authortilpner2020-04-05 20:48:13 +0200
committertilpner2020-04-05 20:51:20 +0200
commit58a4f76dcad054cac6d5624b6f95e23145c16ae1 (patch)
treec8411c894bb93e58674cf344385e4c383adf6318 /profiles
parent5014c0ed2160393fb787b585127bce8f27fda722 (diff)
ocsp, safebrowsing: refactor to finer choices per topic
Diffstat (limited to 'profiles')
-rw-r--r--profiles/noOCSP.nix5
-rw-r--r--profiles/noSafebrowsing.nix10
-rw-r--r--profiles/ocsp.nix25
-rw-r--r--profiles/safebrowsing.nix32
4 files changed, 57 insertions, 15 deletions
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
- preferences = {
- security.OCSP.enabled = false;
- };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
- preferences = {
- browser.safebrowsing = {
- phishing.enabled = false;
- malware.enabled = false;
- downloads.enabled = false;
- downloads.remote.enabled = false;
- };
- };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
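Review bot: `security.OCSP.enabled` is set to bare integers (`enabled = 1;` under `enabled.preferences`, `0` under `disabled.preferences`) with nothing saying what the values select. A comment above `enabled = 1;` such as `# 0 = never query, 1 = query for all certificates, 2 = query for EV certificates only` would make the choice reviewable. `meta.description` should also say that `require = true` is hard-fail: when the responder cannot be reached the connection is refused, which is the intended security property but shows up as breakage behind captive portals or filtered networks. `disabled.preferences` leaves the two stapling preferences untouched; if that is deliberate because a stapled response triggers no request to the CA, a one-line comment saying so would help the next reader.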
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+ meta.description = ''
+ Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+ See:
+ - https://wiki.mozilla.org/Security/Safe_Browsing
+ - https://wiki.mozilla.org/Security/Application_Reputation
+ '';
+
+ disableDownloads.preferences = {
+ browser.safebrowsing = {
+ downloads = {
+ # TODO: does this do offline checks?
+ enabled = false;
+ remote = {
+ enabled = false;
+ url = "";
+ };
+ };
+ };
+ };
+
+ disablePhishing.preferences = {
+ browser.safebrowsing.phishing.enabled = false;
+ };
+
+ disableMalware.preferences = {
+ browser.safebrowsing.malware.enabled = false;
+ };
+
+ disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}
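Review bot: The `# TODO: does this do offline checks?` on `downloads.enabled` leaves open what `disableDownloads` actually switches off, and that decides whether the set is a privacy setting or a removal of download protection. As far as I know `downloads.enabled` gates the whole application-reputation check, local lists included, while `downloads.remote.enabled` gates only the lookup sent to the provider, so this set turns off both. That should be confirmed against the linked Application_Reputation page and the TODO replaced with something like `# gates local and remote download checks; remote.* only the server lookup`. `meta.description` also lacks the trade-off that ocsp.nix states for its own feature: with `disableAll` the user gets no phishing, malware or download warnings, so it should be described as a deliberate privacy choice.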