Diffstat (limited to 'profiles')
-rw-r--r-- | profiles/noOCSP.nix | 5 | ||||
-rw-r--r-- | profiles/noSafebrowsing.nix | 10 | ||||
-rw-r--r-- | profiles/ocsp.nix | 25 | ||||
-rw-r--r-- | profiles/safebrowsing.nix | 32 |
4 files changed, 57 insertions, 15 deletions
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
- preferences = {
- security.OCSP.enabled = false;
- };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
- preferences = {
- browser.safebrowsing = {
- phishing.enabled = false;
- malware.enabled = false;
- downloads.enabled = false;
- downloads.remote.enabled = false;
- };
- };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
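Review bot: In `enabled.preferences` of profiles/ocsp.nix, `require = true` makes the OCSP check hard-fail, and `meta.description` never says so: with this profile a connection is refused whenever no valid response can be obtained (captive portal, responder outage), not only when the certificate is revoked. I would add a sentence to the description such as `With require = true, a connection fails when no valid OCSP response can be obtained.` and reword the inline comment to `# hard-fail: a soft-fail check is bypassed by anyone who can block the OCSP request`. The `disabled` profile only sets `security.OCSP.enabled = 0` and leaves the stapling preferences untouched; that looks intentional, since a stapled response does not involve contacting the CA, but a one-line comment saying so would spare the next reader the question. The description could also name the privacy cost it alludes to, namely that a live OCSP query tells the CA which certificate the browser is about to use.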
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+ meta.description = ''
+ Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+ See:
+ - https://wiki.mozilla.org/Security/Safe_Browsing
+ - https://wiki.mozilla.org/Security/Application_Reputation
+ '';
+
+ disableDownloads.preferences = {
+ browser.safebrowsing = {
+ downloads = {
+ # TODO: does this do offline checks?
+ enabled = false;
+ remote = {
+ enabled = false;
+ url = "";
+ };
+ };
+ };
+ };
+
+ disablePhishing.preferences = {
+ browser.safebrowsing.phishing.enabled = false;
+ };
+
+ disableMalware.preferences = {
+ browser.safebrowsing.malware.enabled = false;
+ };
+
+ disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}
|
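Review bot: The `# TODO: does this do offline checks?` in `disableDownloads` is left open while the profile turns off `downloads.enabled` together with `downloads.remote.enabled`, so a user who only wants to stop the remote lookup also loses whatever local download checking `downloads.enabled` governs. As far as I can tell from the Application_Reputation page linked in `meta.description`, `downloads.enabled` covers the whole check and `remote.enabled` only the query sent to the remote service; please confirm and replace the TODO with a comment stating which is which. A narrower profile next to `disableDownloads` would give a privacy-only option without dropping the local protection, and `disableAll` can stay as it is. `meta.description` should also say plainly that `disableAll` removes phishing, malware and download protection at once.

```nix
# … unchanged: meta.description, disableDownloads …

  # Stops only the remote application-reputation lookup; the local
  # download check controlled by downloads.enabled stays active.
  disableRemoteDownloads.preferences = {
    browser.safebrowsing.downloads.remote = {
      enabled = false;
      url = "";
    };
  };

# … unchanged: disablePhishing, disableMalware, disableAll …
```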