From 58a4f76dcad054cac6d5624b6f95e23145c16ae1 Mon Sep 17 00:00:00 2001
From: tilpner
Date: Sun, 5 Apr 2020 20:48:13 +0200
Subject: ocsp, safebrowsing: refactor to finer choices per topic

---
profiles/noOCSP.nix | 5 -----
profiles/noSafebrowsing.nix | 10 ----------
profiles/ocsp.nix | 25 +++++++++++++++++++++++++
profiles/safebrowsing.nix | 32 ++++++++++++++++++++++++++++++++
4 files changed, 57 insertions(+), 15 deletions(-)
delete mode 100644 profiles/noOCSP.nix
delete mode 100644 profiles/noSafebrowsing.nix
create mode 100644 profiles/ocsp.nix
create mode 100644 profiles/safebrowsing.nix
(limited to 'profiles')

diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
- preferences = {
- security.OCSP.enabled = false;
- };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
- preferences = {
- browser.safebrowsing = {
- phishing.enabled = false;
- malware.enabled = false;
- downloads.enabled = false;
- downloads.remote.enabled = false;
- };
- };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+ meta.description = ''
+ Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+ See:
+ - https://wiki.mozilla.org/Security/Safe_Browsing
+ - https://wiki.mozilla.org/Security/Application_Reputation
+ '';
+
+ disableDownloads.preferences = {
+ browser.safebrowsing = {
+ downloads = {
+ # TODO: does this do offline checks?
+ enabled = false;
+ remote = {
+ enabled = false;
+ url = "";
+ };
+ };
+ };
+ };
+
+ disablePhishing.preferences = {
+ browser.safebrowsing.phishing.enabled = false;
+ };
+
+ disableMalware.preferences = {
+ browser.safebrowsing.malware.enabled = false;
+ };
+
+ disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}
--
cgit v1.2.3
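Review bot: `require = true;` in the `enabled` profile of profiles/ocsp.nix turns OCSP into hard-fail, so a TLS handshake to a site whose OCSP responder is unreachable or blocked fails outright, and neither the comment above it nor meta.description mentions this availability trade-off. Replace the comment with `# Hard-fail: the connection is refused whenever no valid OCSP response can be obtained (responder down or blocked), not only when the certificate is revoked` and add a sentence to meta.description saying the enabled profile may break sites whose responder is unavailable. The move from the deleted file's `false` to `0`/`1` is right, since `security.OCSP.enabled` is an integer pref with `2` (EV certificates only) as a further valid value, but a comment such as `# integer pref: 0 = off, 1 = all certificates, 2 = EV certificates only` on the `enabled = 1;` line would keep a later edit from reverting to a boolean. The `disabled` profile only sets `security.OCSP.enabled = 0;` and leaves `security.ssl.enable_ocsp_must_staple` at its default, which is fine, but worth a one-line comment so the asymmetry with `enabled` reads as intended.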
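Review bot: meta.description in profiles/safebrowsing.nix says what safebrowsing protects against but not what each disable* profile gives up, whereas the sibling ocsp.nix description states when disabling is inadvisable; a sentence such as `Disabling it removes the warnings for known phishing and malware sites and the reputation check on downloads; disable it only where that exposure is acceptable` would make the trade-off visible where the profile is chosen. The `# TODO: does this do offline checks?` above `enabled = false;` is committed unresolved; if the answer is not known, the description should at least state that disableDownloads turns off download protection entirely, including the remote lookup whose endpoint is blanked on the `url = "";` line. Whether `ffLib.mergeProfiles` deep-merges the three `preferences` sets or lets a later one shadow an earlier one is not visible here; the three profiles set disjoint keys under `browser.safebrowsing`, so the result is the same either way, but a comment on `disableAll` recording that assumption would protect a reader who later adds an overlapping key.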