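{
  # Firefox preference overrides as a Nix attribute set: each attribute name is
  # a Firefox pref and its value is the bool/int that pref takes. This is
  # section 1200 (HTTPS / TLS / OCSP / certs / mixed content / ciphers / UI) of
  # a user.js-style pref list; the item numbers and tags such as [SETUP-WEB]
  # and [FFnn+] follow that layout. Lines kept as `# // user_pref(...)` are the
  # upstream entries that are NOT applied here (left at Firefox defaults or
  # deliberately disabled); the reason is given in the comment above each one.
  # NOTE(review): presumably a port of the arkenfox user.js consumed through a
  # Firefox `settings`-style option — confirm against the importing module.

  /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
     Your cipher and other settings can be used in server-side fingerprinting
     [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html
     [TEST] https://browserleaks.com/ssl
     [TEST] https://ja3er.com/
     [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
  ***/

  /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/

  /* 1201: require safe negotiation
   * Blocks connections (SSL_ERROR_UNSAFE_NEGOTIATION) to servers that don't support RFC 5746 [2]
   * as they're potentially vulnerable to a MiTM attack [3]. A server without RFC 5746 can be
   * safe from the attack if it disables renegotiations but the problem is that the browser can't
   * know that. Setting this pref to true is the only way for the browser to ensure there will be
   * no unsafe renegotiations on the channel between the browser and the server.
   * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4]
   * [1] https://wiki.mozilla.org/Security:Renegotiation
   * [2] https://tools.ietf.org/html/rfc5746
   * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
   * [4] https://www.ssllabs.com/ssl-pulse/ ***/
  "security.ssl.require_safe_negotiation" = true;

  /* 1202: control TLS versions with min and max
   * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
   * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint.
   * [1] https://www.ssllabs.com/ssl-pulse/ ***/
  # // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
  # // user_pref("security.tls.version.max", 4);

  /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/
  "security.tls.version.enable-deprecated" = false; # [DEFAULT: false]

  /* 1204: disable SSL session tracking [FF36+]
   * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks)
   * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001)
   * and/or containers. In FF85+ they are isolated by default (privacy.partition.network_state)
   * [WARNING] There are perf and passive fingerprinting costs, for little to no gain. Preventing
   * tracking via this method does not address IPs, nor handle any sanitizing of current identifiers
   * [1] https://tools.ietf.org/html/rfc5077
   * [2] https://bugzilla.mozilla.org/967977
   * [3] https://arxiv.org/abs/1810.07304 ***/
  # // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]

  /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
   * [1] https://github.com/tlswg/tls13-spec/issues/1001
   * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
  "security.tls.enable_0rtt_data" = false;

  /** OCSP (Online Certificate Status Protocol)
     [1] https://scotthelme.co.uk/revocation-is-broken/
     [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  ***/

  /* 1211: control when to use OCSP fetching (to confirm current validity of certificates)
   * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
   * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
   * It's a trade-off between security (checking) and privacy (leaking info to the CA)
   * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
   * [1] https://en.wikipedia.org/wiki/Ocsp ***/
  "security.OCSP.enabled" = 1;

  /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail [SETUP-WEB]
   * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
   * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
   * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
   * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
   * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
   * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
  "security.OCSP.require" = true;

  /** CERTS / HPKP (HTTP Public Key Pinning) ***/

  /* 1220: disable or limit SHA-1 certificates
   * 0=all SHA1 certs are allowed
   * 1=all SHA1 certs are blocked
   * 2=deprecated option that now maps to 1
   * 3=only allowed for locally-added roots (e.g. anti-virus)
   * 4=only allowed for locally-added roots or for certs in 2015 and earlier
   * [SETUP-CHROME] When disabled, some man-in-the-middle devices (e.g. security scanners and
   * antivirus products) may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
   * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
  "security.pki.sha1_enforcement_level" = 1;

  /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
   * 0=disable detecting Family Safety mode and importing the root
   * 1=only attempt to detect Family Safety mode (don't import the root)
   * 2=detect Family Safety mode and import the root
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
  "security.family_safety.mode" = 0;

  /* 1222: disable intermediate certificate caching (fingerprinting attack vector) [FF41+] [RESTART]
   * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
   * Saved logins and passwords are not available. Reset the pref and restart to return them.
   * [1] https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/ ***/
  # // user_pref("security.nocertdb", true); // [HIDDEN PREF]

  /* 1223: enable strict pinning
   * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
   * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
   * by inspecting ALL your web traffic, then leave at current default=1
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/
  "security.cert_pinning.enforcement_level" = 2;

  /* 1224: enable CRLite [FF73+]
   * In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985
   * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
  "security.remote_settings.crlite_filters.enabled" = true;
  "security.pki.crlite_mode" = 2;

  /** MIXED CONTENT ***/

  /* 1240: enforce no insecure active content on https pages
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21323 ***/
  "security.mixed_content.block_active_content" = true; # [DEFAULT: true]

  /* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/
  "security.mixed_content.block_display_content" = true;

  /* 1244: enable HTTPS-Only mode [FF76+]
   * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored
   * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily
   * [SETTING] Privacy & Security>HTTPS-Only Mode
   * [TEST] http://example.com [upgrade]
   * [TEST] http://neverssl.org/ [no upgrade]
   * [1] https://bugzilla.mozilla.org/1613063 [META] ***/
  "dom.security.https_only_mode" = true; # [FF76+]
  # // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]

  /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
  # // user_pref("dom.security.https_only_mode.upgrade_local", true);

  /* 1246: disable HTTP background requests [FF82+]
   * When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox
   * sends HTTP requests in order to check if the server supports HTTPS or not.
   * This is done to avoid waiting for a timeout which takes 90 seconds
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
  "dom.security.https_only_mode_send_http_background_request" = false;

  /* 1247: treat .onion as a secure context [FF60+] [TOR]
   * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
   * [1] https://bugzilla.mozilla.org/1382359 ***/
  # // user_pref("dom.securecontext.whitelist_onions", true);

  /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro]
   * These are the ciphers listed under "Cipher Suites" [1] that are either still using SHA-1 and CBC,
   * and/or are missing Perfect Forward Secrecy [3] and/or have other weaknesses like key sizes of 128
   * [1] https://browserleaks.com/ssl
   * [2] https://en.wikipedia.org/wiki/Key_size
   * [3] https://en.wikipedia.org/wiki/Forward_secrecy
  ***/

  /* 1261: disable 3DES (effective key size < 128 and no PFS)
   * [1] https://en.wikipedia.org/wiki/3des#Security
   * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
   * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
  # // user_pref("security.ssl3.rsa_des_ede3_sha", false);

  /* 1264: disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/
  # // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
  # // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
  # // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
  # // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
  # // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
  # // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
  # // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
  # // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS

  /** UI (User Interface) ***/

  /* 1270: display warning on the padlock for "broken security" (if 1201 is false)
   * Bug: warning padlock not indicated for subresources on a secure page! [2]
   * [1] https://wiki.mozilla.org/Security:Renegotiation
   * [2] https://bugzilla.mozilla.org/1353705 ***/
  "security.ssl.treat_unsafe_negotiation_as_broken" = true;

  /* 1271: control "Add Security Exception" dialog on SSL warnings
   * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
   * [1] https://github.com/pyllyukko/user.js/issues/210 ***/
  "browser.ssl_override_behavior" = 1;

  /* 1272: display advanced information on Insecure Connection warning pages
   * only works when it's possible to add an exception
   * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
   * [TEST] https://expired.badssl.com/ ***/
  "browser.xul.error_pages.expert_bad_cert" = true;

  /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
  # // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true]
  "security.insecure_connection_text.enabled" = true; # [FF60+]
}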