Rework install process + add strong Firefox user.js

This commit is contained in:
nemunaire 2015-06-29 17:39:56 +02:00
parent 8e69908166
commit 1c44d6d0f5
2 changed files with 247 additions and 27 deletions

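--- a/.mozilla/firefox/user.js
+++ b/.mozilla/firefox/user.js
@@ -0,0 +1,196 @@
+/*
+Sources:
+- https://github.com/pyllyukko/user.js
+- https://github.com/amq/firefox-debloat
+*/
+/* HTML5 / APIs / DOM */
+user_pref("geo.enabled", false);
+user_pref("media.peerconnection.enabled", false);
+user_pref("media.navigator.enabled", false);
+user_pref("dom.battery.enabled", false);
+user_pref("dom.telephony.enabled", false);
+user_pref("beacon.enabled", false);
+user_pref("dom.event.clipboardevents.enabled", false);
+user_pref("dom.enable_performance", false);
+user_pref("media.webspeech.recognition.enable", false);
+user_pref("media.getusermedia.screensharing.enabled", false);
+user_pref("device.sensors.enabled", false);
+user_pref("browser.send_pings", false);
+user_pref("browser.send_pings.require_same_host", true);
+/* misc */
+user_pref("browser.search.defaultenginename", "DuckDcukGo");
+user_pref("clipboard.autocopy", false);
+user_pref("browser.fixup.alternate.enabled", false);
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.type", 0);
+user_pref("security.mixed_content.block_active_content", true);
+user_pref("security.mixed_content.block_display_content", true);
+user_pref("javascript.options.methodjit.chrome", false);
+user_pref("javascript.options.methodjit.content", false);
+user_pref("javascript.options.asmjs", false);
+user_pref("gfx.font_rendering.opentype_svg.enabled", false);
+/* extensions / plugins */
+user_pref("plugin.state.flash", 0);
+user_pref("plugins.click_to_play", true);
+user_pref("extensions.update.enabled", true);
+user_pref("extensions.blocklist.enabled", true);
+/* firefox features / components */
+user_pref("toolkit.telemetry.enabled", false);
+user_pref("privacy.trackingprotection.enabled", true);
+user_pref("browser.polaris.enabled", true);
+user_pref("datareporting.healthreport.uploadEnabled", false);
+user_pref("datareporting.healthreport.service.enabled", false);
+user_pref("browser.newtabpage.enhanced", false);
+user_pref("browser.newtab.preload", false);
+user_pref("browser.newtabpage.directory.ping", "");
+user_pref("browser.selfsupport.url", "");
+user_pref("loop.enabled", false);
+user_pref("browser.safebrowsing.enabled", false);
+user_pref("browser.safebrowsing.downloads.enabled", false);
+user_pref("browser.safebrowsing.malware.enabled", false);
+user_pref("browser.pocket.enabled", false);
+user_pref("media.eme.enabled", false);
+user_pref("media.gmp-eme-adobe.enabled", false);
+user_pref("browser.search.suggest.enabled", false);
+/* automatic connections */
+user_pref("browser.search.geoip.url", "");
+user_pref("network.predictor.enabled", false);
+user_pref("browser.casting.enabled", false);
+user_pref("media.gmp-gmpopenh264.enabled", false);
+user_pref("media.gmp-manager.url", "");
+user_pref("network.http.speculative-parallel-limit", 0);
+user_pref("browser.aboutHomeSnippets.updateUrl", "");
+user_pref("browser.search.update", false);
+/* HTTP */
+user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+//user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
+user_pref("security.csp.experimentalEnabled", true);
+user_pref("security.csp.enable", true);
+user_pref("privacy.donottrackheader.enabled", true);
+user_pref("network.http.sendRefererHeader", 1);
+user_pref("network.http.referer.spoofSource", true);
+user_pref("network.http.sendSecureXSiteReferrer", false);
+user_pref("network.cookie.cookieBehavior", 1);
+/* UI related */
+user_pref("dom.event.contextmenu.enabled", false);
+user_pref("plugins.update.notifyUser", true);
+user_pref("security.warn_entering_weak", true);
+user_pref("security.ssl.warn_missing_rfc5746", 1);
+user_pref("security.ask_for_password", 0);
+user_pref("browser.xul.error_pages.expert_bad_cert", 2);
+/* TLS / HTTPS / OCSP related stuff */
+user_pref("network.stricttransportsecurity.preloadlist", true);
+user_pref("network.http.spdy.enabled", true);
+user_pref("network.http.spdy.enabled.v3", true);
+user_pref("network.http.spdy.enabled.v3-1", true);
+user_pref("security.OCSP.enabled", true);
+user_pref("security.ssl.enable_ocsp_stapling", true);
+user_pref("security.OCSP.require", true);
+user_pref("security.enable_tls_session_tickets", false);
+user_pref("security.enable_ssl3", false);
+user_pref("security.cert_pinning.enforcement_level", 2);
+user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+user_pref("security.ssl.errorReporting.automatic", false);
+/* CIPHERS */
+user_pref("security.ssl3.rsa_null_sha", false);
+user_pref("security.ssl3.rsa_null_md5", false);
+user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
+user_pref("security.ssl3.ecdh_rsa_null_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
+user_pref("security.ssl3.rsa_seed_sha", false);
+// 40 bits
+user_pref("security.ssl3.rsa_rc4_40_md5", false);
+user_pref("security.ssl3.rsa_rc2_40_md5", false);
+// 56 bits
+user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
+// 128 bits
+user_pref("security.ssl3.rsa_camellia_128_sha", false);
+//user_pref("security.ssl3.rsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
+user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
+user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+// RC4 (CVE-2013-2566)
+user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
+user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+user_pref("security.ssl3.rsa_rc4_128_md5", false);
+user_pref("security.ssl3.rsa_rc4_128_sha", false);
+/*
+* 3DES -> false because effective key size < 128
+*
+* https://en.wikipedia.org/wiki/3des#Security
+* http://en.citizendium.org/wiki/Meet-in-the-middle_attack
+*
+* see also: http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
+*/
+user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
+user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.rsa_des_ede3_sha", false);
+user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
+// ciphers with ECDH (without /e$/)
+user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
+// 256 bits without PFS
+user_pref("security.ssl3.rsa_camellia_256_sha", false);
+user_pref("security.ssl3.rsa_aes_256_sha", false);
+// ciphers with ECDHE and > 128bits
+user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
+user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
+// GCM... yes please!
+user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
+user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
+// susceptible to the logjam attack https://weakdh.org/
+user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
+user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+// ciphers with DSA (max 1024 bits)
+user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
+user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
+user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
+user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
+user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
+// fallbacks
+user_pref("security.ssl3.rsa_aes_256_sha", true);
+user_pref("security.ssl3.rsa_aes_128_sha", true);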
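Review bot: The engine name in the `browser.search.defaultenginename` line under `/* misc */` is misspelled as "DuckDcukGo", so the pref presumably matches no bundled engine and the browser keeps its existing default; the line should read `user_pref("browser.search.defaultenginename", "DuckDuckGo");`. Two prefs are also assigned twice with conflicting values: `security.ssl3.rsa_aes_256_sha` is set to false under "256 bits without PFS" and to true under "fallbacks", so the earlier line is dead (last assignment wins) and its group comment no longer describes what is actually enforced, and the `ecdh_rsa_des_ede3_sha` / `ecdh_ecdsa_des_ede3_sha` lines appear in both the 3DES block and the ECDH block. A one-line comment on the fallbacks block such as `// deliberately re-enables rsa_aes_256_sha disabled above; non-PFS fallback for servers without ECDHE` would make the override intentional rather than accidental. Finally, `security.OCSP.require` set to true hard-fails every TLS handshake whose OCSP responder is unreachable, which is an availability trade-off worth recording in a comment next to that line.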


@ -20,7 +20,7 @@ cd $(dirname "$0")
if [ "$1" == "install" ] || [ "$1" == "link" ] || [ "$1" == "links" ]
then
REMOVE=1
BIN="ln -s"
BIN="ln -L -s"
elif [ "$1" == "update" ] || [ "$1" == "pull" ]
then
git stash &&
@ -34,7 +34,7 @@ then
elif [ "$1" == "copy" ]
then
REMOVE=1
BIN="cp -r"
BIN="cp -L -r"
else
echo -e "\e[32;01mNemunaire's configuration \e[0;33m("`git branch --no-color | grep '*' | cut -d " " -f 2-`")\e[0m"
echo -e " \e[01mAuthor:\e[0m\t\t"`git log -1 --format="%aN <%aE>"`
@ -61,10 +61,49 @@ IGNORE_FILES=".
install.sh"
TMPERR=`mktemp`
doins() {
echo -ne "Installing ${1##./} ...\t"
# Alignment
[ ${#1} -lt 11 ] && echo -en "\t"; [ ${#1} -lt 19 ] && echo -en "\t"
if [ -L "$2" ]
then
echo -e "\e[36mAlready installed\e[0m"
elif [ -d "$2" ] && [ -d "$1" ]
then
echo -e "\e[33mExistant directory\e[0m"
DESTDIR="${DESTDIR}/$1" install_dir "$1"
elif [ -e "$2" ]
then
echo -e "\e[35mAlready exists\e[0m"
else
if $BIN "$(pwd)/$1" "$2" >&2 2> "$TMPERR"
then
echo -e "\e[32mdone\e[0m"
else
echo -e "\e[31;01mfail\e[0m"
fi
cat "$TMPERR"
fi
}
install_dir() {
for f in `ls -a "$1"`
do
if ! in_list "$IGNORE_FILES" "$f"
if [ "$1/$f" == "./.mozilla" ]
then
if [ -d "${DESTDIR}/.mozilla/firefoxd" ]
then
find ${DESTDIR}/.mozilla/firefox -mindepth 1 -maxdepth 1 -type d |
while read dest
do
mozilla_case "$1/$f" "$dest"
done
else
echo -e "Installing .mozilla/firefox ...\t\t\e[34mSkipped\e[0m"
fi
elif ! in_list "$IGNORE_FILES" "$f"
then
if [ "$REMOVE" -eq 0 ]; then
echo -ne "Removing $1/$f ...\t"
@ -76,33 +115,18 @@ install_dir() {
echo -e "Not installed"
fi
else
echo -ne "Installing $1/$f ...\t"
# Alignment
[ $((${#f} + ${#1})) -lt 8 ] && echo -en "\t"; [ $((${#f} + ${#1})) -lt 16 ] && echo -en "\t"
if [ -L "${DESTDIR}/$1/$f" ]
then
echo -e "\e[36mAlready installed\e[0m"
elif [ -d "${DESTDIR}/$1/$f" ] && [ -d "$1/$f" ]
then
echo -e "\e[33mExistant directory\e[0m"
install_dir "$1/$f"
elif [ -e "${DESTDIR}/$1/$f" ]
then
echo -e "\e[35mAlready exists\e[0m"
else
if $BIN "$(pwd)/$1/$f" "${DESTDIR}/$1/$f" >&2 2> "$TMPERR"
then
echo -e "\e[32mdone\e[0m"
else
echo -e "\e[31;01mfail\e[0m"
fi
cat "$TMPERR"
fi
doins "$1/$f" "${DESTDIR}/$f"
fi
fi
done
}
mozilla_case() {
echo -e "Installing .mozilla/firefox/${2##*/} ...\t\e[33mExisting profile\e[0m"
DESTDIR="${2}" install_dir .mozilla/firefox
}
# Common installation
install_dir .
rm "${TMPERR}"
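Review bot: The profile-directory test in the new `.mozilla` branch of install_dir checks `${DESTDIR}/.mozilla/firefoxd` while the find two lines below walks `${DESTDIR}/.mozilla/firefox`, so unless a directory literally named `firefoxd` exists the branch always prints "Skipped" and the user.js this commit adds is never installed into any profile; it should read `if [ -d "${DESTDIR}/.mozilla/firefox" ]`. The find path in that same branch is unquoted and the loop uses a bare `read`, so a DESTDIR containing whitespace word-splits and backslashes in profile names are mangled; `find "${DESTDIR}/.mozilla/firefox" -mindepth 1 -maxdepth 1 -type d | while read -r dest` addresses both. In the new doins helper, `>&2 2> "$TMPERR"` routes the install command's stdout to stderr and captures only its stderr in the temp file — the same order the old inline code used — so if the intent is to capture all output for the `cat "$TMPERR"` that follows, `> "$TMPERR" 2>&1` is what is wanted. install_dir's body spans the gap between the two install.sh hunks, so the lines between them were not reviewed.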