Gist ddqp/54dd228d77bc8f2543393032d1249cad
Revisions
Niklas Haas revised this gist
May 12, 2016. 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,6 +2,8 @@ Due to the incessant swarm of complete and utter nonsense that has been forcing its way into Firefox over time, I've decided to start collecting my personal list of “must-have” about:config tweaks required to turn Firefox into a functional brower. **NOTE:** Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome. ## WebSockets These can be used for nefarious purposes and to bypass access restrictions. -
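Review bot: the context line still reads "a functional brower" (typo for "browser"); since this revision rewrites the paragraph immediately after it, fix the typo in the same change. Also, "The comments link to some resources that may be more up-to-date" sends the reader off to search the gist comments; put those links in the NOTE itself so the out-of-date warning is actionable.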
haasn revised this gist
Sep 1, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -162,7 +162,7 @@ security.ssl3.rsa_aes_256_sha=false ### Force TLS 1.2 This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. (Note that TLS technically contains a mechanism for preventing protocol degradation attacks, but it requires participation from both the client and the server - which is not a guarantee in practice) ``` security.tls.version.min=3 -
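Review bot: the new parenthetical should name the mechanism it alludes to, because "technically contains a mechanism" gives the reader nothing to look up: it is the fallback signalling suite TLS_FALLBACK_SCSV (RFC 7507), which only helps when the client sends it on a retried handshake and the server rejects that retry, hence "participation from both the client and the server". Naming it also makes the point of the section explicit: raising the client-side minimum version is the defence that does not depend on the server.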
haasn revised this gist
Aug 29, 2015. 1 changed file with 1 addition and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -142,19 +142,13 @@ security.OCSP.require=true ### Disable unnecessary protocols This disables older protocols that are known to be weak or entirely broken (3DES, RC4 and MD5). ``` security.ssl3.rsa_rc4_128_sha=false security.ssl3.rsa_rc4_128_md5=false security.ssl3.rsa_des_ede3_sha=false security.ssl3.ecdhe_ecdsa_rc4_128_sha=false security.ssl3.ecdhe_rsa_rc4_128_sha=false ``` -
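Review bot: "protocols" is the wrong term in both the heading and the sentence: 3DES and RC4 are ciphers, MD5 is a hash, and the entries below are cipher suites, so say "cipher suites". The stats show 7 deletions but the rendered hunk only shows the surviving list; add a sentence stating that the AES-128 suites are now deliberately left enabled, otherwise readers of the previous revision cannot tell whether dropping them from the disable list was intentional.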
haasn revised this gist
Aug 17, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -178,6 +178,6 @@ security.tls.version.min=3 In addition to the above settings, I personally recommend the usage of at least the following addons: - [HTTPS Everywhere](https://www.eff.org/https-everywhere): Prefer HTTPS over HTTP even for sites that do not force HSTS. - [μBlock₀](https://github.com/gorhill/uBlock): Block access to all known ads, malware domains, badware, and other malicious scripts and domains. - [uMatrix](https://github.com/gorhill/uMatrix) or [NoScript](https://noscript.net/)+[RequestPolicy](https://requestpolicycontinued.github.io/): Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy. -
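Review bot: the closing sentence "This is highly recommended as they all pose significant threats to security and privacy" has an ambiguous "they"; as written it can be read as the addons posing the threat. Rephrase to "as scripts, objects and third-party requests all pose...". Also the link text "μBlock₀" does not match the project name uBlock Origin that the linked repository uses, which hurts searching and copy-paste; use the repository's name.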
haasn revised this gist
Aug 17, 2015. 1 changed file with 8 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -91,10 +91,17 @@ camera.control.autofocus_moving_callback.enabled=false ## Tracking protection This makes Firefox block known tracking domains by default. ``` privacy.trackingprotection.enabled=true ``` ### DNT Header This makes Firefox include a DNT (“do not track”) header in its request. Theoretically, this would opt-out of tracking services for some services, but unfortunately it makes your fingerprint *much* more trackable, as this header is not too common. Enable if it you want, but it's probably best to leave it off to prevent tracking. ``` privacy.donottrackheader.enabled=true ``` -
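Review bot: the prose now recommends leaving DNT off ("it's probably best to leave it off"), but the snippet still sets `privacy.donottrackheader.enabled=true`, so anyone who pastes the block gets the opposite of the advice. Either change the value to `false` or label the line as opt-in. Also "Enable if it you want" has a stray "it".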
haasn revised this gist
Aug 17, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -59,7 +59,7 @@ geo.wifi.uri="" ## Safe browsing This requires Firefox to communicate with a third party, Google by default, and also sends them metadata about your downloads. ``` browser.safebrowsing.enabled=false -
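Review bot: the new description explains the privacy cost of `browser.safebrowsing.enabled=false` but not the security cost: Safe Browsing is also what warns about known phishing and malware pages, so disabling it trades a metadata exposure to Google for losing that warning. A one-line note on the trade-off lets readers make the choice knowingly rather than assuming the setting is free.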
haasn revised this gist
Aug 16, 2015. 1 changed file with 3 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -118,7 +118,7 @@ network.http.speculative-parallel-limit=0 ## Cryptography hardening This disables algorithms that are known to be weak or broken, and prevents most common attack vectors. Be warned that this may break some older websites that are not compatible with modern protocols. ### General settings @@ -153,15 +153,15 @@ security.ssl3.ecdhe_rsa_rc4_128_sha=false ### Perfect forward secrecy If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. Might break *lots* of stuff. ``` security.ssl3.rsa_aes_256_sha=false ``` ### Force TLS 1.2 This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. ``` security.tls.version.min=3 -
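Review bot: "Might break *lots* of stuff" is too vague for a setting the reader is asked to apply; state what breaks, namely sites whose servers offer only RSA key-exchange suites, so the failure is recognisable when it happens. The second hunk also drops the breakage warning from the Force TLS 1.2 section; that is reasonable now that the section intro carries a warning, but say there that it applies to every subsection, otherwise the TLS 1.2 paragraph now reads as risk-free.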
haasn revised this gist
Aug 16, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -98,7 +98,7 @@ privacy.trackingprotection.enabled=true privacy.donottrackheader.enabled=true ``` ## Stat tracking / telemetry These are used by Mozilla to spy on you, and are as such a significant risk to privacy. -
haasn revised this gist
Aug 16, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -172,5 +172,5 @@ security.tls.version.min=3 In addition to the above settings, I personally recommend the usage of at least the following addons: - : Prefer HTTPS over HTTP even for sites that do not force HSTS. - [μBlock₀](https://github.com/gorhill/uBlock): Block access to all known ads, malware domains, badware, and other malicious scripts and domains. - [uMatrix](https://github.com/gorhill/uMatrix) or +: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy. -
haasn revised this gist
Aug 16, 2015. 1 changed file with 13 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -54,6 +54,17 @@ These can be used for tracking and fingerprinting services and are harmful to yo browser.beacen.enabled=false geo.enabled=false geo.wifi.logging.enabled=false geo.wifi.uri="" ``` ## Safe browsing This sends your browsing habits to third party services like Google. ``` browser.safebrowsing.enabled=false browser.safebrowsing.downloads.enabled=false browser.safebrowsing.malware.enabled=false ``` ## Social media integration @@ -62,6 +73,8 @@ This anti-feature lets social media platforms integrate directly into your brows ``` social.directories="" social.whitelist="" social.manifest.facebook="" social.remote-install.enabled=false social.toast-notifications.enabled=false ``` -
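Review bot: "This sends your browsing habits to third party services like Google" overstates what the three prefs control and does not distinguish them: the URL lookups are hash-prefix based, and `browser.safebrowsing.downloads.enabled` governs a separate download-reputation check that a reader may reasonably keep while disabling the others. Explain each pref on its own line so the reader can disable selectively. The social hunk is fine; `social.whitelist=""` and `social.manifest.facebook=""` belong with the existing `social.directories=""` and need no extra text.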
haasn revised this gist
Aug 16, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -140,15 +140,15 @@ security.ssl3.ecdhe_rsa_rc4_128_sha=false ### Perfect forward secrecy If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. ``` security.ssl3.rsa_aes_256_sha=false ``` ### Force TLS 1.2 This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. Be warned that not this may break some websites. ``` security.tls.version.min=3 -
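Review bot: "Be warned that not this may break some websites" is garbled (a leftover from "not many websites support this"); it should read "Be warned that this may break some websites". In the PFS hunk the sentence now says "ecdhe/dhe variants" but the only setting shown is `security.ssl3.rsa_aes_256_sha=false`; list which RSA key-exchange suites remain enabled after this change, otherwise the reader cannot verify that only ECDHE/DHE suites are left.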
haasn revised this gist
Aug 16, 2015. 1 changed file with 6 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -130,6 +130,12 @@ security.ssl3.rsa_rc4_128_md5=false security.ssl3.rsa_des_ede3_sha=false security.ssl3.rsa_aes_128_sha=false security.ssl3.dhe_rsa_aes_128_sha=false security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256=false security.ssl3.ecdhe_ecdsa_aes_128_sha=false security.ssl3.ecdhe_ecdsa_rc4_128_sha=false security.ssl3.ecdhe_rsa_aes_128_gcm_sha256=false security.ssl3.ecdhe_rsa_aes_128=false security.ssl3.ecdhe_rsa_rc4_128_sha=false ``` ### Perfect forward secrecy -
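Review bot: `security.ssl3.ecdhe_rsa_aes_128=false` is missing the `_sha` suffix that every sibling entry carries (compare `security.ssl3.ecdhe_ecdsa_aes_128_sha=false`); as written it creates an unused pref and the suite stays enabled. More importantly, disabling the `ecdhe_*_aes_128_gcm_sha256` suites removes the authenticated-encryption suites with forward secrecy that most servers prefer, while the plain-RSA CBC suite `security.ssl3.rsa_aes_256_sha` is only disabled in the next section; that ranks key length above key exchange and AEAD, and works against the "Perfect forward secrecy" goal immediately below. Keep the ECDHE GCM suites enabled.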
haasn revised this gist
Aug 16, 2015. 1 changed file with 9 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -76,6 +76,15 @@ camera.control.face_detection.enabled=false camera.control.autofocus_moving_callback.enabled=false ``` ## Tracking protection This makes Firefox block known tracking domains by default, and send tracking opt-out headers. ``` privacy.trackingprotection.enabled=true privacy.donottrackheader.enabled=true ``` ## Stat tracking / telemtry These are used by Mozilla to spy on you, and are as such a significant risk to privacy. -
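Review bot: "send tracking opt-out headers" undersells the cost of `privacy.donottrackheader.enabled=true`: the DNT header is honoured only voluntarily and, being uncommon, adds to the browser fingerprint, so present it as optional rather than bundling it with tracking protection in one block. The context heading "Stat tracking / telemtry" has a typo ("telemetry").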
haasn revised this gist
Aug 16, 2015. 1 changed file with 8 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -131,6 +131,14 @@ If you (additionally) want to force the usage of PFS, the only enabled ciphers s security.ssl3.rsa_aes_256_sha=false ``` ### Force TLS 1.2 This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. Be warned that not many websites support this. ``` security.tls.version.min=3 ``` # Recommended addons (bonus) In addition to the above settings, I personally recommend the usage of at least the following addons: -
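Review bot: `security.tls.version.min=3` needs a comment explaining the encoding, since "3" does not obviously mean TLS 1.2 (in Firefox 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2); a reader who later wants to allow TLS 1.1 would otherwise have to guess. This line also overrides the `security.tls.version.min=1` set under "General settings" earlier in the same file; say that the later value wins, or remove the earlier one, so the two do not look contradictory.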
haasn revised this gist
Aug 16, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -136,5 +136,5 @@ security.ssl3.rsa_aes_256_sha=false In addition to the above settings, I personally recommend the usage of at least the following addons: - : Prefer HTTPS over HTTP even for sites that do not force HSTS. - [uBlock Origin](https://github.com/gorhill/uBlock): Block access to all known ads, malware domains, badware, and other malicious scripts and domains. - [uMatrix](https://github.com/gorhill/uMatrix) or +: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy. -
haasn revised this gist
Aug 16, 2015. 1 changed file with 7 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,5 +1,7 @@ # Firefox bullshit removal Due to the incessant swarm of complete and utter nonsense that has been forcing its way into Firefox over time, I've decided to start collecting my personal list of “must-have” about:config tweaks required to turn Firefox into a functional brower. ## WebSockets These can be used for nefarious purposes and to bypass access restrictions. @@ -111,7 +113,7 @@ security.OCSP.require=true ### Disable unnecessary protocols This disables 128-bit protocols (which may be weaker against potential partial breaks), older protocols (3DES, RC4) and known weak or broken algorithms (MD5). ``` security.ssl3.rsa_rc4_128_sha=false @@ -123,7 +125,7 @@ security.ssl3.dhe_rsa_aes_128_sha=false ### Perfect forward secrecy If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe/dhe variants. Be warned that not many websites support this. ``` security.ssl3.rsa_aes_256_sha=false @@ -133,6 +135,6 @@ security.ssl3.rsa_aes_256_sha=false In addition to the above settings, I personally recommend the usage of at least the following addons: - : Prefer HTTPS over HTTP even for sites that do not force HSTS. - : Block access to all known ads, malware domains, badware, and other malicious scripts and domains. -  or +: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy. -
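Review bot: "functional brower" in the new intro paragraph is a typo for "browser". In the cipher hunk, "128-bit protocols (which may be weaker against potential partial breaks)" is both the wrong term (these are cipher suites) and an unsupported justification: AES-128 has no practical weakness that AES-256 avoids, and dropping these suites mostly costs compatibility, so either give the actual reason or drop the parenthetical. Under PFS, "not many websites support this" is a dated claim with no reference point; add the date, or tell the reader how to check (the suites a server offers), so the warning ages gracefully.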
haasn created this gist
Aug 16, 2015.
@@ -0,0 +1,138 @@ # Firefox bullshit removal ## WebSockets These can be used for nefarious purposes and to bypass access restrictions. ``` network.websocket.enabled=false ``` ## JavaScript spy vectors These can be used for fingerprinting or data collection about the host system. ``` dom.event.clipboardevents.enabled=false dom.battery.enabled=false browser.send_pings=false webgl.disabled=true ``` ## Pocket integration This is a proprietary tie-in service that is a risk to your privacy. 1. Drag the “pocket” icon off your toolbar. This step is important. 2. ```browser.pocket.enabled=false``` ## WebRTC This is an inter-browser communication standard that is a **very significant** risk to your privacy and can be used to break out of VPN tunnels, proxies and unmask local users. ``` media.peerconnection.enabled=false loop.enabled=false ``` ## DRM This is a significant breach of your personal freedom and security. ``` media.eme.enabled=false media.gmp-eme-adobe.enabled=false ``` ## GeoLocation / Beacon These can be used for tracking and fingerprinting services and are harmful to your privacy ``` browser.beacen.enabled=false geo.enabled=false geo.wifi.logging.enabled=false ``` ## Social media integration This anti-feature lets social media platforms integrate directly into your browser ``` social.directories="" social.remote-install.enabled=false social.toast-notifications.enabled=false ``` ## Device tracking/statistics These can be used to fingerprint your system and track you. ``` device.sensors.enabled=false camera.control.face_detection.enabled=false camera.control.autofocus_moving_callback.enabled=false ``` ## Stat tracking / telemtry These are used by Mozilla to spy on you, and are as such a significant risk to privacy. 
``` datareporting.healthreport.service.enabled=false datareporting.healthreport.uploadEnabled=false toolkit.telemetry.enabled=false ``` ## Link pre-fetching These will make Firefox connect with *arbitrary* links on a page by the simple act of hovering over them, without your explicit permission. ``` network.http.speculative-parallel-limit=0 ``` ## Cryptography hardening This disables algorithms that are known to be weak or broken, and prevents most common attack vectors. The settings presented here are somewhat conservative, as to avoid breaking the vast majority of the internet. ### General settings ``` security.tls.unrestricted_rc4_fallback=false security.tls.insecure_fallback_hosts.use_static_list=false security.tls.version.min=1 security.ssl.require_safe_negotiation=true security.ssl.treat_unsafe_negotiation_as_broken=true security.ssl3.rsa_seed_sha=true security.OCSP.enabled=1 security.OCSP.require=true ``` ### Disable unnecessary protocols This disables 128-bit protocols (which may be weaker against potential partial breaks), older protocols (3DES, RC4) and known weak or broken algorithms. ``` security.ssl3.rsa_rc4_128_sha=false security.ssl3.rsa_rc4_128_md5=false security.ssl3.rsa_des_ede3_sha=false security.ssl3.rsa_aes_128_sha=false security.ssl3.dhe_rsa_aes_128_sha=false ``` ### Perfect forward secrecy If you (additionally) want to force the usage of PFS, the only enabled ciphers should be of the ecdhe variant. Be warned that not many websites support this. ``` security.ssl3.rsa_aes_256_sha=false ``` # Recommended addons (bonus) In addition to the above settings, I personally recommend the usage of at least the following addons: - HTTPS Everywhere: Prefer HTTPS over HTTP even for sites that do not force HSTS. - uBlock Origin: Block access to all known ads, malware domains, badware, and other malicious scripts and domains. 
- uMatrix or NoScript+RequestPolicy: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy.
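Review bot: several entries in the initial file do not do what their section claims. `security.ssl3.rsa_seed_sha=true` under "Cryptography hardening" enables a suite (SEED with RSA key exchange, no forward secrecy) rather than disabling one; it should be `false` or removed. `security.tls.version.min=1` still permits TLS 1.0 and 1.1, which sits oddly under "hardening"; at least mark it as a deliberate compatibility choice. `browser.beacen.enabled=false` is misspelled ("beacen"), so about:config just creates an unused pref and the Beacon API stays on; the Firefox pref is `beacon.enabled`. The "Link pre-fetching" section sets only `network.http.speculative-parallel-limit=0`, which stops speculative connections on hover, but `<link rel=prefetch>` fetches are governed by `network.prefetch-next`; add that pref or narrow the heading to speculative connections. Step 2 of the Pocket section wraps the pref in triple backticks inline where single backticks are meant. "telemtry" is a typo for "telemetry".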