.section.10.8
|
|
* [4] https://queue.acm.org/detail.cfm?id=2716278
|
|
* [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/
|
|
# // user_pref("network.http.spdy.enabled", false);
|
|
# // user_pref("network.http.spdy.enabled.deps", false);
|
|
# // user_pref("network.http.spdy.enabled.http2", false);
|
|
# // user_pref("network.http.spdy.websockets", false); // [FF65+]
|
|
/* 0703: disable HTTP Alternative Services [FF37+]
|
|
* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
|
|
* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
|
|
* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
|
|
* [1] https://tools.ietf.org/html/rfc7838#section-9
|
|
* [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
|
|
"network.http.altsvc.enabled" = false;
|
|
"network.http.altsvc.oe" = false;
|
|
/* 0704: set the proxy server to do any DNS lookups when using SOCKS
|
|
* e.g. in Tor, this stops your local DNS server from knowing your Tor destination
|
|
* as a remote Tor node will handle the DNS request
|
|
* [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
|
|
"network.proxy.socks_remote_dns" = true;
|
|
/* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
|
|
* [SETUP-CHROME] Can break extensions for profiles on network shares
|
|
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
|
|
"network.file.disable_unc_paths" = true; # [HIDDEN PREF]
|
|
/* 0710: disable GIO as a potential proxy bypass vector
|
|
* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
|
|
* gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
|
|
* [1] https://bugzilla.mozilla.org/1433507
|
|
* [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044
|
|
* [3] https://en.wikipedia.org/wiki/GVfs
|
|
* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
|
|
"network.gio.supported-protocols" = ""; # [HIDDEN PREF]
|
|
}
|