Settings to look into

[pyllyukko]

These settings in about:config might have some security/privacy related affect, but information about them is not that easily available:

• security.ssl.false_start.require-npn
• geo.wifi.uri
• browser.formfill.saveHttpsForms
• breakpad.reportURL (should we set this to ""?)
• extensions.blocklist.level
• network.stricttransportsecurity.preloadlist (quite self-explanatory, but needs reference)

See also:

• Replaced a few TODOs by the variables they were refering to, updated the README #6

[uberspot]

http://thesimplecomputer.info/tscs-firefox-tweak-guide
This has some more settings as well like "clipboard.autocopy -> false" that make sense. They suggest making breakpad.reportURL -> "" as well.

---

I would also suggest the following as a precaution:

user_pref("browser.selfsupport.url", "");
user_pref("browser.send_pings.require_same_host", true); 
user_pref("browser.trackingprotection.gethashURL", ""); 
user_pref("browser.trackingprotection.updateURL", "");  
user_pref("clipboard.autocopy", false);                 
user_pref("dom.w3c_touch_events.expose", false);
user_pref("geo.wifi.logging.enabled", false);           
// If you don't use ipv6, disable it
user_pref("network.dns.disableIPv6", true);             

Also, I would suggest adding a comment in the following options in your user.js that states "These configs break webrtc and/or Firefox Hello":

 user_pref("media.getusermedia.screensharing.enabled",      false);
 user_pref("security.OCSP.require",         true);
 user_pref("media.peerconnection.enabled",          false);

Because it's easier for someone to keep them if they want that functionality.

I would likewise add:

 user_pref("loop.enabled", false);

commented out just in case someone wants to disable firefox hello anyway.

I can submit a pull request for any of these if you want later on when I have more time. :)

[pyllyukko]

http://thesimplecomputer.info/tscs-firefox-tweak-guide
This has some more settings as well like "clipboard.autocopy -> false" that make sense. They suggest making breakpad.reportURL -> "" as well.

clipboard.autocopy in f4efd35.

I would also suggest the following as a precaution:

user_pref("browser.selfsupport.url", "");

-> ca2c759. These are just the types of annoyances we want to disable! :)

user_pref("browser.send_pings.require_same_host", true);
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.updateURL", "");

Does the browser.trackingprotection.* settings relate to this https://wiki.mozilla.org/Polaris#Tracking_protection? Because I think we should really use that to block some trackers.

user_pref("clipboard.autocopy", false);

-> f4efd35

user_pref("dom.w3c_touch_events.expose", false);
user_pref("geo.wifi.logging.enabled", false);

I would really like to find a proper reference to the geo.wifi.logging.enabled setting. Also, it is completely absent in my about:config...?

// If you don't use ipv6, disable it
user_pref("network.dns.disableIPv6", true);

Also, I would suggest adding a comment in the following options in your user.js that states "These configs break webrtc and/or Firefox Hello":

user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("security.OCSP.require", true);

Does OCSP really break FF Hello? Why is that?

user_pref("media.peerconnection.enabled", false);

Because it's easier for someone to keep them if they want that functionality.

I would likewise add:

user_pref("loop.enabled", false);

commented out just in case someone wants to disable firefox hello anyway.

-> 7287cea

I can submit a pull request for any of these if you want later on when I have more time. :)

Thanks for your contribution! I need to check the rest of the settings later. Pull requests are of course also welcome. I just want every setting to have some "official" reference link for further information about the setting in question.

[uberspot]

I'm not sure why, but the OSCP.required = true setting does break the audio/video streams in firefox hello. It manages to connect to the other peer but no audio/video from the peer are accepted. Your audio/video is sent normally to them though. It took me some time switching various settings on/off to find out which was causing the problem.

---

The only reference for the geo.wifi.logging,enabled i can find is here https://bugzilla.mozilla.org/show_bug.cgi?id=1065518 it exists in aurora builds apparently (?) It seems valid though.

---

The tracking protection url settings are related to the polaris feature from what I saw now with a bit of googling so ignore those. I reset them in my config as well. 👍

[pyllyukko]

Also, I would suggest adding a comment in the following options in your user.js that states "These configs break webrtc and/or Firefox Hello":

user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("security.OCSP.require", true);
user_pref("media.peerconnection.enabled", false);

Because it's easier for someone to keep them if they want that functionality.

I added that to the README now -> 1b4c25c

I've been playing around with this idea to have some kind of configurator tool for this, so people can produce different kind of user.js files with different functionality. There are so many settings and different people need/want different functionality from the browser.

[uberspot]

A simple html + js page that produces it would work fine. You could even add it as a github page for this project. With just some checkboxes that, when ticked, produce the corresponding user_pref entries.
This https://www.privacytools.io/ is already sort of community supported from what I understand so it could be added there so that non-savvy users can benefit as well. :)

[pyllyukko]

A simple html + js page that produces it would work fine. You could even add it as a github page for this project. 1 With just some checkboxes that, when ticked, produce the corresponding user_pref entries.

That might do the trick indeed. I'll need to look into that.

This https://www.privacytools.io/ is already sort of community supported from what I understand so it could be added there so that non-savvy users can benefit as well. :)

True that. Although I feel that this user.js thingie with dropping odd files to odd locations might still be too much for the most non-technical folks out there. It should also be quite user friendly and easily understandable, which are just the two things I suck at :D

[pyllyukko]

user_pref("browser.send_pings.require_same_host", true);

-> 096b276

[nodiscc]

It should also be quite user friendly and easily understandable

The RequestPolicy Continued community is considering adding user-friendly switches for some of these settings in the addon preferences: RequestPolicyContinued/requestpolicy#628 (comment) (prefs that are related to data leaks/silent/cross-site requests)

@pyllyukko your input is very welcome

[pyllyukko]

The RequestPolicy Continued community is considering adding user-friendly switches for some of these settings in the addon preferences: RequestPolicyContinued/requestpolicy#628 (comment) (prefs that are related to data leaks/silent/cross-site requests)

@pyllyukko your input is very welcome

I'll look into that. I'm not familiar with this add-on, so I would first need to see what's it all about.

[pyllyukko]

If all is done I'm making a pull request and update this post to the most recent FF version.

@CHEF-KOCH: So are you working on making a pull request on all of the setting in your comment?

[pyllyukko]

No matter if that breaks some sites

In my opinion that's a problem, even though the sites should fix the problems. It's still always a tradeoff and we can't have the most strict settings I'm afraid.

After some talk with Mozilla they told me that this will be fixed in the next FF stable release.

And in the meanwhile we mitigate by disabling cipher suites that use DH (#18).

[pyllyukko]

Tor browser's security slider might contain some stuff we need to have as well.

[pyllyukko]

Yes, it is true that Tor Browser has all kinds of security features that regular Firefox doesn't, but it's still a good source of clues and has provided some settings that we can also use.

I agree with the extensions getting a bit bloated, they should embrace the UNIX philosophy, so that there wouldn't be that much overlap in features.

[pyllyukko]

After some research I'm glad that I found an working solution to handle errors like ssl_error_no_cypher_overlap and such with the strongest TLS settings enabled. And this workaround is even better then lower or not use the strongest settings.

Do you get this error often?

[nodiscc]

I have made sure that all seetings that can be toggled by https://github.com/TheCreeper/PrivacyFox are present in user.js. The only setting that is not present here is geo.wifi.logging.enabled

[nodiscc]

user.js also includes all prefs listed in https://addons.mozilla.org/en-US/firefox/addon/tinfoil/

[nodiscc]

The following settings (from http://www.ghacks.net/overview-firefox-aboutconfig-security-privacy-preferences/) are not set by user.js:

media.video_stats.enabled
Provides web applications with information about video playback statistics such as the framerate.

plugin.scan.plid.all
Scans the Windows Registry key for plugin references. If found, adds them to Firefox.

I don't know whether they are still used

[nodiscc]

We should investigate Icecat default settings and the about:icecat page. Tracked at #58

[pyllyukko]

Thanks @nodiscc for doing this comparison!

[nodiscc]

You're welcome!

What is the status for settings listed above? For example searching toolkit.telemetry.unifiedIsOptIn in user.js returns no matches, what needs to be done?

What settings from this issue/list does user.js already take care of, and which ones should be added?

[pyllyukko]

What is the status for settings listed above? For example searching toolkit.telemetry.unifiedIsOptIn in user.js returns no matches, what needs to be done?

They are all waiting for me to thoroughly review 'em and decide whether to add them to user.js or not :/ If there are some obvious important ones, you can point them out, but otherwise I just need to try to find the time to start digging through them.

[nodiscc]

@CHEF-KOCH Just to be clear, we should make sure the settings used by Icecat have been reviewed and possibly included here. I don't think Icecat brings anything to the table. I wish people would just use a properly configured FF instead.

[pyllyukko]

For example searching toolkit.telemetry.unifiedIsOptIn in user.js returns no matches

For future reference, telemetry was also discussed and handled on #63.

[nodiscc]

See #248. I think this can be closed/archived.