Newer FF versions come with two plugins that are automatically installed.
1. OpenH264 Video Codec provided by Cisco Systems Inc
2. Prime-time Content Decryption Module provided by Adobe Systems, Incorporated
I looked into both plugins and do understand their basic function, but am not clear on how vital (or not) they are for browser function and, more importantly, whether or not they pose any security risks?
#1's purpose is "to comply with the WebRTC specification and to enable WebRTC calls with devices that require the H.264 video codec." Since I keep WebRTC disabled by default, can I disable this plugin?
#2 "allows you to watch DRM content on FF" and is an Adobe plugin. Do I need to treat it like risky Adobe Flash and block it by default until I need it? Thanks!
#1 Is this really only used for WebRTC? I thought it would be used to play all h264 content. Maybe it's just an encoder (for broadcasting video), not a decoder (for receiving), in which case you could disable it fine.
#2 I would imagine this is the plugin required to play content such as Netflix within Firefox without the need of Silverlight; Chrome has a similar plugin. You can probably disable it safely if you just do basic browsing. Personally I would recommend you just use click to play.
I don't have either plugin, and as far as I can tell, I don't miss them for anything that I do with Firefox. Bo
1. It is something like a proprietary Cisco codec. It is only being used for video chat stuff. It has nothing to do with video decoding. It downloads a blob when the browser starts. You can disable it. On Debian it is disabled.
2. It is DRM. It downloads the necessary blobs to play videos. It is disabled on Debian. You should disable that too.
And yes. They are a security risk.
If you don't know what it is, just don't bother responding instead of spreading misinformation. Reading further, the source code is freely available, so it's not proprietary at all. It is your own choice to use a binary, in which case you won't pay license fees, but the code is freely viewable. It is also only required for video streams, so you can disable it. It downloads decryption keys, not "binary blobs". Right now, I'd wager it's only required for Netflix, but that will probably grow in future. That depends on your definition of security risk. Technically every addon/plugin/extension you add will increase your attack surface, thus being a "security risk". But if you're using this term to compare it to the likes of Java or Flash plugins, then I would not classify it as a "security risk".
Thanks for the feedback. That's strange you don't have those plugins by default. Are you using an older version of FF?
I am using Firefox 44.0.2. I avoid plugins that I don't have any use for. So, I got rid of them by changing the preference below to false: media.gmp-provider.enabled Bo
Well, thanks for setting the record straight @elapsed. Video streaming seems to work just fine without the OpenH plugin, so I wonder what its benefit is.
Cool, that's a good "about:config" tweak to know. Adding it to my list! Do you tweak many other about:configs? I ask because for the longest time I only altered the 10 very common ones which increase privacy, but have recently come across some extended about:config tweak lists which I experimented with and got mixed results.
I think when they state "video streams" they are referring to WebRTC video streams, not generic video streams from YouTube etc. However, the streams you were watching may be encoded in VP9 and not h264. The former wouldn't require that plugin.
* WebRTC is not a plugin, it's a protocol; you can disable it within the options [ensure you installed the latest FF Final Version]
* OpenH264 is a Cisco plugin which is open source and runs isolated according to the papers.
* As always there is no security risk; it depends on which pages you visit and on other things, like javascript/html5....
If you don't like one of them, just install the ESR Firefox versions.
If you don't want the H264 plug-in, put this in your user.js file:
Code:
pref("media.gmp-gmpopenh264.enabled", false);
A few more tweaks, if you want to check them out:
Code:
// Use LANG environment variable to choose locale
pref("intl.locale.matchOS", true);
// Disable default browser checking.
pref("browser.shell.checkDefaultBrowser", false);
// Don't disable our bundled extensions in the application directory
pref("extensions.autoDisableScopes", 11);
pref("extensions.shownSelectionUI", true);
// Disable "alt" as a shortcut key to open full menu bar. Conflicts with "alt" as a modifier
pref("ui.key.menuAccessKeyFocuses", false);
// Disable the GeoLocation API for content
pref("geo.enabled", false);
// Make sure that the request URL of the GeoLocation backend is empty
pref("geo.wifi.uri", "");
// Disable Pocket and make sure that the request URLs of the Pocket are empty
pref("browser.pocket.enabled", false);
pref("browser.pocket.api", "");
pref("browser.pocket.site", "");
pref("browser.pocket.oAuthConsumerKey", "");
pref("browser.pocket.useLocaleList", false);
pref("browser.pocket.enabledLocales", "");
// Disable Freedom Violating DRM Feature
pref("browser.eme.ui.enabled", false);
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
// Default to classic view for about:newtab
pref("browser.newtabpage.enhanced", false);
// Override add-on signing
pref("xpinstall.signatures.required", false);
// Poodle attack
pref("security.tls.version.min", 1);
// Don't call home for blacklisting
pref("extensions.blocklist.enabled", false);
// Disable plugin installer
pref("plugins.hide_infobar_for_missing_plugin", true);
pref("plugins.hide_infobar_for_outdated_plugin", true);
pref("plugins.notifyMissingFlash", false);
//https://developer.mozilla.org/en-US/docs/Web/API/MediaSource
//pref("media.mediasource.enabled",true);
//Speeding it up
pref("network.http.pipelining", true);
pref("network.http.proxy.pipelining", true);
pref("network.http.pipelining.maxrequests", 10);
pref("nglayout.initialpaint.delay", 0);
// Disable third party cookies
pref("network.cookie.cookieBehavior", 1);
// Prevent EULA dialog to popup on first run
pref("browser.EULA.override", true);
// disable app updater url
pref("app.update.url", "http://127.0.0.1/");
// Set useragent to Firefox compatible
//pref("general.useragent.compatMode.firefox", true);
// Spoof the useragent to a generic one
pref("general.useragent.compatMode.firefox", true);
// Spoof the useragent to a generic one
pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0");
pref("general.appname.override", "Netscape");
pref("general.appversion.override", "44.0");
pref("general.buildID.override", "Gecko/20100101");
pref("general.oscpu.override", "Windows NT 6.1");
pref("general.platform.override", "Win32");
// Privacy & Freedom Issues
// https://webdevelopmentaid.wordpress.com/2013/10/21/customize-privacy-settings-in-mozilla-firefox-part-1-aboutconfig/
// https://panopticlick.eff.org
// http://ip-check.info
// http://browserspy.dk
// https://wiki.mozilla.org/Fingerprinting
// http://www.browserleaks.com
// http://fingerprint.pet-portal.eu
pref("privacy.donottrackheader.enabled", true);
pref("privacy.donottrackheader.value", 1);
pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
pref("social.enabled", false);
pref("social.remote-install.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.healthreport.about.reportUrl", "127.0.0.1");
pref("datareporting.healthreport.documentServerURI", "127.0.0.1");
pref("healthreport.uploadEnabled", false);
pref("social.toast-notifications.enabled", false);
pref("datareporting.policy.dataSubmissionEnabled", false);
pref("datareporting.healthreport.service.enabled", false);
pref("browser.slowStartup.notificationDisabled", true);
pref("network.http.sendRefererHeader", 2);
pref("network.http.referer.spoofSource", true);
//http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/
//pref("dom.storage.enabled", false);
pref("dom.event.clipboardevents.enabled",false);
pref("network.prefetch-next", false);
pref("network.dns.disablePrefetch", true);
pref("network.http.sendSecureXSiteReferrer", false);
pref("toolkit.telemetry.enabled", false);
// Do not tell what plugins do we have enabled: https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html
pref("plugins.enumerable_names", "");
pref("plugin.state.flash", 1);
// Do not autoupdate search engines
pref("browser.search.update", false);
// Warn when the page tries to redirect or refresh
//pref("accessibility.blockautorefresh", true);
pref("dom.battery.enabled", false);
pref("device.sensors.enabled", false);
pref("camera.control.face_detection.enabled", false);
pref("camera.control.autofocus_moving_callback.enabled", false);
pref("network.http.speculative-parallel-limit", 0);
// Crypto hardening
// https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
//General settings
//pref("security.tls.unrestricted_rc4_fallback", false);
//pref("security.tls.insecure_fallback_hosts.use_static_list", false);
//pref("security.tls.version.min", 1);
//pref("security.ssl.require_safe_negotiation", true);
//pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
//pref("security.ssl3.rsa_seed_sha", true);
//pref("security.OCSP.enabled", 1);
//pref("security.OCSP.require", true);
//Disable unnecessary protocols
//pref("security.ssl3.rsa_rc4_128_sha", false);
//pref("security.ssl3.rsa_rc4_128_md5", false);
//pref("security.ssl3.rsa_des_ede3_sha", false);
//pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
//pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
// https://directory.fsf.org/wiki/Disable_DHE
// Avoid logjam attack
pref("security.ssl3.dhe_rsa_aes_128_sha", false);
pref("security.ssl3.dhe_rsa_aes_256_sha", false);
pref("security.ssl3.dhe_dss_aes_128_sha", false);
pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
//Optional
//Perfect forward secrecy
// pref("security.ssl3.rsa_aes_256_sha", false);
//Force TLS 1.2
// pref("security.tls.version.min", 3);
// Disable channel updates
pref("app.update.enabled", false);
pref("app.update.auto", false);
pref("font.default.x-western", "sans-serif");
// Mobile
pref("privacy.announcements.enabled", false);
pref("browser.snippets.enabled", false);
pref("browser.snippets.syncPromo.enabled", false);
pref("browser.snippets.geoUrl", "http://127.0.0.1/");
pref("browser.snippets.updateUrl", "http://127.0.0.1/");
pref("browser.snippets.statsUrl", "http://127.0.0.1/");
pref("datareporting.policy.firstRunTime", 0);
pref("datareporting.policy.dataSubmissionPolicyVersion", 2);
pref("browser.webapps.checkForUpdates", 0);
pref("browser.webapps.updateCheckUrl", "http://127.0.0.1/");
pref("app.faqURL", "http://libreplanet.org/wiki/Group:IceCat/FAQ");
// Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
pref("media.gmp-manager.url", "http://127.0.0.1/");
pref("media.gmp-manager.url.override", "data:text/plain,");
pref("media.gmp-provider.enabled", false);
// Don't install openh264 codec
pref("media.gmp-gmpopenh264.enabled", false);
//Disable heartbeat
pref("browser.selfsupport.url", "");
//Disable Firefox Hello
pref("loop.enabled",false);
pref("loop.feedback.baseUrl", "");
pref("loop.gettingStarted.url", "");
pref("loop.learnMoreUrl", "");
pref("loop.legal.ToS_url", "");
pref("loop.legal.privacy_url", "");
pref("loop.oauth.google.redirect_uri", "");
pref("loop.oauth.google.scope", "");
pref("loop.server", "");
pref("loop.soft_start_hostname", "");
pref("loop.support_url", "");
pref("loop.throttled2",false);
// Use old style preferences, that allow javascript to be disabled
pref("browser.preferences.inContent",false);
// Don't download ads for the newtab page
pref("browser.newtabpage.directory.source", "");
pref("browser.newtabpage.directory.ping", "");
pref("browser.newtabpage.introShown", true);
// Disable home snippets
pref("browser.aboutHomeSnippets.updateUrl", "data:text/html");
// Disable hardware acceleration and WebGL
//pref("layers.acceleration.disabled", false);
pref("webgl.disabled", false);
// Disable SSDP
pref("browser.casting.enabled", false);
//Disable directory service
pref("social.directories", "");
pref("social.whitelist", "");
pref("social.shareDirectory", "");
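An added example, not part of the original post: a small Python check for a prefs list like the one above. It reports which values take effect, which prefs are assigned conflicting values, and whether the three media-plugin prefs mentioned in this thread are set to false. The function names and the sample file contents are constructed for illustration, and it assumes later lines override earlier ones.

```python
import re

# Active pref("name", value); or user_pref(...) lines; // comment lines are skipped.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Prefs named in this thread for the OpenH264 / Primetime plugins (GMP, EME),
# with the value the posters use to switch them off.
MEDIA_PLUGIN_PREFS = {
    "media.gmp-provider.enabled": False,
    "media.gmp-gmpopenh264.enabled": False,
    "media.eme.enabled": False,
}

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)  # prefs are bool, string or integer

def parse_prefs(text):
    """Return {name: [values in file order]} for uncommented pref lines."""
    seen = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue  # a commented-out pref has no effect
        m = PREF_RE.match(line)
        if m:
            seen.setdefault(m.group(1), []).append(parse_value(m.group(2)))
    return seen

def audit(text):
    seen = parse_prefs(text)
    effective = {n: v[-1] for n, v in seen.items()}  # assumption: last line wins
    conflicts = {n: v for n, v in seen.items() if len(set(map(repr, v))) > 1}
    not_disabled = [n for n, want in MEDIA_PLUGIN_PREFS.items()
                    if effective.get(n) is not want]
    return effective, conflicts, not_disabled

# Constructed sample in the style of the list above (not the poster's file).
SAMPLE = '''
pref("media.gmp-provider.enabled", false);
//pref("media.gmp-gmpopenh264.enabled", false);
pref("media.eme.enabled", false);
pref("security.tls.version.min", 1);
pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0");
pref("security.tls.version.min", 3);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A pref that is only present as a commented-out line is reported as not disabled, which is the case a long copied list most easily hides.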
You can't get rid of them; protocols can't be removed by about:config. You can simply enable/disable them, but you don't need to; this does not compromise your security. EME does not need to be entirely disabled, but *sigh* no one ever reads documents.... I see a lot of wrong stuff here, just copied and pasted without understanding how things work... Most of them are useless because they are obsolete, click-to-play or controlled by an internal mechanism.
Great List! There are definitely some I haven't seen or tried. Is adding/removing something in the user.js file basically the same as changing an about:config pref? Believe it or not I've never touched the user.js file even throughout all my about:config experimenting. If I didn't like how it was running I would simply start all over and manually enter the preferences I liked again..and again!
By get rid of, I mean "disabled." I disabled the two plug-ins that I brought up in my initial post. I'm not talking about EME; I haven't even read the whole article yet.
Hehehehe. Yes, it's the same thing, you don't need to start all over. Just make backups and then edit the files.
@CHEFKOCH are you saying the tweaks posted are pointless or something else? You'd know better than I would, but aren't preferences changed in about:config of highest authority meaning they are the rule??
All you need: https://github.com/pyllyukko/user.js I and others talked about obsolete stuff over the issue tracker there, feel free to read. I mostly contribute over GitHub directly and don't want to repeat myself here again. Yes, most stuff posted here on this thread is just copy&paste and obsolete or useless.
thanks, elapsed. That needed to be said. I started typing such a reply the other day, but bailed b/c I couldn't find a polite enough way to say it.
Editing pref.js is identical to changes via about:config (you wrote "user.js"). Tip: don't edit the js file while the browser is running; your edits will be overwritten at shutdown.
FWIW, about a month ago, after reading about "EME" aka "mediasource extensions", I tracked this down in the ff source code. It presents no "security" issue; it does arguably present a "privacy" issue (browser and/or machine_id fingerprinting). Under linux, the fingerprint string is just randomly-generated... but, under windows, the hashstring is derived from details of your device's hardware (UUID of the OS hard drive partition, etc). I can't recall finding that the hash generation considers the current profileID string of the browser (e.g. /home/inka/.mozilla/profiles/3Yb238fj3hd.default ) so, even if it gets stored to a "settings.sol" file across sessions, it (arguably) skirts the "personally-identifying" bullet. If you disable via prefs, the called function returns "false" instead of returning a hashstring. (In that case, your encrypted netflix or other DRM content which depends on this auth method will refuse to load.)