On Sun, 31 Jan 2016 18:38:15 +0100 Elmar Stellnberger <estellnb@elstel.org> wrote:
On 2016-01-31 at 18:07, Ralf Mardorf wrote:
On Sun, 31 Jan 2016 17:58:57 +0100, Elmar Stellnberger wrote:
Besides this I would suggest some improvements in the default settings
Defaults that differ from Upstream, such as removing everything Google-related from about:config, or what kind of "improvements"? I guess Arch users expect to get defaults that most closely correspond to Upstream.
Over time, various security suggestions about Firefox settings have been reaching me, at least every now and then, for instance:
* Some time ago the EFF said, for instance, that security.ssl3.dhe_rsa_aes_128/256_sha should be set to false; see: https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attac...
* Some more hints can be found at privacytools.io, not all of which may be appropriate for a default configuration: https://www.privacytools.io/#about_config
* There are even more recommendations out there, not all of which I currently have handy. In my opinion, collecting and considering all of that advice may be worth the work of the Arch security team.
* Removing Google as the default search engine, as well as other Google-related stuff, would be a good point to me as well. Endorsing ultimate trust in Google services while Google has received lots of money from intelligence services and the Pentagon should be considered a bad idea. There are plenty of alternatives, for instance duckduckgo, qwant or ixquick. I mean we should give the user an informed choice on what services and search engines to use or not to use.
Finally, we could distribute more restrictive default settings, for instance disabling Flash, WebGL, etc., as an additional package.
Convince upstream to make the changes and Arch will follow suit.