karrotwaltz | 7 years ago

I've got this list in my favs, I think it was posted on HN a while ago:

https://gist.github.com/0XDE57/fbd302cef7693e62c769

I had some problems with sendRefererHeader, so it can definitely break some websites.

lorenzhs|7 years ago

See, there are some good ideas in that list, but then it gets to disabling Safe Browsing without any explanation. There's a lot of false information around about what Safe Browsing sends to whom, and you should make sure you know what you're doing when disabling it.

Also, the DNS cache size explanation is a bit backwards. "Number of cached DNS entries. Lower number = More requests but less data stored." Where do you think that data is stored? Bigger cache size means fewer requests that inform a third-party (your DNS server) of which sites you're visiting. (Information leaks from the speed of resolving a query might be a concern, but I'm not sure how doable this is from a webpage.)

And then it disables all caches (including in-memory) for... what reason, exactly? You can configure Firefox to clear all your browser data when you close it.

But then they force-enable WebGL, which enables quite a few tracking techniques. This list is weird.

I guess all I want to say is don't blindly apply settings from this list. The author traded a lot of convenience, speed, and security for some perceived privacy.

vonseel|7 years ago

> don't blindly apply settings from this list

I am not a security expert, but I tend to agree with this. I took a look at the script and noticed a few of the things you pointed out, and I have had horrible experiences running random scripts I found on GitHub before from claimed-to-be "experts", so I'll stick with the defaults (and uBlock).

idoubtit|7 years ago

> don't blindly apply settings from this list.

Unfortunately, there is no real documentation of the various about:config parameters. So one has to trust doubtful sources on what settings would be useful, or spend many hours reading the source code of Firefox.

I don't understand why each setting is not documented on the about:config page. It would bind the documentation to the release, providing the info suitable for the FF version. I can't see any drawback, except that developers would have to provide a small description of every setting they introduce, which I hope they already do somewhere.

Here is my own frustrating experience with about:config. I sometimes hit Ctrl-q when I meant Ctrl-w. So instead of closing a tab in FF, I close the application and lose my input on some pages. I tried to restore the (previously default) behavior of asking for confirmation before quitting. I had 2 settings in "about:config" named "browser.warnOnQuit" and "browser.showQuitWarning". Only the former one is documented in the mozillaZine wiki. It seems the latter was the old name of this setting, which FF updates never migrated.

So I changed the config, and nothing happened. After several variations, I headed for the source code of FF, and saw this setting was ignored when "restoring sessions" was active. There is no way to ask for confirmation in modern FF.

kekebo|7 years ago

Cached DNS queries / speed to resolve can indeed be exploited, as shown here: https://www.chaoswebs.net/timebleed/

There are efforts to prevent this in the future but for now disabling or limiting DNS cache seems the only viable option.

Tsubasachan|7 years ago

Safe browsing would not be bad if it were just a warning. Unfortunately the concept of personal responsibility is absent from Firefox. I remember a time when you could click "I know what I am doing take me to the site anyway".

WalterGR|7 years ago

> it can definitely break some websites.

That makes sense. Checking the Referer header is a quick and dirty way to implement cross-site request forgery (CSRF) protection.
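Added example, not part of any comment in this thread or of the linked gist: a sketch of why a Referer-only CSRF check breaks for clients that suppress the header (as with sendRefererHeader), next to a layered check that tolerates a missing header by relying on a per-session token. The site origin, token value, function names and sample requests are all constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

SITE = "https://shop.example"      # constructed site origin
SESSION_TOKEN = "3f9c2a7d5e81"     # constructed per-session CSRF token

def origin_of(url):
    """Return (scheme, host, port) of an absolute http(s) URL, else None."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return (p.scheme, p.hostname, port or (443 if p.scheme == "https" else 80))

def same_origin(url, site=SITE):
    expected = origin_of(site)
    return expected is not None and origin_of(url) == expected

def referer_only_check(headers):
    """Quick check: allow only if Referer is present and same-origin.
    A client that sends no Referer is rejected, so the site breaks for it."""
    ref = headers.get("referer")
    return ref is not None and same_origin(ref)

def layered_check(headers, form_token):
    """Reject a present but foreign Origin/Referer; otherwise require the token.
    A missing header is tolerated because the token carries the decision."""
    source = headers.get("origin") or headers.get("referer")
    if source is not None and not same_origin(source):
        return False
    return hmac.compare_digest((form_token or "").encode(), SESSION_TOKEN.encode())

# Constructed state-changing requests: (label, headers, submitted token)
REQUESTS = [
    ("same-site form", {"referer": "https://shop.example/cart"}, SESSION_TOKEN),
    ("Referer suppressed", {}, SESSION_TOKEN),
    ("cross-site form", {"referer": "https://other.example/page"}, None),
    ("lookalike host", {"referer": "https://shop.example.other.example/"}, None),
]

def evaluate():
    return {label: (referer_only_check(h), layered_check(h, t)) for label, h, t in REQUESTS}

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:20} referer_only={result[0]} layered={result[1]}")
```

Comparing parsed origins rather than matching a substring of the header is what keeps the lookalike host from passing either check.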