K-Meleon on Goanna : K-Meleon Forum
Building K-Meleon on top of the Goanna engine
Re: Better Privacy & Security settings for K-Meleon
Posted by: Yogi
Date: January 08, 2018 12:11PM

@J.G.

Your prefs at first glance (I didn't go through all of them)

user_pref("fehlt security.ssl3.dhe_dss_aes_128_sha", false);
There is no "fehlt" in about:config. All your prefs containing that word are useless.
---------------------------------------------------------------------------------
Before adding a pref check the default one. Example:
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
is already set to false in default configuration.
It makes no sense to fill up your user.js with default prefs.
---------------------------------------------------------------------------------
user_pref("dom.storage.enabled", false);
In such cases you should warn the clueless user that it will break some sites:
user_pref("dom.storage.enabled", false); // will break some sites
Besides, if the above pref is set to false the following one in your file
user_pref("dom.storage.default_quota", 0);
is redundant. You have more than one such redundant pref in your file. They don't do any harm; they only needlessly make the user.js file bigger.

Last but not least :)
You should add only items to your user.js which apply to your configuration. (E.g. a pref for a proxy if you are using one and the mod pref makes sense.)

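
A quick lint of a user.js along the lines Yogi describes above (an added example, not code from the thread): it flags pref names containing blanks, prefs that merely repeat a default, site-breaking prefs without a warning comment, and prefs made redundant by another one. The default table, dependency table and sample file are constructed from the prefs discussed in this post, not a full K-Meleon default dump.

```python
import re

# Constructed sample user.js reproducing the defects discussed above
SAMPLE_USER_JS = """\
user_pref("fehlt security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("dom.storage.enabled", false);
user_pref("dom.storage.default_quota", 0);
user_pref("network.proxy.type", 1); // only needed because I use a proxy
"""

# Assumed default table: only the value the post states, not a full default dump
KM_DEFAULTS = {"security.ssl3.dhe_rsa_aes_256_sha": False}
# (pref, value) pairs that make the listed prefs irrelevant
DEPENDENCIES = {("dom.storage.enabled", False): ["dom.storage.default_quota"]}
# Prefs known to break sites and therefore needing an inline warning comment
BREAKS_SITES = {"dom.storage.enabled"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]*)",\s*(.+?)\);\s*(//.*)?$')

def parse_value(text):
    """Turn the textual pref value into bool, str or int."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    if text.startswith('"'):
        return text.strip('"')
    return int(text)

def lint_user_js(text):
    """Return (line number, message) findings for a user.js file."""
    prefs, where, findings = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable line"))
            continue
        name, value, comment = m.group(1), parse_value(m.group(2)), m.group(3)
        if " " in name:  # pref names never contain blanks ("fehlt ..." lines)
            findings.append((lineno, f"invalid pref name {name!r}"))
            continue
        if name in KM_DEFAULTS and KM_DEFAULTS[name] == value:
            findings.append((lineno, f"{name} already has default value {value!r}"))
        if name in BREAKS_SITES and not comment:
            findings.append((lineno, f"{name} breaks some sites; add a warning comment"))
        prefs[name], where[name] = value, lineno
    for (name, value), dependents in DEPENDENCIES.items():
        for dep in dependents:
            if prefs.get(name) == value and dep in prefs:
                findings.append((where[dep], f"{dep} is redundant while {name} = {value!r}"))
    return findings
```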
Re: Better Privacy & Security settings for K-Meleon
Posted by: J.G.
Date: January 08, 2018 12:56PM

@Yogi
These settings are not mine; I found them on the PaleMoon forum in a thread about how to increase security and privacy, so probably some have been included and others were dismissed. Some values set by default by K-Meleon are included to be sure they stay disabled in future releases. At KM76RC2 they are not included due to the absence of future releases. Still no problem found while browsing. :)

- Thanks for your feedback.

Sources of the tweaks:
https://forum.palemoon.org/viewtopic.php?t=13486
https://www.heise.de/forum/heise-online/News-Kommentare/Frankreich-laesst-Google-buessen/Google-Co-im-Firefox-loeschen/thread-1264641/#posting_7080470
Main post: http://kmeleonbrowser.org/forum/read.php?19,144468,144512#msg-144512

Edited 1 time. Last edit at 01/08/2018 12:57PM by J.G.

Re: Better Privacy & Security settings for K-Meleon
Posted by: siria
Date: January 08, 2018 01:43PM

Quote
Yogi
user_pref("fehlt security.ssl3.dhe_dss_aes_128_sha", false);
There is no "fehlt" in about:config. All your prefs containing that word are useless.

Oops... shame on me, I completely overlooked those!
Thank you for pointing them out, Yogi :)
@J.G. you mentioned those prefs were recommended by a German user, and "fehlt" is simply the German word for "missing"! And I am rather sure there are no prefs possible which contain any blank spaces in their name, so this alone would have been suspicious already.

Quote
Yogi
In such cases you should warn the clueless user that it will break some sites:
user_pref("dom.storage.enabled", false); // will break some sites

Yep, that's also very important to be aware of.
That's just why I think it's important to add comments in the file, and that's also one advantage of having them in a separate file instead of only in about:config, where no comments are possible.

Otherwise, if a pref is redundant or already KM-default, that's a matter of opinion, in my opinion, as long as there's no harm :)

Re: Better Privacy & Security settings for K-Meleon
Posted by: J.G.
Date: January 08, 2018 02:40PM

@Siria and @Yogi, thank you for all the help, fixed all suggestions. :)

Re: Better Privacy & Security settings for K-Meleon
Posted by: Yogi
Date: January 08, 2018 02:46PM

Quote
J.G.

Some values set by default by KMeleon are included to be sure they are disabled for future releases.

Sorry, this is above my head.
Could you please give a specific example from your above posted prefs?

Quote
J.G.
At KM76RC2 they are not included due the absence of future releases.

Could you please give a specific example from your above posted prefs?

- My point was and still is -

Better privacy and security sounds fantastic!
Only problem is that all int. default prefs are set for a configuration that works best for most people.
Therefore only people who know exactly what they are doing should touch those prefs.
It's up to everybody to take the necessary time for reading and understanding what each pref stands for.
It's all out there except maybe for some hidden prefs.
Just copying prefs blindly from different sources can cause more trouble than benefit!
Those intern prefs can be tweaked once you know what you're doing but only according to personal needs and priorities.
Such priorities are e.g. convenience, security or privacy. Most of the time, one tweak at the expense of something else.
There is no golden bullet that can fit everybody. The default int. prefs are closest to such a golden bullet. :)

Re: Better Privacy & Security settings for K-Meleon
Posted by: siria
Date: January 08, 2018 03:08PM

Quote
siria
That's just why I think it's important to add comments in the file, and that's also one advantage of having them in a separate file instead of only in about:config, where no comments are possible.

Sorry for quoting myself, but since I've been doing much the same as J.G. for years 8) (just not in such masses, rather one by one), here's another important advantage of keeping your own "improvements" in a separate file in the defaults folder:
If some day the browser behaves strangely and I have no clue what the exact reason could be, I can simply remove that file for a quick test. That restores all settings to true KM-default in seconds, the whole bunch at once 8)

Re: Better Privacy & Security settings for K-Meleon
Posted by: J.G.
Date: January 08, 2018 03:20PM

Quote
Yogi
Quote
J.G.
Some values set by default by KMeleon are included to be sure they are disabled for future releases.
Sorry, this is above my head.
Could you please give a specific example from your above posted prefs?

I just added all the proposed tweaks to my about:config, including the default ones by K-Meleon, because I don't know if they will change or not in a future testing release. Furthermore there is no development roadmap for K-Meleon Goanna, no official release date for release candidates and there is no list of proposed changes or improvements. At least I have not found it yet. Again, these are not my tweaks; I found them and I only proposed them to be evaluated by people more skilled than me in this technical business. :?

Quote
Yogi
Quote
J.G.
At KM76RC2 they are not included due the absence of future releases.

Could you please give a specific example from your above posted prefs?

Same answer as above. This is not a question of specific examples.

Quote
Yogi

- My point was and still is -

Better privacy and security sounds fantastic!
Only problem is that all int. default prefs are set for a configuration that works best for most people.
Therefore only people who know exactly what they are doing should touch those prefs.
It's up to everybody to take the necessary time for reading and understanding what each pref stands for.
It's all out there except maybe for some hidden prefs.
Just copying prefs blindly from different sources can cause more trouble than benefit!
Those intern prefs can be tweaked once you know what you're doing but only according to personal needs and priorities.
Such priorities are e.g. convenience, security or privacy. Most of the time, one tweak at the expense of something else.
There is no golden bullet that can fit everybody. The default int. prefs are closest to such a golden bullet. :)

When I arrived here, there was no development effort at all. Almost everything was stopped. However, security and privacy could have been discussed a lot, just to improve or whatever else. Or to build a macro for private browsing or any kind of idea to improve something. Again, these are not my tweaks; I just added them to my about:config and I am happy with them. I recommended testing them in a cloned portable folder, just for testing purposes. However, to be sure that everybody understands this, I will add the word "Testing" to the topic. >:(

Edited 1 time. Last edit at 01/08/2018 03:38PM by J.G.

Re: Better Privacy & Security settings for K-Meleon
Posted by: J.G.
Date: January 08, 2018 03:23PM

Quote
siria
Quote
siria
That's just why I think it's important to add comments in the file, and that's also one advantage of having them in a separate file instead of only in about:config, where no comments are possible.

Sorry for quoting myself, but since I've been doing much the same as J.G. for years 8) (just not in such masses, rather one by one), here's another important advantage of keeping your own "improvements" in a separate file in the defaults folder:
If some day the browser behaves strangely and I have no clue what the exact reason could be, I can simply remove that file for a quick test. That restores all settings to true KM-default in seconds, the whole bunch at once 8)

A very good idea indeed, I will try to follow all your suggestions. :)

Re: Better Privacy Security settings?
Posted by: callahan
Date: February 03, 2018 02:17PM

J.G. ... thanks for your hard work putting this list together and also to siria for the 'education' of adding everything quicker.

I think I did everything correctly ... when I go to the SSL Test page:

https://www.ssllabs.com/ssltest/viewMyClient.html#1517666680207&frame_loaded

I get these last six entries in 'red' ... and they are all listed as 'WEAK'.

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256

Using the latest KM-Goanna (01-28) ... not sure what these entries are or why they are there. Anyone else have these showing up?

Added: In reading the thread again, I missed, or it didn't completely sink in, the post by hermes on 31 Dec 2017:

"About two years ago, I was engaged with a similar question. As a result, I made a configuration file for KM. Much had to be brought in, as part of the settings causes failure for many sites. Most of all it is necessary to be careful in blocking so-called weak encryption (128 bits). A setup for advanced default protection is not universal, and every single case is impossible to foresee. For myself, I have set it up, but this required multiple experiments of trial and error."

.... so I may be thinking to just let these 'WEAK' items alone.

callahan

Edited 1 time. Last edit at 02/05/2018 10:34AM by callahan.

Re: Better Privacy Security settings?
Posted by: J.G.
Date: February 05, 2018 04:06PM

Hello @callahan, thanks!

With all the tweaks added, KMG 20180203 only informs about:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256

By the way, 'Weak' ciphers also appear for Chrome/Firefox:

For latest Chrome 64.x:
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

For latest Firefox 58.x:
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

:?

Edited: after @callahan's advice, I have added these next tweaks:
user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);
user_pref("security.ssl3.rsa_aes_256_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha256", false);
user_pref("security.ssl3.rsa_camellia_256_sha", false);


Tested fine, no more 'weak' ciphers are shown at site:
https://www.ssllabs.com/ssltest/viewMyClient.html
Please see main post at:
http://kmeleonbrowser.org/forum/read.php?19,144468,144512#msg-144512

Edited 13 times. Last edit at 02/05/2018 08:25PM by J.G.

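
The four prefs J.G. derived from the SSL Labs 'WEAK' lines all follow one naming pattern (drop `TLS_`, `_WITH_` and `_CBC_`, lowercase, prefix `security.ssl3.`), which also matches the `dhe_rsa_aes_256_sha` and `dhe_dss_aes_128_sha` prefs earlier in the thread. The script below, an added example and not code from the thread, applies that pattern to a pasted SSL Labs client report; the 3DES suite is a known exception that Gecko names `security.ssl3.rsa_des_ede3_sha`, and the ECDHE sample line is constructed to show that non-WEAK suites are left alone.

```python
import re

# Constructed sample: the WEAK lines quoted in this thread plus one non-weak suite
SSLLABS_OUTPUT = """\
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) - 128
"""

# Suites whose pref name does not follow the regular pattern
# (known exception: Gecko names the 3DES suite security.ssl3.rsa_des_ede3_sha)
IRREGULAR = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": "security.ssl3.rsa_des_ede3_sha"}

# suite name, hex id, status column (WEAK or "-"), key bits
LINE_RE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)\s+(\S+)\s+(\d+)$")

def suite_to_pref(suite):
    """Derive the security.ssl3.* pref that disables an IANA-named suite."""
    if suite in IRREGULAR:
        return IRREGULAR[suite]
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA suite name: {suite}")
    body = suite[len("TLS_"):].replace("_WITH_", "_").replace("_CBC_", "_")
    return "security.ssl3." + body.lower()

def weak_suites_to_user_js(report):
    """Return user_pref lines disabling every suite the report marked WEAK."""
    lines = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(3) == "WEAK":
            suite = m.group(1)
            lines.append(f'user_pref("{suite_to_pref(suite)}", false); // {suite}')
    return lines
```

As hermes and callahan note above, a server that offers nothing but these RSA key-exchange suites will stop working once they are disabled, so test each generated line in a cloned profile before keeping it.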


K-Meleon forum is powered by Phorum.