Well, I read [most of] that and the HTTP/2 draft and some related material including: TLS Next Protocol Negotiation (NPN), TLS Application-Layer Protocol Negotiation (ALPN), and HTTP Alternative Services. I had skimmed some of it before, but this was enough of a deluge that I'm overwhelmed at the moment. I definitely have to go back over it several more times and do or review some testing. Right now, I'm thinking my decision to disable all of that was the correct decision and gives me some breathing room. What is the most compelling reason you can think of to enable it?
One question, today my machine upgraded to Firefox 38 ESR. browser.search.countryCode browser.search.region With region by how is this set? I mean it seems to be set by the user and if you reset it, the values are deleted. intl.locale.matchOS;false Also this value is set to false, which is good. Any ideas?
// Some notes on countryCode and region prefs: https://mxr.mozilla.org/mozilla-release/source/toolkit/components/search/nsSearchService.js#425 Bug 1123974 discussion and previous bugs mentioned https://bugzilla.mozilla.org/show_bug.cgi?id=1123974
All the SPDY references had me in a deja-vu old-dinosaur mode. I recall session persistence stuff in connection with things like FTAM. In that instance, the idea was certainly to persist over network outages and also machine outages, and being the session layer, were supposed to be insulated or ignorant of network layer information (e.g. IP address). But these days, I completely agree with comments above, that you want control over this at the application user level. Because - by and large - the networking speeds and reliability are such that you have a good chance of hour-long transfers going OK (and transport layer protection and retransmission doing most of the recovery work), there is little justification for having a persistent network-stack-based persistence of sessions when you can't manage or approve those. Sounds very dangerous from a privacy point of view, but likely is symptomatic of the services wanting to turn our browsers into graphically attractive dumb terminals to their "mainframes".
This might be interesting (although I haven't checked it very thoroughly yet): https://github.com/pyllyukko/user.js
Earlier in this thread (hope I'm posting to the correct thread) someone mentioned interest in exporting / importing prefs. I just noticed this extension (haven't yet tested it) which might be useful: https://addons.mozilla.org/en-US/firefox/addon/save-load-prefs "Load preferences from a file into Firefox. Useful for mobile devices that don't allow access to the Firefox profile directory. About this add-on: (compatible with ff versions 26+) To use this addon, go to its options page in under Tools->Add-ons. Save your current user preferences to the configured location. The file has the same format as <your-firefox-profile>/prefs.js. Edit this file as you wish and save to a new file. Then load your new preferences into Firefox. The addon will save them to your profile." ================== BTW: In case you haven't noticed, AMO enables you to browse online the source code for extensions hosted on the AMO site. Here's a link to view the "save-load-prefs" extension source code: https://addons.mozilla.org/en-US/firefox/files/browse/321694/
Iceweasel in debian stable and testing repositories is version 31esr. In later ff versions, and in iceweasel v38esr (debian unstable + experimental repositories) the phish-related safebrowsing hashlists are retrieved from mozilla-hosted servers but, yes, a few lists are still retrieved from google servers. Regarding the favicon requests behavior, nearly all of the remote icons are present in (inherited from) "default search engines list" supplied in the firefox build source. Debian devs added an item "search debian package lists" & supply data:image/x-icon right in the xml file. Same (local imagedata supplied) in other debian-added search engine entries that I checked. FWIW, aside from user-agent and/or "appid", I find nothing being leaked by these requests & have no qualms nor complaint regarding these. If you do, you can launch first-run without network connectivity and -- disable safebrowsing via about:config -- remove most of, or all of, the search engine entries (or edit each search xml file to change/remove remote icon imagefile URL)
Does anyone know what is the situation of Iceweasel from Trisquel's/Parabola's repos? And what about IceCat?
This thread is about firefox. If you want to talk about Trisquel and IceCactus browser instead, go here: https://trisquel.info/en/forum/icecat-3170
I really love this thread. By now, it's already into 6 pages. Is it possible or can someone consolidate all the latest privacy config settings?
I tried to do this and it crashed out FF... nothing worked, had to reinstall it. Had the same version, same addons & versions of them too. But it didn't work by replacing that pref file with the one I saved from my old installation. So now I just do it all over again. I wish there were an easier way but I haven't found one.
I notice it trying to connect to 63.245.0.0 - 63.245.255.255. I block that range and only unblock it temporarily when I update addons. I also found a range HTTPS-Everywhere uses to phone... somewhere: 69.50.0.0 - 69.50.255.255. Here's one Microsoft uses for good measure: 69.28.0.0 - 69.28.255.255. It's a good habit to get into looking at active connection lists/logs, or netstat -an to look for non-DNS IPs and see if they're necessary or not for the proper functionality of the site/program. If it's not, shoot first and ask questions later. I even found two ranges that Ixquick uses, but the downside is that with searches the pages don't load. It happens enough that it's a major irritant, like 35% of the time I'd say. But if you're interested here they are: 213.144.0.0 - 213.144.255.255 and 69.90.210.0 - 69.90.210.255. I have a bunch more too. I block them in my router... all but the Ixquick & Firefox ones.
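One way to do the connection-list review described in the post above, as an added example that is not part of the original thread: it converts the posted first-last ranges to CIDR networks and reports which remote endpoints in netstat -an output fall inside them. The sample output, the function names and the labels (which only repeat the poster's attribution) are assumptions.

```python
import ipaddress
import re

# Ranges copied from the post above; the labels repeat the poster's
# attribution and are not verified here.
POSTED_RANGES = [
    ("63.245.0.0", "63.245.255.255", "Firefox"),
    ("69.50.0.0", "69.50.255.255", "HTTPS-Everywhere"),
    ("69.28.0.0", "69.28.255.255", "Microsoft"),
    ("213.144.0.0", "213.144.255.255", "Ixquick"),
    ("69.90.210.0", "69.90.210.255", "Ixquick"),
]

def to_networks(ranges):
    """Convert first-last pairs into CIDR networks (the form firewalls expect)."""
    nets = []
    for first, last, label in ranges:
        for net in ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)):
            nets.append((net, label))
    return nets

# Local and remote IPv4 endpoints on a `netstat -an` line; works for both the
# Windows layout (proto local remote state) and the Linux layout
# (proto recv-q send-q local remote state).
ENDPOINTS = re.compile(
    r"(\d+\.\d+\.\d+\.\d+):(\d+|\*)\s+(\d+\.\d+\.\d+\.\d+):(\d+|\*)")

def classify(netstat_text, nets):
    """Return sorted (remote_ip, remote_port, label) for remotes in a listed range."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ENDPOINTS.search(line)
        if not m:
            continue  # headers, IPv6 and unix-socket lines
        remote = ipaddress.ip_address(m.group(3))
        for net, label in nets:
            if remote in net:
                hits.add((str(remote), m.group(4), label))
    return sorted(hits)

# Constructed sample output, not captured from a real host.
SAMPLE = """\
  TCP    192.168.1.20:49712     63.245.10.20:443       ESTABLISHED
  TCP    192.168.1.20:49713     69.90.210.72:443       TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
tcp        0      0 192.168.1.20:51000      203.0.113.10:80         ESTABLISHED
"""

if __name__ == "__main__":
    for hit in classify(SAMPLE, to_networks(POSTED_RANGES)):
        print(hit)
```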
I prefer using CCleaner to erase my sandbox. I enter the command: "Directory:\CCleaner\CCleaner.exe" /delete "%SANDBOX%" And have CCleaner set up for secure deletion, 1 pass.
Seems reasonable, predictable, that a repurposed prefs file would be unusable unless you search/replaced path-related strings, ESPECIALLY the prefs associated with various addons. As for the claim "you only need the pref.js file", clearly that is incorrect if any addons were (and/or are now) installed. I've lost track whether it has been mentioned already in this looooong thread, but... the FEBE addon is reputedly (I haven't personally checked it against recent ff versions) still able to facilitate the migration of profiles.
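The path-related strings mentioned in the post above can be located before a saved prefs file is reused; the following is an added example, not part of the original thread and not code from Firefox or FEBE. The extensions.exampleaddon.* names, the sample file and the path patterns are assumptions made for illustration.

```python
import json
import re

# One user_pref("name", value); entry per line, as in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Value shapes that tie a pref to one machine or profile directory.
# Checked in order; the lookbehinds keep http:// and URL paths from matching.
PATH_HINTS = [
    ("file URL", re.compile(r'file:///', re.I)),
    ("windows path", re.compile(r'(?<![A-Za-z])[A-Za-z]:[\\/](?!/)')),
    ("unix path", re.compile(r'(?<![\w/:.])/(?:home|Users|root|media|mnt)/')),
]

def parse_prefs(text):
    """Return {name: value}; a later duplicate overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and blank lines
        raw = m.group(2)
        try:
            value = json.loads(raw)  # quoted strings, integers, true/false
        except ValueError:
            value = raw.strip('"')   # keep unusual escapes as raw text
        prefs[m.group(1)] = value
    return prefs

def path_bound(prefs):
    """Return sorted (name, kind) for string prefs that embed a local path."""
    found = []
    for name, value in prefs.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in PATH_HINTS:
            if pattern.search(value):
                found.append((name, kind))
                break
    return sorted(found)

# Constructed sample in prefs.js format; the exampleaddon prefs are hypothetical.
SAMPLE = r'''
// saved from the old installation
user_pref("browser.download.dir", "C:\\Users\\olduser\\Downloads");
user_pref("browser.startup.homepage", "https://example.org/home/");
user_pref("extensions.exampleaddon.backupDir", "/home/olduser/.mozilla/backups");
user_pref("extensions.exampleaddon.rules", "file:///D:/rules/list.txt");
user_pref("network.http.spdy.enabled", false);
'''

if __name__ == "__main__":
    for name, kind in path_bound(parse_prefs(SAMPLE)):
        print(f"{kind:13} {name}")
```

Prefs it reports need their values rewritten for the new profile, or the entry removed so the default applies.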
Heads up, some potentially disruptive changes are in the works: https://wiki.mozilla.org/Firefox/Go_Faster, short presentation video @ https://air.mozilla.org/go-faster/ For those who don't want to review the above, a few notes I made: For Firefox Desktop, and potentially other products, Mozilla intends to switch to a continuous delivery model, which will involve more frequent, smaller, updates. The addon system will be leveraged, and a new type of "system addon" will be used to ship Firefox features. An example was given, of a woman using Firefox's search interface to perform searches and who steps away from her device for a moment. While she is away, a restartless system-addon is delivered and the search functionality is changed. When she comes back and resumes her searching, she'll automatically be using the newer functionality. System addons will apply to all profiles (under debate). System addons may not be uninstallable, but they may be disableable. There will be increased use of experiments and also instrumentation (telemetry). A goal is to validate ideas with users and incorporate only those features that are popular. Mozilla will begin testing features on subsets of the release channel, and rolling features out to release users in a phased manner. Plans are to separate some data from the product and have the installer/updater download that data separately. There is mention of "security policy updates" through a new update service, but I'm not sure what that refers to.
Looks like Fetch was enabled by default in FF39, and the code no longer checks for the dom.fetch.enabled pref. Pref to turn TP on when in Private Browsing mode https://bugzilla.mozilla.org/show_bug.cgi?id=1138979 privacy.trackingprotection.pbmode.enabled Unified Telemetry work continues: https://wiki.mozilla.org/Unified_Telemetry https://bugzilla.mozilla.org/showdependencytree.cgi?id=1122515 https://mxr.mozilla.org/mozilla-central/source/toolkit/components/telemetry/docs/ Came across this: [e10s] Make a version of nsIContentPolicy that doesn't pass the node as a parameter https://bugzilla.mozilla.org/show_bug.cgi?id=1128798 which discusses an issue with nsIContentPolicy based filtering in e10s, and mentions efforts to develop a Chrome-like WebRequest API. It sounds like they intend to keep and make some improvements to nsIContentPolicy, but it will be more difficult to use due to e10s. So a more simple API was considered, and due to the desire to make porting Chrome extensions to Firefox easy, they created a WebRequest-like API. I sure hope we don't lose anything as a result of this and/or other efforts to move towards more common APIs.
All is ok except browser.cache.memory.enable = false, which is a nonsense, especially with disk cache disabled. I have otherwise those settings among several others, memory cache set to 512MB and Cyberfox profile on a RAMdisk. Security, privacy, swiftness.
http://www.theregister.co.uk/2015/08/07/update_firefox_to_foil_russian_filestealing_vuln_exploit/ "Danger, Will Robinson! Gotta stay safe. Update immediately! Make sure AutomaticUpYours is enabled..." ? No. Decrease the attack surface: pdfjs.disabled = true and stick with a "dumb" (no frills, no scripting) PDF reader: http://www.sumatrapdfreader.org/free-pdf-reader.html Supported OS: Windows 8, Windows 7, Vista, XP
I was wondering if you guys could tell me if this is effective and if I placed the file in the right folder. I am using this guy's user.js file: https://www.reddit.com/r/privacy/comments/2uaent/tips_to_tune_your_firefox/ I placed it in Firefox by going to Help > Troubleshooting Information > Show Folder and pasting it in there. Do those tweaks look effective? Is it working just by being in that folder?
Holysmoke, a comparatively better (more comprehensive) list was recently provided here @post #32 ---v https://www.wilderssecurity.com/threads/firefox-quiet.375074/page-2 In regard to "...and if I placed the file in the right folder": I would discourage the "quickfix" approach of blindly downloading and pasting, en masse, someone's suggested prefs. If you're not willing/able to visit about:config and thoughtfully select and alter pref values, just fuggedaboutit.