Mozillas auto-installed WebRTC & Adobe plugins

Discussion in 'privacy problems' started by Brosephine, Feb 26, 2016.

  1. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Newer FF versions come with two plugins that are automatically installed.
    1. OpenH264 Video Codec provided by Cisco Systems Inc
    2. Prime-time Content Decryption Module provided by Adobe Systems, Incorporated
    I looked into both plugins and do understand their basic function, but am not clear on how vital (or not) they are for browser function and more importantly whether or not they pose any security risks?

    #1's purpose is "to comply with the WebRTC specification and to enable WebRTC calls with devices that require the H.264 video codec." Since I keep WebRTC disabled by default can I disable it this plugin?
    #2 "allows you to watch DRM content on FF" and is an Adobe plugin. Do I need to treat it like risky Adobe flash and block it by default until I need it?

    Thanks!

     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    #1 Is this really only used for WebRTC? I thought it would be used to play all h264 content. Maybe it's just an encoder (for broadcasting video), not a decoder (for receiving), in which case you could disable it fine.

    #2 I would imagine this is the plugin required to play content such as Netflix within Firefox without the need of Silverlight, Chrome has a similar plugin. You can probably disable it safely if you just do basic browsing.

    Personally I would recommend you just use click to play.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I don't have either plugin, and as far as I can tell, I don't miss them for anything that I do with Firefox.

    Bo
     
  4. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    1. It is something like proprietary cisco codec. It is only being used for video chat stuff. It has nothing to do with video decoding. It downloads blob when browser starts. You can disable it. On Debian it is disabled.

    2. It is DRM. It downloads necessary blobs to play videos. It is disabled on Debian. You should disable that too.

    And yes. They are security risk.
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    If you don't know what it is, just don't bother responding instead of spreading misinformation.

    Reading further, the source code is freely available, so it's not proprietary at all. It is your own choice to use a binary in which case you won't pay license fees, but the code is freely viewable.

    It is also only required for video streams, so you can disable it

    It downloads decryption keys, not "binary blobs". Right now, I'd wager it's only required for Netflix, but that will probably grow in future.

    That depends on your definition of security risk. Technically every addon/plugin/extension you add will increase your attack surface, thus being a "security risk". But if you're using this term to compare it to the likes of Java or Flash plugins, then I would not classify it as a "security risk".
     
  6. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Thanks for the feedback. That's strange you doing have those plugins by default. Are you using an older version of FF?
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I am using Firefox 44.0.2. I avoid plugins that I don't have any use for. So, I got rid of them by changing the preference below to false:
    media.gmp-provider.enabled

    Bo
     
  8. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Well thanks for setting the record straight @elapsed.

    Video streaming seems to work just fine without the OpenH plugin, so I wonder whats its benfit it
     
    Last edited: Feb 27, 2016
  9. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Cool that's a good "about:config" tweak to know. Adding it to my list!

    Do you tweak many other about:configs? I ask bec for the longest time I only altered the 10 very common ones which increase privacy, but have recently come across some extended about:config tweak lists which I experimented with and got mixed results.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I think when they state "video streams" they are referring to WebRTC video streams, not generic videos streams from YouTube etc.

    However, the streams you were watching may be encoded in VP9 and not h264. The former wouldn't require that plugin.
     
  11. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    * WebRTC is not a plugin it's a protocol, you can disable it within the option [ensure you installed latest FF Final Version]
    * OpenH264 is an Cisco plugin which is open source and isolated running according to the papers.
    * As always there is no security risk, it's depending which pages you visit and depending on other things, like javascript/html5....

    If you not like one of them just install the ESR Firefox versions.
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    If you don't want the H264 plug-in, put this in your user.js file:

    Code:
    pref("media.gmp-gmpopenh264.enabled", false);
    A few more tweaks, if you want to check them out:

    Code:
    f// Use LANG environment variable to choose locale
    pref("intl.locale.matchOS", true);
    
    // Disable default browser checking.
    pref("browser.shell.checkDefaultBrowser", false);
    
    // Don't disable our bundled extensions in the application directory
    pref("extensions.autoDisableScopes", 11);
    pref("extensions.shownSelectionUI", true);
    
    // Disable "alt" as a shortcut key to open full menu bar. Conflicts with "alt" as a modifier
    pref("ui.key.menuAccessKeyFocuses", false);
    
    // Disable the GeoLocation API for content
    pref("geo.enabled", false);
    
    // Make sure that the request URL of the GeoLocation backend is empty
    pref("geo.wifi.uri", "");
    
    // Disable Pocket and make sure that the request URLs of the Pocket are empty
    pref("browser.pocket.enabled", false);
    pref("browser.pocket.api", "");
    pref("browser.pocket.site", "");
    pref("browser.pocket.oAuthConsumerKey", "");
    pref("browser.pocket.useLocaleList", false);
    pref("browser.pocket.enabledLocales", "");
    
    // Disable Freedom Violating DRM Feature
    pref("browser.eme.ui.enabled", false);
    pref("media.eme.enabled", false);
    pref("media.eme.apiVisible", false);
    
    // Default to classic view for about:newtab
    pref("browser.newtabpage.enhanced", false);
    
    // Override add-on signing
    pref("xpinstall.signatures.required", false);
    
    // Poodle attack
    pref("security.tls.version.min", 1);
    
    // Don't call home for blacklisting
    pref("extensions.blocklist.enabled", false);
    
    // Disable plugin installer
    pref("plugins.hide_infobar_for_missing_plugin", true);
    pref("plugins.hide_infobar_for_outdated_plugin", true);
    pref("plugins.notifyMissingFlash", false);
    
    //https://developer.mozilla.org/en-US/docs/Web/API/MediaSource
    //pref("media.mediasource.enabled",true);
    
    //Speeding it up
    pref("network.http.pipelining", true);
    pref("network.http.proxy.pipelining", true);
    pref("network.http.pipelining.maxrequests", 10);
    pref("nglayout.initialpaint.delay", 0);
    
    // Disable third party cookies
    pref("network.cookie.cookieBehavior", 1);
    
    // Prevent EULA dialog to popup on first run
    pref("browser.EULA.override", true);
    
    // disable app updater url
    pref("app.update.url", "http://127.0.0.1/");"
    
    // Set useragent to Firefox compatible
    //pref("general.useragent.compatMode.firefox", true);
    // Spoof the useragent to a generic one
    pref("general.useragent.compatMode.firefox", true);
    // Spoof the useragent to a generic one
    pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0");
    pref("general.appname.override", "Netscape");
    pref("general.appversion.override", "44.0");
    pref("general.buildID.override", "Gecko/20100101");
    pref("general.oscpu.override", "Windows NT 6.1");
    pref("general.platform.override", "Win32");
    
    // Privacy & Freedom Issues
    // https://webdevelopmentaid.wordpress.com/2013/10/21/customize-privacy-settings-in-mozilla-firefox-part-1-aboutconfig/
    // https://panopticlick.eff.org
    // http://ip-check.info
    // http://browserspy.dk
    // https://wiki.mozilla.org/Fingerprinting
    // http://www.browserleaks.com
    // http://fingerprint.pet-portal.eu
    pref("privacy.donottrackheader.enabled", true);
    pref("privacy.donottrackheader.value", 1);
    pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
    pref("social.enabled", false);
    pref("social.remote-install.enabled", false);
    pref("datareporting.healthreport.uploadEnabled", false);
    pref("datareporting.healthreport.about.reportUrl", "127.0.0.1");
    pref("datareporting.healthreport.documentServerURI", "127.0.0.1");
    pref("healthreport.uploadEnabled", false);
    pref("social.toast-notifications.enabled", false);
    pref("datareporting.policy.dataSubmissionEnabled", false);
    pref("datareporting.healthreport.service.enabled", false);
    pref("browser.slowStartup.notificationDisabled", true);
    pref("network.http.sendRefererHeader", 2);
    pref("network.http.referer.spoofSource", true);
    //http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/
    //pref("dom.storage.enabled", false);
    pref("dom.event.clipboardevents.enabled",false);
    pref("network.prefetch-next", false);
    pref("network.dns.disablePrefetch", true);
    pref("network.http.sendSecureXSiteReferrer", false);
    pref("toolkit.telemetry.enabled", false);
    // Do not tell what plugins do we have enabled: https://mail.mozilla.org/pipermail/firefox-dev/2013-November/001186.html
    pref("plugins.enumerable_names", "");
    pref("plugin.state.flash", 1);
    // Do not autoupdate search engines
    pref("browser.search.update", false);
    // Warn when the page tries to redirect or refresh
    //pref("accessibility.blockautorefresh", true);
    pref("dom.battery.enabled", false);
    pref("device.sensors.enabled", false);
    pref("camera.control.face_detection.enabled", false);
    pref("camera.control.autofocus_moving_callback.enabled", false);
    pref("network.http.speculative-parallel-limit", 0);
    
    // Crypto hardening
    // https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
    //General settings
    //pref("security.tls.unrestricted_rc4_fallback", false);
    //pref("security.tls.insecure_fallback_hosts.use_static_list", false);
    //pref("security.tls.version.min", 1);
    //pref("security.ssl.require_safe_negotiation", true);
    //pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
    //pref("security.ssl3.rsa_seed_sha", true);
    //pref("security.OCSP.enabled", 1);
    //pref("security.OCSP.require", true);
    //Disable unnecessary protocols
    //pref("security.ssl3.rsa_rc4_128_sha", false);
    //pref("security.ssl3.rsa_rc4_128_md5", false);
    //pref("security.ssl3.rsa_des_ede3_sha", false);
    //pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
    //pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
    // https://directory.fsf.org/wiki/Disable_DHE
    // Avoid logjam attack
    pref("security.ssl3.dhe_rsa_aes_128_sha", false);
    pref("security.ssl3.dhe_rsa_aes_256_sha", false);
    pref("security.ssl3.dhe_dss_aes_128_sha", false);
    pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
    //Optional
    //Perfect forward secrecy
    // pref("security.ssl3.rsa_aes_256_sha", false);
    //Force TLS 1.2
    // pref("security.tls.version.min", 3);
    
    // Disable channel updates
    pref("app.update.enabled", false);
    pref("app.update.auto", false);
    
    pref("font.default.x-western", "sans-serif");
    
    // Mobile
    pref("privacy.announcements.enabled", false);
    pref("browser.snippets.enabled", false);
    pref("browser.snippets.syncPromo.enabled", false);
    pref("browser.snippets.geoUrl", "http://127.0.0.1/");
    pref("browser.snippets.updateUrl", "http://127.0.0.1/");
    pref("browser.snippets.statsUrl", "http://127.0.0.1/");
    pref("datareporting.policy.firstRunTime", 0);
    pref("datareporting.policy.dataSubmissionPolicyVersion", 2);
    pref("browser.webapps.checkForUpdates", 0);
    pref("browser.webapps.updateCheckUrl", "http://127.0.0.1/");
    pref("app.faqURL", "http://libreplanet.org/wiki/Group:IceCat/FAQ");
    
    // Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
    pref("media.gmp-manager.url", "http://127.0.0.1/");
    pref("media.gmp-manager.url.override", "data:text/plain,");
    pref("media.gmp-provider.enabled", false);
    // Don't install openh264 codec
    pref("media.gmp-gmpopenh264.enabled", false);
    
    //Disable heartbeat
    pref("browser.selfsupport.url", "");
    
    //Disable Firefox Hello
    pref("loop.enabled",false);
    pref("loop.feedback.baseUrl", "");
    pref("loop.gettingStarted.url", "");
    pref("loop.learnMoreUrl", "");
    pref("loop.legal.ToS_url", "");
    pref("loop.legal.privacy_url", "");
    pref("loop.oauth.google.redirect_uri", "");
    pref("loop.oauth.google.scope", "");
    pref("loop.server", "");
    pref("loop.soft_start_hostname", "");
    pref("loop.support_url", "");
    pref("loop.throttled2",false);
    
    // Use old style preferences, that allow javascript to be disabled
    pref("browser.preferences.inContent",false);
    
    // Don't download ads for the newtab page
    pref("browser.newtabpage.directory.source", "");
    pref("browser.newtabpage.directory.ping", "");
    pref("browser.newtabpage.introShown", true);
    
    // Disable home snippets
    pref("browser.aboutHomeSnippets.updateUrl", "data:text/html");
    
    // Disable hardware acceleration and WebGL
    //pref("layers.acceleration.disabled", false);
    pref("webgl.disabled", false);
    
    // Disable SSDP
    pref("browser.casting.enabled", false);
    
    //Disable directory service
    pref("social.directories", "");
    pref("social.whitelist", "");
    pref("social.shareDirectory", "");
    
     
  13. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Thanks for the resource.

    Luckily I was able to get rid of it by changing an about:config preference.
     
  14. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    You can't get rid of them, protocols can't be removed by about:config, you simply can enable/disable it but you not need this is not compromise your security.

    EME not need to entirely disabled but *sigh* no one read ever documents....
    I see a lot of wrong stuff here, just copy and paste without understand how things working ... Most of them are useless because obsolete, click-to-play or controlled by internal mechanism.
     
  15. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Great List! There are definitely some I haven't seen or tried.
    Is adding/removing something in the user.js file basically the same as changing an about:config pref? Believe it or not I've never touched the user.js file even throughout all my about:config experimenting. If I didn't like how it was running I would simply start all over and manually enter the preferences I liked again..and again!
     
  16. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    By get rid of, I mean "disabled." I disabled the two plug ins that I brought up in my initial post. I'm not talking about EME I haven't even read the whole article yet.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Hehehehe. Yes, it's the same thing, you don't need to start all over. Just make backups and then edit the files.
     
  18. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    @CHEFKOCH are you saying the tweaks posted are pointless or something else?

    You'd know better than I would, but aren't preferences changed in about:config of highest authority meaning they are the rule??
     
  19. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    All you need:
    https://github.com/pyllyukko/user.js

    :thumb:

    I and others talked about obsolete stuff over the issue tracker there, feel free to read. I mostly contribute over GitHub directly and not want to re-spell myself here again.
    Yes, most stuff posted here on this thread is just copy&paste and obsolete or useless.
     
  20. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    thanks, elapsed. That needed to be said.
    I started typing such a reply the other day, but bailed b/c I couldn't find a polite enough way to say it.
     
  21. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Editing pref.js is identical to changes via about:config (you wrote "user.js").
    Tip: don't edit the js file while the browser is running; your edits will be overwritten at shutdown.
     
  22. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    FWIW, about a month ago, after reading about "EME" aka "mediasource extensions", I tracked this down in the ff source code. It presents no "security" issue; it does arguably present a "privacy" issue (browser and/or machine_id fingerprinting).
    Under linux, the fingerprint string is just randomly-generated... but, under windows, the hashstring is derived from details of your device's hardware (UUID of the OS hard drive partition, etc)

    I can't recall finding that the hash generation considers the current profileID string of the browser
    (e.g. /home/inka/.mozilla/profiles/3Yb238fj3hd.default )
    so, even if it gets stored to a "settings.sol" file across sessions, it (arguably) skirts the personally-identifying" bullet.
    If you disable via prefs, the called function returns "false" instead of returning a hashstring.
    (In that case, your encrypted netflix or other DRM content which depends on this auth method will refuse to load.)
     
  23. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Awesome I'll check it out.
    Thanks for the heads up!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.