@J.G.

Your prefs at first glance (I didn't go through all of them)

user_pref("fehlt security.ssl3.dhe_dss_aes_128_sha", false);

There is no "fehlt" in about:config. All your prefs containing that word are useless.
---------------------------------------------------------------------------------
Before adding a pref check the default one. Example:

user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);

is already set to false in default configuration.
It makes no sense to fill up your user.js with default prefs.
---------------------------------------------------------------------------------

user_pref("dom.storage.enabled", false);

In such cases you should warn the clueless user that it will break some sites:

user_pref("dom.storage.enabled", false); // will break some sites

Besides, if the above pref is set to false the following one in your file

user_pref("dom.storage.default_quota", 0);

is redundant. You have more than one such redundant prefs in your file. They don't do any harm, only make needlessly the user.js file bigger.

Last but not least
You should add only items to your user.js which apply to your configuration. (E.g. pref for proxy if you are using one and the mod pref makes sense)

@Yogi
these settings are not mine, I have found them at PaleMoon forum about how to increase security and privacy, so probably some have been included and others were dismissed. Some values set by default by KMeleon are included to be sure they are disabled for future releases. At KM76RC2 they are not included due the absence of future releases. Still no problem found while browsing.

- Thanks for your feedback.

Sources of the tweaks:
https://forum.palemoon.org/viewtopic.php?t=13486
https://www.heise.de/forum/heise-online/News-Kommentare/Frankreich-laesst-Google-buessen/Google-Co-im-Firefox-loeschen/thread-1264641/#posting_7080470
Main post: http://kmeleonbrowser.org/forum/read.php?19,144468,144512#msg-144512



Edited 1 time(s). Last edit at 01/08/2018 12:57PM by J.G..

Quote
Yogi

user_pref("fehlt security.ssl3.dhe_dss_aes_128_sha", false);

There is no "fehlt" in about:config. All your prefs containing that word are useless.

Oops... shame on me, completely overlooked those!
Thank you for pointing them out Yogi
@J.G. you mentioned those prefs were recommended by a german user, and "fehlt" is simply the german word for "missing"! And am rather sure there are no prefs possible which contain any blank spaces in their name, so this alone would have been been suspicious already.

Quote
Yogi
In such cases you should warn the clueless user that it will break some sites:

user_pref("dom.storage.enabled", false); // will break some sites

Yep, that's also very important to be aware of.
Just why I think it's important to add comments in the file, and that's also one advantage of having them in a separate file instead of only in about:config, where no comments are possible.

Otherwise, if a pref is redundant or already KM-default, that's matter of opinion in my opinion, as long as there's no harm

@Siria and @Yogi, thank you for all the help, fixed all suggestions.

Quote
J.G.

Some values set by default by KMeleon are included to be sure they are disabled for future releases.

Sorry, this is above my head.
Could you please give a specific example from your above posted prefs?

Quote
J.G.
At KM76RC2 they are not included due the absence of future releases.

Could you please give a specific example from your above posted prefs?

- My point was and still is -

Better privacy and security sounds fantastic!
Only problem is that all int. default prefs are set for a configuration that works best for most people.
Therefore only people who know exactly what they are doing should touch those prefs.
It's up to everybody to take the necessary time for reading and understanding what each pref stands for.
It's all out there except maybe for some hidden prefs.
Just copying prefs blindly from different sources can cause more trouble than benefit!
Those intern prefs can be tweaked once you know what you're doing but only according to personal needs and priorities.
Such priorities are e.g. convenience, security or privacy. Most of the time, one tweak at the expense of something else.
There is no golden bullet that can fit everybody. The default int. prefs are closest to such a golden bullet.

Quote
siria
Just why I think it's important to add comments in the file, and that's also one advantage of having them in a separate file instead of only in about:config, where no comments are possible.

Sorry for quoting myself, but since I'm doing since years much the same as J.G. :cool: (just not in such masses, rather one by one), here's another important advantage of keeping own "improvements" in a separate file in defaults folder:
If some day the browser behaves strangely and no clue what could be the exact reason, I can simply remove that file for a quick test. That restores all settings to true KM-default in seconds, the whole bunch at once :cool:

Quote
Yogi

Quote
J.G.
Some values set by default by KMeleon are included to be sure they are disabled for future releases.

Sorry, this is above my head.
Could you please give a specific example from your above posted prefs?

I just added all the proposed tweaks to my about.config, including the default ones by KMeleon, because I don't know if they will change or not in a future testing release. Furthermore there is no development route for Kmeleon Goanna, no official release date for release candidates and there is no list of proposed changes or improvements. At least I have not found it yet. Again, these are not my tweaks, I found them and I only proposed them to be valuated by people more skilled than me in these technical business. :s

Quote
Yogi

Quote
J.G.
At KM76RC2 they are not included due the absence of future releases.

Could you please give a specific example from your above posted prefs?

Same answer as above. This is not a question of specific examples.

Quote
Yogi

- My point was and still is -

Better privacy and security sounds fantastic!
Only problem is that all int. default prefs are set for a configuration that works best for most people.
Therefore only people who know exactly what they are doing should touch those prefs.
It's up to everybody to take the necessary time for reading and understanding what each pref stands for.
It's all out there except maybe for some hidden prefs.
Just copying prefs blindly from different sources can cause more trouble than benefit!
Those intern prefs can be tweaked once you know what you're doing but only according to personal needs and priorities.
Such priorities are e.g. convenience, security or privacy. Most of the time, one tweak at the expense of something else.
There is no golden bullet that can fit everybody. The default int. prefs are closest to such a golden bullet.

When I arrived here, there was no development effort at all. Mostly all was stopped. However, security and privacy could have been discussed a lot, just to improve or whatever else. Or to build a macro for private browsing or any kind of idea to improve something. Again, these are not my tweaks, I just added to my about.config and I am happy with them. I recommended to test them in a cloned portable folder, just for testing purposes. However, to be sure that everybody understand this, I will add to the topic the word "Testing". :mad:



Edited 1 time(s). Last edit at 01/08/2018 03:38PM by J.G..

Quote
siria

Quote
siria
Just why I think it's important to add comments in the file, and that's also one advantage of having them in a separate file instead of only in about:config, where no comments are possible.

Sorry for quoting myself, but since I'm doing since years much the same as J.G. :cool: (just not in such masses, rather one by one), here's another important advantage of keeping own "improvements" in a separate file in defaults folder:
If some day the browser behaves strangely and no clue what could be the exact reason, I can simply remove that file for a quick test. That restores all settings to true KM-default in seconds, the whole bunch at once :cool:

A very good idea indeed, I will try to follow all your suggestions.

J.G. ... thanks for your hard work putting this list together and also to siria for the 'education' of adding everything quicker.

I think I did everything correctly ... when I go to the SSL Test page:

https://www.ssllabs.com/ssltest/viewMyClient.html#1517666680207&frame_loaded

I get these last six entries in 'red' ... and they are all listed as 'WEAK'.

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256

Using the latest KM-Gonna (01-28) ... not sure what or why these entries are there. Anyone else have these showing up?

Add: In reading the thread again I missed or it didn't completely sink in the post by hermes on 31 Dec 2017.

"About two years ago, I was engaged a similar question. As a result, made a configuration file for KM. Much had to bring, as part of settings causes failure for many sites. More of all it is necessary to be careful in blocking so-called weak encryption (128 bits). Setup for advanced default protection is not universal. And every single case it is impossible to foresee. For myself, I have set up, but this required multiple experiments of trial and error."

.... so I may be thinking to just let these 'WEAK' items alone.

callahan



Edited 1 time(s). Last edit at 02/05/2018 10:34AM by callahan.

Hello @callahan, thanks!

With all the tweaks added, KMG 20180203 only informs about:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256

By the way, 'Weak' cyphers also appears for Chrome/Firefox:

For latest Chrome 64.x:
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

For latest Firefox 58.x:
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112

:s

Edited: after @callahan advice, I have added these next tweaks:
user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false);
user_pref("security.ssl3.rsa_aes_256_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha256", false);
user_pref("security.ssl3.rsa_camellia_256_sha", false);

Tested fine, no more 'weak' ciphers are shown at site:
https://www.ssllabs.com/ssltest/viewMyClient.html
Please see main post at:
http://kmeleonbrowser.org/forum/read.php?19,144468,144512#msg-144512



Edited 13 time(s). Last edit at 02/05/2018 08:25PM by J.G..

Quote
hermes
(..)

Do note, when you request something look in about:networking (very useful). Sometimes even query search engines require so many third-party servers... immediately obvious why need filters for URL.

Anyone try about:about ?

"This is a list of “about” pages for your convenience.
Some of them might be confusing. Some are for diagnostic purposes only.
And some are omitted because they require query strings."

Quote
J.G.
------------------------------------
Final Tweaks tested
- Updated 20180416
Advice: if not sure, test them with one 'cloned' KMeleon folder.
------------------------------------

Recommended elevated privacy and security for travelling USB devices.
All tweaks are reversible. Any issue found will be informed in this post.

Following @siria recommendations, all these settings can be added all together to prefs.js file located at profile folder of any KMeleon and KMeleon Goanna too, just copy and paste the next useful lines:

(...)

Thanks for tweaks. You can also check this (for older versions):
https://b.agilob.net/better-security-privacy-and-anonymity-in-firefox

__________________________________________
How to install Firefox addons in KM 76 RC:
http://kmeleonbrowser.org/forum/read.php?9,141979
Icons for Goanna KM/SM:
http://kmeleonbrowser.org/forum/read.php?10,150634
K-Meleon Quick Reference:
http://kmeleonbrowser.org/docs.php
Basilisk/KM/SM xpi converter:
https://www.addonconverter.fotokraina.com/
Best regards.



Edited 1 time(s). Last edit at 08/12/2018 03:12PM by luk3Z.

Anyway some tweaks are still useful in Goanna:

https://b.agilob.net/better-security-privacy-and-anonymity-in-firefox

__________________________________________
How to install Firefox addons in KM 76 RC:
http://kmeleonbrowser.org/forum/read.php?9,141979
Icons for Goanna KM/SM:
http://kmeleonbrowser.org/forum/read.php?10,150634
K-Meleon Quick Reference:
http://kmeleonbrowser.org/docs.php
Basilisk/KM/SM xpi converter:
https://www.addonconverter.fotokraina.com/
Best regards.



Edited 2 time(s). Last edit at 05/22/2019 08:09AM by luk3Z.

Quote
luk3Z
(..)
Anyone try about:about ?
"This is a list of “about” pages for your convenience.
Some of them might be confusing. Some are for diagnostic purposes only.
And some are omitted because they require query strings." (...)

One of the nicest 'about:' is 'about:credits', plenty of amazing people there.



Edited 1 time(s). Last edit at 08/12/2018 05:10PM by J.G..

Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs
https://www.bleepingcomputer.com/news/software/firefox-gets-privacy-boost-by-disabling-proximity-and-ambient-light-sensor-apis/ - long link doesn't work
So there is tiny: http://tinyurl.com/3xxtzjct

device.sensors.proximity.enabled
device.sensors.ambientLight.enabled
device.sensors.enabled
device.sensors.orientation.enabled
device.sensors.motion.enabled

__________________________________________
How to install Firefox addons in KM 76 RC:
http://kmeleonbrowser.org/forum/read.php?9,141979
Icons for Goanna KM/SM:
http://kmeleonbrowser.org/forum/read.php?10,150634
K-Meleon Quick Reference:
http://kmeleonbrowser.org/docs.php
Basilisk/KM/SM xpi converter:
https://www.addonconverter.fotokraina.com/
Best regards.



Edited 2 time(s). Last edit at 02/23/2024 06:18PM by luk3Z.