From 58a4f76dcad054cac6d5624b6f95e23145c16ae1 Mon Sep 17 00:00:00 2001 From: tilpner Date: Sun, 5 Apr 2020 20:48:13 +0200 Subject: ocsp, safebrowsing: refactor to finer choices per topic --- default.nix | 6 ++++-- nix/lib.nix | 6 +++--- profiles/noOCSP.nix | 5 ----- profiles/noSafebrowsing.nix | 10 ---------- profiles/ocsp.nix | 25 +++++++++++++++++++++++++ profiles/safebrowsing.nix | 32 ++++++++++++++++++++++++++++++++ 6 files changed, 64 insertions(+), 20 deletions(-) delete mode 100644 profiles/noOCSP.nix delete mode 100644 profiles/noSafebrowsing.nix create mode 100644 profiles/ocsp.nix create mode 100644 profiles/safebrowsing.nix diff --git a/default.nix b/default.nix index e2b0656..8fdf3e1 100644 --- a/default.nix +++ b/default.nix @@ -27,7 +27,7 @@ in rec { addons.disableExtensionSignatureChecking addons.privacybadger addons.noscript - addons.borderify + # addons.borderify minimalConnections minimalHome @@ -40,10 +40,12 @@ in rec { noPocket noTunnels noLocation - noSafebrowsing + safebrowsing.disableAll restrict # distrustUser + ocsp.disabled + forgetActivity { policies.RequestedLocales = [ "de-DE" "en-US" ]; } diff --git a/nix/lib.nix b/nix/lib.nix index 12940b1..1095ab4 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -19,7 +19,7 @@ rec { else abort "unsupported value type: ${builtins.typeOf v}"; mkPrefs = settings: pkgs.writeText "prefs.js" - ("// dummy line\n" + + ("// dummy line\n" + (lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "pref(\"${k}\", ${mkValueString v}, locked);") (flattenAttrs settings)))); @@ -39,7 +39,7 @@ rec { inherit policies; }); - mergeProfiles = profiles: + mergeProfiles = profiles: let sanitise = args: { policies = args.policies or {}; @@ -55,7 +55,7 @@ rec { policies' = mkPolicies policies; preferences' = mkPrefs preferences; patched = pkgs.runCommand "firefox-bundle" { - nativeBuildInputs = [ pkgs.nix ]; + nativeBuildInputs = [ pkgs.nix ]; disallowedReferences = [ firefox ]; } '' cp -r ${firefox} $out 
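Review bot: The second default.nix hunk composes `ocsp.disabled` together with `safebrowsing.disableAll`, so one bundle now turns off both certificate revocation checking and Safe Browsing, while the ocsp.nix description added in this same patch says OCSP should not be disabled in security-sensitive situations; the choice is plausibly deliberate, but nothing at the use site records it. I would put the rationale next to the line, e.g. `# privacy choice: no OCSP queries to the CA; revocation of end-entity certificates may go unnoticed (see profiles/ocsp.nix)`, so a reader of the bundle does not have to open the profile to learn the trade-off. In the first hunk `addons.borderify` is commented out rather than removed, which leaves dead configuration in the list. The enclosing `rec { ... }` attribute set starts and ends outside both hunks.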
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
- preferences = {
- security.OCSP.enabled = false;
- };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
- preferences = {
- browser.safebrowsing = {
- phishing.enabled = false;
- malware.enabled = false;
- downloads.enabled = false;
- downloads.remote.enabled = false;
- };
- };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
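Review bot: `security.OCSP.require = true` in the `enabled` variant of profiles/ocsp.nix makes OCSP hard-fail: when the CA's responder cannot be reached the TLS handshake is rejected instead of proceeding, which is the availability cost the comment `# OCSP is useless, if the response is not mandatory` alludes to but the `meta.description` never states; I would add a sentence to the description such as "With `require = true`, connections fail when the OCSP responder is unreachable." The change from the old profile's boolean `false` to the integers `1`/`0` matches the pref's integer encoding (`security.OCSP.enabled`: 0 disabled, 1 enabled, 2 EV certificates only), which deserves a comment on the `enabled = 1;` line, e.g. `# 0 = off, 1 = on, 2 = EV certificates only`. That switch also relies on `mkValueString` in nix/lib.nix rendering integers; only its `abort "unsupported value type"` fallback is visible in this patch, so it is worth confirming that an integer case exists before the bundle is built.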
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+ meta.description = ''
+ Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+ See:
+ - https://wiki.mozilla.org/Security/Safe_Browsing
+ - https://wiki.mozilla.org/Security/Application_Reputation
+ '';
+
+ disableDownloads.preferences = {
+ browser.safebrowsing = {
+ downloads = {
+ # TODO: does this do offline checks?
+ enabled = false;
+ remote = {
+ enabled = false;
+ url = "";
+ };
+ };
+ };
+ };
+
+ disablePhishing.preferences = {
+ browser.safebrowsing.phishing.enabled = false;
+ };
+
+ disableMalware.preferences = {
+ browser.safebrowsing.malware.enabled = false;
+ };
+
+ disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}
-- cgit v1.2.3
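Review bot: The `# TODO: does this do offline checks?` in `disableDownloads` commits an open question about what the two prefs cover; as far as I know `browser.safebrowsing.downloads.enabled` is the switch for download protection as a whole, including the local blocklist match, while `downloads.remote.enabled` only governs the remote application-reputation lookup, so setting both to `false` removes the local check as well — worth confirming against the Application Reputation wiki page the description already links and then replacing the TODO with a statement of scope, e.g. `# downloads.enabled: all download protection; remote.enabled: only the remote reputation lookup`. The `meta.description` says what Safe Browsing is for but not what each `disable*` choice gives up (blocklist-based blocking of known phishing sites, of known malware sites, and of flagged downloads), which is the information a reader picking one of the finer choices needs. `disableAll` depends on `ffLib.mergeProfiles` preserving the `preferences` attribute of each merged profile; only part of `mergeProfiles` is visible in this patch.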