User.js: changelog: v66-beta

Created on 27 Mar 2019  ·  7 Comments  ·  Source: arkenfox/user.js

  • date: 27-March-2019
  • foreword: These are all the changes since the last changelog (v65-beta).

FF66 Release notes
FF66 for developers
FF66 compatibility
FF66 security advisories
FF66.0.1 security advisories


changelog: [[all changes](https://github.com/ghacksuserjs/ghacks-user.js/compare/5c703f0...bee47f3)]

  • all user.js updates for Firefox v66 are detailed in the ToDo: diffs FF65-FF66 issue

    • includes links to the commits made for each pref, links to bugzilla tickets, our discussions etc.

  • for all the rest see the full list of pref changes below

all pref changes:

  • new active prefs:
user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
user_pref("media.autoplay.enabled.user-gestures-needed", false);
user_pref("privacy.resistFingerprinting.letterboxing", true);
  • new in 66beta but commented out by default:
//user_pref("privacy.resistFingerprinting.letterboxing.dimensions", "");
  • moved to 9999: DEPRECATED / REMOVED:
user_pref("browser.chrome.errorReporter.enabled", false);
user_pref("browser.chrome.errorReporter.submitUrl", "");
user_pref("network.allow-experiments", false);

Any and all help, suggestions, recommendations, links, tips and tricks, questions, thank you's or what have you are welcome - signup/login and start typing - thanks

All 7 comments

No words or emoticons can express my gratitude for your work guys!

Maybe the wrong thread for this if so I'll remove it but any chance the latest script + firefox 66.0.2 still allows oscp query and disabling the myriad number of "features" mozilla calls malware protection? On startup I see hits for

 firefox.settings.services.mozilla.com 63.245.217.105
ocsp.digicert.com
cs9.wac.phicdn.net

From what I think is a config that should be blocking those (note the typo in OCSP):

$ egrep -i '(settings.services.mozilla.com|oscp|ocsp)' user.js   | grep -v \*
     1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
user_pref("extensions.blocklist.url", "https://127.0.0.1/blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
user_pref("security.ssl.enable_ocsp_stapling", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
   // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]

Maybe the wrong thread

Nah, in here is good - better than having a thousand open issues :)

the myriad number of "features" mozilla calls malware protection

I don't understand. I get it, English is not your native language?

I don't follow at all, what are you basing that on?

Mozilla doesn't ship anything that is malicious, and they certainly don't care about harvesting anything PII from anyone. Telemetry is needed for development (and we turn it off), and follow-on search (the engine, not the query) is income related, etc (and we turn it off). We even turn off a couple of real time Safe Browsing options. In other words, there is nothing here that is a privacy or security risk. If you don't trust Mozilla, then stop using their products.

Hope that was an attempt at sarcasm? Many of those "features" do not have UI front ends. The only way what you say would make any sense is if the telemetry was not part of production builds.

If you don't trust Mozilla, then stop using their products.

That is just absurd.

I "get" that some people want ZERO external connects unless they explicitly ask for it - and this user.js should do that. Been a while since I looked at anything in wireshark. But there is nothing bad about any of it (unless it's an extension gone rogue, or badly configured)

That said: I see nothing "bad" about these connections.

You might want to look with wireshark before commenting on the risk those connections cause. There are also places that pay for data by the byte.

note the typo

oscpu is os (operating system) + cpu (architecture) and returns a navigator property: e.g "Windows NT 6.1; Win64; x64" - has nothing to do with OCSP. Is that what you meant by a typo?

Indeed it was an error. I meant it as OCSP.

should be blocking those

"on startup" .. the pref switches whether or not you "use" OCSP. Maybe FF still downloads an update for OCSP on start and this isn't covered by the pref? I'm not sure what those two connections are. Are you using any extensions? HTTPS-Everywhere?

The OCSP request came when I loaded github and continue to happen despite the setting. This is a fresh install with only two extensions - uBo and uM.

Also note that FF will always check for updates unless you use Policies - although this is not on startup but timed every so often. But if your browser wasn't open recently, then it would happen on startup.

Which is part of being evil. They are timed in hopes no one notices. I did because all of mozilla.[com|org|net] hosts are blocked.

Funny thing about firefox.settings.services.mozilla.com is it now appears in about:config under "services.settings.server". Only reference I can find to that is #442

edit: cs9.wac.phicdn.net is part of the ocsp thing

# host ocsp.digicert.com
ocsp.digicert.com is an alias for cs9.wac.phicdn.net.
cs9.wac.phicdn.net has address 93.184.220.29

Indeed.

Which is part of being evil. They are timed in hopes no one notices

That and other things you are saying are just over the top and absurd.

It's absurd to want a browser not calling home? Noted. Interesting position given the project.

They are timed so as to be effective but not too intrusive - the timing was tweaked over several releases and went from immediately on every startup and annoying as fuck to being less often (12 hrs) and not in your face every startup.

I don't follow, how is a background task in your face?

How is 12 hrs "so they won't be noticed"? The whole point of them is so they ARE noticed. I'll write that again .. slowly ... The whole point of them is so they ARE noticed. Q.E.D (quod erat demonstrandum)

I'm not entirely sure you know what I'm referring to. Let me say it slowly: The metrics are communicated with background processes. I'm not referring to processes which require user intervention (assuming you configure them as such to begin with). ie, Updates. Regardless they would only be noticed from infrastructure monitoring, there is NOTHING in Firefox alerting the user. Hell I don't think they even show up in uBo or uM.

The fact they cannot be disabled in Windows without a policy is so that gazillions of end users are regularly updated (as they would have been anyway, but this picks on all those who disabled it and forgot - which telemetry showed was quite a few). This is a responsible thing to do with such a highly used app that you know, connects to the internet and is a large attack vector. End users can still disable the actual auto-updates. Sheesh. There is nothing EVIL about any of this.

What on Earth are you talking about. These are Firefox specific, they have nothing to do with Windows, I don't use nor have that piece of crap installed. It's somewhat disturbing you either fail to see or outright ignore the fact that these are not simple requests. There is metadata sent with them. If they were as simple to disable as you claim, ghacks wouldn't be needed.

The OCSP request came when I loaded github

Well, you didn't say that. You said "on startup I hits for". Maybe it still checks for them but doesn't use them. IDK.

Well, how else would they have ? I certainly didn't tell Firefox to do so.

When do you get the firefox.settings.services.mozilla.com one? On startup? I assume so, since it makes zero sense to be doing that in github.

It's something in the background, doesn't appear site specific. I can still see firefox hitting it for dns.

// Remote settings preferences
pref("services.settings.poll_interval", 86400); // 24H
pref("services.settings.server", "https://firefox.settings.services.mozilla.com/v1");
pref("services.settings.changes.path", "/buckets/monitor/collections/changes/records");
pref("services.settings.default_bucket", "main");
pref("services.settings.default_signer", "remote-settings.content-signature.mozilla.org");

That is in a fucking production release. How on Earth you judge that to be acceptable from Mozilla speaks volumes.

Is there a question somewhere or are you just throwing insults and accusations around?

How on Earth you judge that to be acceptable from Mozilla speaks volumes.

"remote settings" is how they ship updates for revoked certs, malicious addons, vulnerable plugins etc.
Do you think it would be more acceptable for mozilla to NOT do that? seriously?
You found the prefs to block all that so what else do you want.

And if the OCSP setting is not doing anything that's a bug and you should report it so they can fix it. There's nothing we can do about that with the user.js - a pref either works as it should or it's broken. Report it to mozilla if you want it fixed

I'm quite flood by this but for documentation:

Because your STR (steps to reproduce)

What are you talking about exactly? There were no formal steps because I wasn't sure posting in the thread was correct.

So when you say "It's absurd to want a browser not calling home?", all you're telling me is that you only see black and white, and can't be objective.

And you're failing to understand how such policies (by Mozilla), go against the very core of what you're trying to accomplish. I'm quite aware it's a popular position that auto updates are good security practice.

So if you're up to it, maybe we can find out what ails you and help you. But if you want to nut off at me again, then well, I won't (help)

I'm not asking you for help. Fact that you believe I'd nutt to you is your ego.

Is there a question somewhere or are you just throwing insults and accusations around?
...
And if the OCSP setting is not doing anything that's a bug and you should report it so they can fix it.

You answered your own question.

You've both gone on some rant I have no idea where it comes from. I know neither of you.

  • firefox.settings.services.mozilla.com 63.245.217.105

You can type the following url:
https://firefox.settings.services.mozilla.com/v1/

...and the text that appears includes: https://github.com/mozilla-services/kinto-amo/

Kinto Servers by Mozilla are used to update blacklists of addons, plugins, gfx cards and certificates.

  • ocsp.digicert.com

One of the many Online Certificate Status Protocol Servers that's needed for FF to work.

  • cs9.wac.phicdn.net

Same as above, see: https://github.com/MrAlex94/Waterfox/issues/460#issuecomment-390434586

Related: https://github.com/pyllyukko/user.js/issues/17

OCSP Servers are contacted every time you land on an https:// page. If you block them, once the Certificates in your browser are out of date, you won't see any https:// page.
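The grep earlier in the thread matched the commented-out `general.oscpu.override` line and a section header, neither of which is an active setting. As an added example (not code from the thread or from the user.js project), this sketch parses user.js text, drops `//` and `/* */` comments without touching `//` inside URL strings, and lists only the active prefs that match the same pattern. The sample input is constructed from prefs quoted above; the function names are hypothetical.

```python
import re

# Constructed sample in user.js style, built from prefs quoted in the thread above.
SAMPLE_USER_JS = '''\
/*** 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS) ***/
user_pref("security.ssl.enable_ocsp_stapling", false);
user_pref("security.OCSP.enabled", 0);
user_pref("security.OCSP.require", false);
   // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
user_pref("privacy.resistFingerprinting.letterboxing", true);
user_pref("extensions.blocklist.url", "https://127.0.0.1/blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
'''

# The search pattern used with egrep in the thread.
THREAD_PATTERN = r"(settings.services.mozilla.com|oscp|ocsp)"

# A quoted string, a /* block */ comment, or a // line comment. Strings are
# matched first so that "https://..." is never mistaken for a comment start.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.DOTALL)
PREF = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*("(?:\\.|[^"\\])*"|true|false|-?\d+)\s*\)\s*;')

def strip_comments(text):
    """Remove comments but keep string literals exactly as written."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def active_prefs(text):
    """Return {name: value} for prefs that are not commented out."""
    prefs = {}
    for name, raw in PREF.findall(strip_comments(text)):
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value  # a later line overrides an earlier one
    return prefs

def matching(prefs, pattern):
    """Names of active prefs whose name or string value matches the pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [n for n, v in prefs.items()
            if rx.search(n) or (isinstance(v, str) and rx.search(v))]

if __name__ == "__main__":
    prefs = active_prefs(SAMPLE_USER_JS)
    for name in matching(prefs, THREAD_PATTERN):
        print(f"{name} = {prefs[name]!r}")
```

A user.js only sets preferences when Firefox starts, so confirming what is actually in effect still means checking the same names in about:config.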
