
Firefox v46+ Security Hardening - jbaviat
https://github.com/w00w/security/blob/master/firefox.md
======
Karunamon
Some observations:

* Disabling all referers everywhere will cause difficulties accessing sites that use it to prevent hotlinking (usually image/video hosts, many blogs)

* Enabling "Do not track" concedes a lot of trust to the advertisers, and also serves to differentiate you as most people have it turned off.

* Disabling Javascript will break mostly everything, everywhere, and also serves to differentiate you. It's also of questionable use since we're already installing noscript.

* I'm not sure what color profile support has to do with security hardening

* Disabling IPV6? Really?

~~~
nextweek2
> * Disabling IPV6? Really?

From what I have read, the slow roll-out of IPv6 is because network
operators just don't know how people are going to exploit the expanded address
space.

Email spam is a good example. With a server on IPv6 I get a block of addresses,
which means I can email out from any of literally thousands of addresses.
Email servers need to be coded to be able to blacklist that block rather than
a single address.

Wherever blacklists are used they've really got to be adapted for groups of
addresses. The question is, can you be sure Firefox has catered for all
security concerns surrounding a new technology?

If you are producing a security product, you don't use the latest and greatest
technology.
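
As an added illustration of the blacklist point above (example code, not from the thread or the linked guide): a reputation list keyed on exact addresses misses a sender that moves within its IPv6 allocation, while one keyed on the allocation prefix catches it. The /64 allocation size and the documentation-range addresses are assumptions of this example.

```python
import ipaddress

# Constructed sample data (RFC 3849 documentation range, not real hosts):
# one spam source that was reported under a single address, two further
# addresses from the same /64 it could send from next, and an unrelated sender.
SPAM_SOURCE_SEEN = "2001:db8:abcd:1::10"
SPAM_SAME_BLOCK = ["2001:db8:abcd:1::11", "2001:db8:abcd:1:dead:beef:0:42"]
LEGIT_SENDER = "2001:db8:ffff:2::5"


def exact_blocklist(seen):
    """IPv4-era style: one entry per reported address."""
    return {ipaddress.ip_address(a) for a in seen}


def prefix_blocklist(seen, v6_prefix=64, v4_prefix=32):
    """Store the allocation each reported address belongs to.

    Assumes an IPv6 end site is handed a /64 (assumption for this example);
    IPv4 entries stay host-sized, so the same list serves both families.
    """
    nets = set()
    for a in seen:
        addr = ipaddress.ip_address(a)
        plen = v6_prefix if addr.version == 6 else v4_prefix
        nets.add(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets


def is_blocked_exact(blocklist, sender):
    return ipaddress.ip_address(sender) in blocklist


def is_blocked_prefix(blocklist, sender):
    addr = ipaddress.ip_address(sender)
    return any(addr in net for net in blocklist)


def demo():
    """Compare both list styles against the constructed senders."""
    exact = exact_blocklist([SPAM_SOURCE_SEEN])
    prefix = prefix_blocklist([SPAM_SOURCE_SEEN])
    return {
        "exact_catches_hop": all(is_blocked_exact(exact, a) for a in SPAM_SAME_BLOCK),
        "prefix_catches_hop": all(is_blocked_prefix(prefix, a) for a in SPAM_SAME_BLOCK),
        "prefix_spares_legit": not is_blocked_prefix(prefix, LEGIT_SENDER),
    }


if __name__ == "__main__":
    print(demo())
```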

------
nwah1
I don't like all the features you turn off, and most seem to offer no security
benefit.

Turning off pdf.js is arguably a security downgrade, since it is a sandboxed
javascript reader and any other means of reading pdfs will not be sandboxed.

As for additions, CanvasBlocker is important to prevent browser fingerprinting
and doesn't interfere with your browsing experience once you turn off
notifications.

Ideally, Firefox's password management ought to be turned off and you should
instead use KeePass (and the PassIFox Firefox add-on).

I would also recommend turning on e10s since it sandboxes a lot of stuff in
processes, and is fairly stable now.

------
nwah1
Safe Browsing, even with the 2.0 API, might compromise your privacy.

[http://www.sitepronews.com/2014/10/01/googles-safe-browsing-...](http://www.sitepronews.com/2014/10/01/googles-safe-browsing-service-killing-privacy/)

