aboutsummaryrefslogtreecommitdiff
path: root/profiles
diff options
context:
space:
mode:
Diffstat (limited to 'profiles')
-rw-r--r--profiles/noOCSP.nix5
-rw-r--r--profiles/noSafebrowsing.nix10
-rw-r--r--profiles/ocsp.nix25
-rw-r--r--profiles/safebrowsing.nix32
4 files changed, 57 insertions, 15 deletions
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
- preferences = {
- security.OCSP.enabled = false;
- };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
- preferences = {
- browser.safebrowsing = {
- phishing.enabled = false;
- malware.enabled = false;
- downloads.enabled = false;
- downloads.remote.enabled = false;
- };
- };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+ meta.description = ''
+ Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+ See:
+ - https://wiki.mozilla.org/Security/Safe_Browsing
+ - https://wiki.mozilla.org/Security/Application_Reputation
+ '';
+
+ disableDownloads.preferences = {
+ browser.safebrowsing = {
+ downloads = {
+ # TODO: does this do offline checks?
+ enabled = false;
+ remote = {
+ enabled = false;
+ url = "";
+ };
+ };
+ };
+ };
+
+ disablePhishing.preferences = {
+ browser.safebrowsing.phishing.enabled = false;
+ };
+
+ disableMalware.preferences = {
+ browser.safebrowsing.malware.enabled = false;
+ };
+
+ disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}