[arch-general] opinion request about Firefox add-ons
Doug Newgard
scimmia at archlinux.info
Sun Jan 31 17:51:34 UTC 2016
On Sun, 31 Jan 2016 18:38:15 +0100
Elmar Stellnberger <estellnb at elstel.org> wrote:
> On 2016-01-31 at 18:07, Ralf Mardorf wrote:
> > On Sun, 31 Jan 2016 17:58:57 +0100, Elmar Stellnberger wrote:
> >> Besides this I would suggest some improvements in the default settings
> >
> > Defaults that differ from Upstream, such as removing everything Google
> > related from about:config or what kind of "improvements"? I guess Arch
> > users expect to get defaults that most closely correspond to Upstream.
> >
>
> By the time various security suggestions about Firefox settings are
> reaching me at least every now and then like f.i.
>
> * Some time ago EFF said f.i. that
> security.ssl3.dhe_rsa_aes_128/256_sha should be set to false
> see:
> https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
>
> * Some more hints can be found at privacytools.io not all of which may
> be appropriate for a default configuration.
> https://www.privacytools.io/#about_config
>
> * There are even more recommendations out there not all of which I do
> currently have handy. In my opinion collecting and considering all of
> that advice may be worth the work of the Arch security team.
>
> * Removing Google as the default search engine as well as other
> Google related stuff would be a good point to me as well. Endorsing
> ultimate trust to Google services while Google has received lots of
> money from intelligence services and the Pentagon should be considered a
> bad idea. There are plenty of alternatives like f.i. duckduckgo, qwant
> or ixquick. I mean we should give the user an informed choice on what
> services and search engines to use or not to use.
>
> Finally we could distribute more restrictive default settings f.i.
> disabling flash, webgl, etc. as an additional package.
Convince upstream to make the changes and Arch will follow suit.