User.js: changelog: v64-beta

Created on 13 Dec 2018 · 12 Comments · Source: arkenfox/user.js

  • date: 13-December-2018
  • foreword: These are all the changes since the last changelog (v63-beta).
  • note: the comments in the code blocks below are for this changelog's commentary

FF64 Release notes
FF64 for developers
FF64 compatibility


changelog: [[all changes](https://github.com/ghacksuserjs/ghacks-user.js/compare/3003f2d...e60abd6)]

  • all user.js updates for Firefox v64 are detailed in the ToDo: diffs FF63-FF64 issue

    • includes links to the commits made for each pref, links to bugzilla tickets, our discussions etc.

  • new version of the user.js updater for macOS and Linux (see #553)! Thanks @overdodactyl !
  • minor adjustments in the user.js to make data collection easier for a massive project that @overdodactyl has started working on: an online, interactive, real-time user.js (see #578)

    • still in the early stages but already looking great! Thanks @overdodactyl !!

  • for all the rest see the full list of pref changes below

all pref changes:

  • new active prefs:
user_pref("devtools.webide.autoinstallADBExtension", false);
user_pref("dom.event.highrestimestamp.enabled", true);
user_pref("security.mixed_content.block_object_subrequest", true);
user_pref("toolkit.coverage.opt-out", true);
  • new in 64beta but commented out by default:
//user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
  • activated previously commented-out prefs:
user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);
user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.longPressBehavior", 2);
user_pref("privacy.userContext.ui.enabled", true);
  • changed values:
user_pref("browser.aboutHomeSnippets.updateUrl", ""); // 63beta: "data:,"
  • commented out:
//user_pref("browser.library.activity-stream.enabled", false);
//user_pref("browser.sessionstore.max_tabs_undo", 0);
//user_pref("browser.sessionstore.resume_from_crash", false);
//user_pref("full-screen-api.enabled", false);
//user_pref("general.warnOnAboutConfig", false);
//user_pref("permissions.default.geo", 2);
//user_pref("security.tls.version.min", 3);
  • removed from the user.js:
user_pref("browser.eme.ui.enabled", false);
user_pref("browser.sessionstore.max_windows_undo", 0);
user_pref("media.navigator.video.enabled", false); // covered by media.navigator.enabled
/* all these media.peerconnection.* are unnecessary and covered by media.peerconnection.enabled */
user_pref("media.peerconnection.ice.tcp", false);
user_pref("media.peerconnection.identity.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("media.peerconnection.turn.disable", true);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false); // default false since FF59
  • moved to 9999: DEPRECATED / REMOVED:
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false);
user_pref("browser.onboarding.enabled", false);
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("security.csp.enable_violation_events", false);

Any and all help, suggestions, recommendations, links, tips and tricks, questions, thank you's or what have you are welcome - signup/login and start typing - thanks
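
The categories in the pref list above (new active, activated, commented out, changed, removed) can be recomputed by comparing two copies of a user.js. This is an added example, not part of the original issue or the project's own tooling; the two sample file bodies are constructed from prefs named above, and `parsePrefs` / `diffPrefs` are hypothetical helper names.

```javascript
// Constructed samples: every line uses a pref and a state named in this changelog.
const OLD_JS = `
user_pref("browser.aboutHomeSnippets.updateUrl", "data:,");
// user_pref("privacy.userContext.enabled", true);
user_pref("full-screen-api.enabled", false);
user_pref("browser.eme.ui.enabled", false);
user_pref("browser.onboarding.enabled", false);
`;
const NEW_JS = `
user_pref("browser.aboutHomeSnippets.updateUrl", "");
user_pref("privacy.userContext.enabled", true);
//user_pref("full-screen-api.enabled", false);
user_pref("toolkit.coverage.opt-out", true);
//user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
/* deprecated block (constructed)
user_pref("browser.onboarding.enabled", false);
*/
`;
// Parse user.js into Map(name -> {value, active}); a pref is inactive when its line
// starts with // or lies inside a /* ... */ block (markers inside strings not handled).
function parsePrefs(text) {
  let prefs = new Map(), inBlock = false;
  for (const line of text.split('\n')) {
    const wasInBlock = inBlock;
    if (line.includes('/*')) inBlock = true;
    if (line.includes('*/')) inBlock = false;
    const m = line.match(/^\s*(\/\/)?\s*user_pref\("([^"]+)",\s*(.+?)\);/);
    if (!m) continue;
    const active = !m[1] && !wasInBlock;
    // The last active line wins; an inactive line never replaces an active one.
    if (active || !prefs.get(m[2])?.active) prefs.set(m[2], { value: m[3], active });
  }
  return prefs;
}
// Sort each pref into the categories this changelog uses.
function diffPrefs(oldText, newText) {
  const before = parsePrefs(oldText), after = parsePrefs(newText);
  const out = { newActive: [], newInactive: [], activated: [], commentedOut: [], changed: [], removed: [] };
  for (const [name, cur] of after) {
    const prev = before.get(name);
    if (!prev) out[cur.active ? 'newActive' : 'newInactive'].push(name);
    else if (cur.active && !prev.active) out.activated.push(name);
    else if (!cur.active && prev.active) out.commentedOut.push(name);
    else if (cur.active && cur.value !== prev.value) out.changed.push(name);
  }
  for (const name of before.keys()) if (!after.has(name)) out.removed.push(name);
  return out;
}
console.log(diffPrefs(OLD_JS, NEW_JS));
```

A pref moved into a `/* ... */` block is reported under `commentedOut`, since from the browser's point of view it is simply no longer applied.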

All 12 comments

:+1: x 1000 on @overdodactyl's project ... something for the masses that can leverage the information we painstakingly built into the js. Still some work to do on our end, setup tags and merging that with relaxed/harden stickies - it's getting close guys!

And loads more potential for this: e.g. generating custom overrides: manual editing or bulk switching active/inactive based on setup tags etc.

@claustromaniac .. do you want to play some wargames ? You go first...

There are issues with Trident Submarines. They use ‘SMCS NG’ or ‘Windows for Submarines’ released 10 years ago.

US and UK officials have announced future upgrades to their Trident missiles program, and more specifically, to the missile’s software, in order to prevent cyber-attacks.

I'll try to remember that the next time I see someone say something about "military-grade encryption" or such...

:man_facepalming:

Pawn to e3... oophs, wrong game

You go first...

I'll give it a go in DOS... Let's see...

CD /D "C:\Program Files\Ballistics\"
START "" launch.exe -targetLatitude "38.897957" -targetLongitude "-77.036560"
EXIT

oops... wrong target.

why was //user_pref("security.tls.version.min", 3); commented out?
or rather why is it not set to 2?
TLS 1.1 is being deprecated slowly, i.e. GitHub has already dropped support. https://www.ssllabs.com/ssltest/analyze.html?d=github.com&s=192.30.253.112
https://githubengineering.com/crypto-removal-notice/

Granted TLS 1.1 does not have any known vulnerabilities but TLS 1.0 does.
I think it's time to remove TLS 1.0 by setting user_pref("security.tls.version.min", 2); default is 1. Almost all servers that support TLS 1.0 also support TLS 1.1 and 1.2
https://www.ssllabs.com/ssl-pulse/
https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1/
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
https://security.googleblog.com/2018/10/modernizing-transport-security.html

@publicarray see 0cc4007

TL;DR: security.tls.version.min is only a lower bound, and security.tls.version.max an upper bound (currently 4). Enforcing a min version > 1 will only break sites (rarely) at the expense of making us look more unique.

@claustromaniac Thanks. Anyway, I'm going to override it in my personal file. My reason is that if a server still runs on TLS 1.0 only, I would assume the server operator has not updated their software in years and is likely running other out-of-date software and is likely vulnerable to other things, e.g. old PHP forum software etc.

It was the FP aspect. The chances of hitting a TLS 1.0 server are almost zero. We are happy to wait until Mozilla do it. I think it's scheduled in about a year's time?

Fair enough, to each their own. Yes, in March of 2020.

Not looking for a server with only TLS 1.0, I was only browsing on hackernews and stumbled upon this server: https://www.ssllabs.com/ssltest/analyze.html?d=community.wolfram.com 🙈 (http://community.wolfram.com/groups/-/m/t/175891)

Re: https://github.com/ghacksuserjs/ghacks-user.js/issues/593#issuecomment-448071208

DOD report finds no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities in the US' ballistic missile system

From: zdnet
