From 58a4f76dcad054cac6d5624b6f95e23145c16ae1 Mon Sep 17 00:00:00 2001
From: tilpner
Date: Sun, 5 Apr 2020 20:48:13 +0200
Subject: ocsp, safebrowsing: refactor to finer choices per topic

---
 default.nix                 |  6 ++++--
 nix/lib.nix                 |  6 +++---
 profiles/noOCSP.nix         |  5 -----
 profiles/noSafebrowsing.nix | 10 ----------
 profiles/ocsp.nix           | 25 +++++++++++++++++++++++++
 profiles/safebrowsing.nix   | 32 ++++++++++++++++++++++++++++++++
 6 files changed, 64 insertions(+), 20 deletions(-)
 delete mode 100644 profiles/noOCSP.nix
 delete mode 100644 profiles/noSafebrowsing.nix
 create mode 100644 profiles/ocsp.nix
 create mode 100644 profiles/safebrowsing.nix

diff --git a/default.nix b/default.nix
index e2b0656..8fdf3e1 100644
--- a/default.nix
+++ b/default.nix
@@ -27,7 +27,7 @@ in rec {
 
     addons.disableExtensionSignatureChecking
     addons.privacybadger addons.noscript
-    addons.borderify
+    # addons.borderify
 
     minimalConnections
     minimalHome
@@ -40,10 +40,12 @@ in rec {
     noPocket
     noTunnels
     noLocation
-    noSafebrowsing
+    safebrowsing.disableAll
     restrict
     # distrustUser
 
+    ocsp.disabled
+
     forgetActivity
 
     { policies.RequestedLocales = [ "de-DE" "en-US" ]; }
diff --git a/nix/lib.nix b/nix/lib.nix
index 12940b1..1095ab4 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -19,7 +19,7 @@ rec {
     else abort "unsupported value type: ${builtins.typeOf v}";
 
   mkPrefs = settings: pkgs.writeText "prefs.js"
-    ("// dummy line\n" + 
+    ("// dummy line\n" +
     (lib.concatStringsSep "\n"
       (lib.mapAttrsToList (k: v: "pref(\"${k}\", ${mkValueString v}, locked);")
         (flattenAttrs settings))));
@@ -39,7 +39,7 @@ rec {
     inherit policies;
   });
 
-  mergeProfiles = profiles:                                         
+  mergeProfiles = profiles:
     let
       sanitise = args: {
         policies = args.policies or {};
@@ -55,7 +55,7 @@ rec {
       policies' = mkPolicies policies;
       preferences' = mkPrefs preferences;
       patched = pkgs.runCommand "firefox-bundle" {
-          nativeBuildInputs = [ pkgs.nix ]; 
+          nativeBuildInputs = [ pkgs.nix ];
           disallowedReferences = [ firefox ];
         } ''
         cp -r ${firefox} $out
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
-  preferences = {
-    security.OCSP.enabled = false;
-  };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
-  preferences = {
-    browser.safebrowsing = {
-      phishing.enabled = false;
-      malware.enabled = false;
-      downloads.enabled = false;
-      downloads.remote.enabled = false;
-    };
-  };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+  meta.description = ''
+    The Online Certificate Status Protocol is used to distrust revoked certificates.
+    When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+    responsible certificate authority whether the received certificate is still valid.
+    It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+  '';
+
+  enabled.preferences = {
+    security.OCSP = {
+      enabled = 1;
+      # OCSP is useless, if the response is not mandatory
+      require = true;
+    };
+
+    security.ssl = {
+      enable_ocsp_stapling = true;
+      enable_ocsp_must_staple = true;
+    };
+  };
+
+  disabled.preferences = {
+    security.OCSP.enabled = 0;
+  };
+}
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+  meta.description = ''
+    Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+    See:
+      - https://wiki.mozilla.org/Security/Safe_Browsing
+      - https://wiki.mozilla.org/Security/Application_Reputation
+  '';
+
+  disableDownloads.preferences = {
+    browser.safebrowsing = {
+      downloads = {
+        # TODO: does this do offline checks?
+        enabled = false;
+        remote = {
+          enabled = false;
+          url = "";
+        };
+      };
+    };
+  };
+
+  disablePhishing.preferences = {
+    browser.safebrowsing.phishing.enabled = false;
+  };
+
+  disableMalware.preferences = {
+    browser.safebrowsing.malware.enabled = false;
+  };
+
+  disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}
-- 
cgit v1.2.3