> Hello,
>
> As many of you know there were various hardening patches to IceWeasel
> and IceDove recently. These patches were done by myself and gleaned
> from other reliable sources such as TBB and PrivacyTools.io[1], as
> well as consulting the Mozilla wiki.
>
> Unfortunately, it has caused breakage on some websites[2][3] and
> degraded user experience. This is to be expected, as the web becomes
> less privacy-friendly, and more centralized/data-centric.
>
> A quick run down of notable patches[4]:
>
> 1) Disable Telemetry for good (it was previously storing all the
> telemetry data and probing your OS every 2 minutes or so, including
> open tabs and websites for 'analytical purposes')
>
> 2) Disable Balrog/AUS5, Mozilla's new non-transparent remote update
> mechanism that fingerprints the user.
>
> 3) Disable Facial Recognition, Speech Recognition, and Virtual Reality
> API.
>
> 4) Disable various data leaks and remote updates, attempt to
> completely stop Google from being queried and downloading their
> "safe-browsing" list for every page you visit.
>
> 5) Stop IP leaks caused by WebRTC, WebSockets, and Captive Portal
> Detection.
>
> 6) Disable DOM Storage due to many privacy concerns and it being off
> in all modern versions of TBB.
>
> 7) Disable weak hash and broken SSL implementation which do not
> prevent eavesdroppers from reading the page.
>
>
> _- So this puts the nonprism projects at a crossroads. Do we want to
> favour accessibility and "features" over "privacy"?_
>
> From my personal opinion, nonprism should provide security and privacy
> by default. Users can choose to opt-out of nonprism if they wish. This
> is easily done by A) not using nonprism, or B) using about:config
> and/or user.js to override the settings.
>
> Meanwhile, some users have questioned why nonprism is not on by
> default[5], and I think this is a valid point from a security
> standpoint. Users may be using Parabola under the impression they are
> experiencing the safest possible defaults, and this is currently not
> the case.
>
> 1. https://www.privacytools.io/#about_config
>
> 2. https://labs.parabola.nu/issues/1113
>
> 3. https://labs.parabola.nu/issues/1114
>
> 4.
> https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js
> /
> https://git.parabola.nu/abslibre.git/plain/nonprism-testing/iceweasel/vendor.js
>
> 5. https://labs.parabola.nu/issues/1093#note-3
>
>
> Now that everyone is aware of the issues, please discuss. I do not
> feel [nonprism] should become "privacy-lite" and libre become "no
> protection at all".
>
>
> Luke
>
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.parabola.nu/mailman/listinfo/dev

I have helped Emulatorman add a post-install notice to nonprism packages to notify users of hardening and a link to this thread.

Also I forgot to mention a consensus cut off date. Please reach consensus by October 24th 2016.

Luke
