Rework install process + add strong Firefox user.js

.mozilla/firefox/user.js

@@ -0,0 +1,196 @@
+/*
+  Sources:
+    - https://github.com/pyllyukko/user.js
+    - https://github.com/amq/firefox-debloat
+*/
+
+/* HTML5 / APIs / DOM */
+
+user_pref("geo.enabled", false);
+user_pref("media.peerconnection.enabled", false);
+user_pref("media.navigator.enabled", false);
+user_pref("dom.battery.enabled", false);
+user_pref("dom.telephony.enabled", false);
+user_pref("beacon.enabled", false);
+user_pref("dom.event.clipboardevents.enabled", false);
+user_pref("dom.enable_performance", false);
+user_pref("media.webspeech.recognition.enable", false);
+user_pref("media.getusermedia.screensharing.enabled", false);
+user_pref("device.sensors.enabled", false);
+user_pref("browser.send_pings", false);
+user_pref("browser.send_pings.require_same_host", true);
+
+/* misc */
+
+user_pref("browser.search.defaultenginename", "DuckDcukGo");
+user_pref("clipboard.autocopy", false);
+user_pref("browser.fixup.alternate.enabled", false);
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.proxy.type", 0);
+user_pref("security.mixed_content.block_active_content", true);
+user_pref("security.mixed_content.block_display_content", true);
+user_pref("javascript.options.methodjit.chrome", false);
+user_pref("javascript.options.methodjit.content", false);
+user_pref("javascript.options.asmjs", false);
+user_pref("gfx.font_rendering.opentype_svg.enabled", false);
+
+/* extensions / plugins  */
+
+user_pref("plugin.state.flash", 0);
+user_pref("plugins.click_to_play", true);
+user_pref("extensions.update.enabled", true);
+user_pref("extensions.blocklist.enabled", true);
+
+/* firefox features / components */
+
+user_pref("toolkit.telemetry.enabled", false);
+user_pref("privacy.trackingprotection.enabled", true);
+user_pref("browser.polaris.enabled", true);
+user_pref("datareporting.healthreport.uploadEnabled", false);
+user_pref("datareporting.healthreport.service.enabled", false);
+user_pref("browser.newtabpage.enhanced", false);
+user_pref("browser.newtab.preload", false);
+user_pref("browser.newtabpage.directory.ping", "");
+user_pref("browser.selfsupport.url", "");
+user_pref("loop.enabled", false);
+user_pref("browser.safebrowsing.enabled", false);
+user_pref("browser.safebrowsing.downloads.enabled", false);
+user_pref("browser.safebrowsing.malware.enabled", false);
+user_pref("browser.pocket.enabled", false);
+user_pref("media.eme.enabled", false);
+user_pref("media.gmp-eme-adobe.enabled", false);
+user_pref("browser.search.suggest.enabled", false);
+
+/* automatic connections */
+
+user_pref("browser.search.geoip.url", "");
+user_pref("network.predictor.enabled", false);
+user_pref("browser.casting.enabled", false);
+user_pref("media.gmp-gmpopenh264.enabled", false);
+user_pref("media.gmp-manager.url", "");
+user_pref("network.http.speculative-parallel-limit", 0);
+user_pref("browser.aboutHomeSnippets.updateUrl", "");
+user_pref("browser.search.update", false);
+
+/* HTTP */
+
+user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
+//user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
+user_pref("security.csp.experimentalEnabled", true);
+user_pref("security.csp.enable", true);
+user_pref("privacy.donottrackheader.enabled", true);
+user_pref("network.http.sendRefererHeader", 1);
+user_pref("network.http.referer.spoofSource", true);
+user_pref("network.http.sendSecureXSiteReferrer", false);
+user_pref("network.cookie.cookieBehavior", 1);
+
+/* UI related */
+
+user_pref("dom.event.contextmenu.enabled", false);
+user_pref("plugins.update.notifyUser", true);
+user_pref("security.warn_entering_weak", true);
+user_pref("security.ssl.warn_missing_rfc5746", 1);
+user_pref("security.ask_for_password", 0);
+user_pref("browser.xul.error_pages.expert_bad_cert", 2);
+
+/* TLS / HTTPS / OCSP related stuff */
+
+user_pref("network.stricttransportsecurity.preloadlist", true);
+user_pref("network.http.spdy.enabled", true);
+user_pref("network.http.spdy.enabled.v3", true);
+user_pref("network.http.spdy.enabled.v3-1", true);
+user_pref("security.OCSP.enabled", true);
+user_pref("security.ssl.enable_ocsp_stapling", true);
+user_pref("security.OCSP.require", true);
+user_pref("security.enable_tls_session_tickets", false);
+
+user_pref("security.enable_ssl3", false);
+user_pref("security.cert_pinning.enforcement_level", 2);
+user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+user_pref("security.ssl.errorReporting.automatic", false);
+
+/* CIPHERS */
+
+user_pref("security.ssl3.rsa_null_sha", false);
+user_pref("security.ssl3.rsa_null_md5", false);
+user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
+user_pref("security.ssl3.ecdh_rsa_null_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
+
+user_pref("security.ssl3.rsa_seed_sha", false);
+
+// 40 bits
+user_pref("security.ssl3.rsa_rc4_40_md5", false);
+user_pref("security.ssl3.rsa_rc2_40_md5", false);
+
+// 56 bits
+user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
+
+// 128 bits
+user_pref("security.ssl3.rsa_camellia_128_sha", false);
+//user_pref("security.ssl3.rsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
+user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
+user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
+
+// RC4 (CVE-2013-2566)
+user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
+user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
+user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
+user_pref("security.ssl3.rsa_rc4_128_md5", false);
+user_pref("security.ssl3.rsa_rc4_128_sha", false);
+
+/*
+* 3DES -> false because effective key size < 128
+*
+* https://en.wikipedia.org/wiki/3des#Security
+* http://en.citizendium.org/wiki/Meet-in-the-middle_attack
+*
+* see also: http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
+*/
+user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
+user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.rsa_des_ede3_sha", false);
+user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
+
+// ciphers with ECDH (without /e$/)
+user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
+user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
+
+// 256 bits without PFS
+user_pref("security.ssl3.rsa_camellia_256_sha", false);
+user_pref("security.ssl3.rsa_aes_256_sha", false);
+
+// ciphers with ECDHE and > 128bits
+user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
+user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
+
+// GCM... yes please!
+user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
+user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
+
+// susceptible to the logjam attack – https://weakdh.org/
+user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
+user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
+
+// ciphers with DSA (max 1024 bits)
+user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
+user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
+user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
+user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
+user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
+
+// fallbacks
+user_pref("security.ssl3.rsa_aes_256_sha", true);
+user_pref("security.ssl3.rsa_aes_128_sha", true);

install.sh

@@ -20,7 +20,7 @@ cd $(dirname "$0")
 if [ "$1" == "install" ] || [ "$1" == "link" ] || [ "$1" == "links" ]
 then
     REMOVE=1
-    BIN="ln -s"
+    BIN="ln -L -s"
 elif [ "$1" == "update" ] || [ "$1" == "pull" ]
 then
     git stash &&
@@ -34,7 +34,7 @@ then
 elif [ "$1" == "copy" ]
 then
     REMOVE=1
-    BIN="cp -r"
+    BIN="cp -L -r"
 else
     echo -e "\e[32;01mNemunaire's configuration \e[0;33m("`git branch --no-color | grep '*' | cut -d " " -f 2-`")\e[0m"
     echo -e "    \e[01mAuthor:\e[0m\t\t"`git log -1 --format="%aN <%aE>"`
@@ -61,10 +61,49 @@ IGNORE_FILES=".
               install.sh"
 
 TMPERR=`mktemp`
+doins() {
+    echo -ne "Installing ${1##./} ...\t"
+
+    # Alignment
+    [ ${#1} -lt 11 ] && echo -en "\t"; [ ${#1} -lt 19 ] && echo -en "\t"
+
+    if [ -L "$2" ]
+    then
+	echo -e "\e[36mAlready installed\e[0m"
+    elif [ -d "$2" ] && [ -d "$1" ]
+    then
+	echo -e "\e[33mExistant directory\e[0m"
+	DESTDIR="${DESTDIR}/$1" install_dir "$1"
+    elif [ -e "$2" ]
+    then
+	echo -e "\e[35mAlready exists\e[0m"
+    else
+	if $BIN "$(pwd)/$1" "$2" >&2 2> "$TMPERR"
+	then
+	    echo -e "\e[32mdone\e[0m"
+	else
+	    echo -e "\e[31;01mfail\e[0m"
+	fi
+	cat "$TMPERR"
+    fi
+}
+
 install_dir() {
     for f in `ls -a "$1"`
     do
-	if ! in_list "$IGNORE_FILES" "$f"
+	if [ "$1/$f" == "./.mozilla" ]
+	then
+	    if [ -d "${DESTDIR}/.mozilla/firefoxd" ]
+	    then
+		find ${DESTDIR}/.mozilla/firefox -mindepth 1 -maxdepth 1 -type d |
+		while read dest
+		do
+		    mozilla_case "$1/$f" "$dest"
+		done
+	    else
+		echo -e "Installing .mozilla/firefox ...\t\t\e[34mSkipped\e[0m"
+	    fi
+	elif ! in_list "$IGNORE_FILES" "$f"
 	then
             if [ "$REMOVE" -eq 0 ]; then
 		echo -ne "Removing $1/$f ...\t"
@@ -76,33 +115,18 @@ install_dir() {
                     echo -e "Not installed"
 		fi
             else
-		echo -ne "Installing $1/$f ...\t"
-
-		# Alignment
-		[ $((${#f} + ${#1})) -lt 8 ] && echo -en "\t"; [ $((${#f} + ${#1})) -lt 16 ] && echo -en "\t"
-
-		if [ -L "${DESTDIR}/$1/$f" ]
-		then
-	            echo -e "\e[36mAlready installed\e[0m"
-		elif [ -d "${DESTDIR}/$1/$f" ] && [ -d "$1/$f" ]
-		then
-	            echo -e "\e[33mExistant directory\e[0m"
-		    install_dir "$1/$f"
-		elif [ -e "${DESTDIR}/$1/$f" ]
-		then
-	            echo -e "\e[35mAlready exists\e[0m"
-		else
-	            if $BIN "$(pwd)/$1/$f" "${DESTDIR}/$1/$f" >&2 2> "$TMPERR"
-	            then
-			echo -e "\e[32mdone\e[0m"
-		    else
-			echo -e "\e[31;01mfail\e[0m"
-		    fi
-	            cat "$TMPERR"
-		fi
+		doins "$1/$f" "${DESTDIR}/$f"
             fi
 	fi
     done
 }
+
+mozilla_case() {
+    echo -e "Installing .mozilla/firefox/${2##*/} ...\t\e[33mExisting profile\e[0m"
+    DESTDIR="${2}" install_dir .mozilla/firefox
+}
+
+# Common installation
 install_dir .
+
 rm "${TMPERR}"