Bug#809354: privacy/security enhancements

Philippe Cerfon philcerf at gmail.com
Tue Dec 29 19:08:32 UTC 2015 

Package: iceweasel
Severity: wishlist

Dear maintainer(s).

Unfortunately Mozilla puts more and more questionably stuff into
Firefox, where things like CDM[0] are only the tip of the iceberg.

I've seen that you already override several settings via debian/browser.js.in.

Would you please consider to add the following (or parts of them) to the list:
1) media.gmp-provider.enabled = false
AFAIU, GMP is anyway just for 3rd party plugins that implement EMEs or CDMs.
Since both isn't desired in Debian, it would make sense to completely
disable it, even if right now the only one is OpenH264, which is
already disabled.

Additionally one could set media.gmp-manager.certs.1.issuerName,
media.gmp-manager.certs.2.issuerName and media.gmp-manager.url, to
invalid values that cannot be used, e.g.
Using a non-existent CA DN like "CN=Debian,O=Debian" and a URL like
"https://invalid/"


2) media.eme.enabled = false and media.eme.apiVisible = false
Same reason as above in (1). Debian doesn't want EME/CDM and even
though there is no CDM for the Linux Firefox, why not disabling it
already.

Similarly, media.gmp-eme-adobe.enabled = false, as soon as it would
hit Linux Firefox.


3) browser.pocket.enabled = false
Yet another disturbing thing from Mozilla, the integration of Pocket.
Searching google for it seems to return more pages where people want
to disable this for security and or privacy reasons than sites that
other results.
Especially since nothing properly warns the user about potential
implications, and since this is yet another specific proprietary
server that Mozilla pushes for whatever reasons, it should probably be
disabled per default in Debian.



There's e.g. https://gist.github.com/haasn/69e19fc2fe0e25f3cff5 which
collects all kinds of further privacy/security related settings that
may be worth looking at.
Some of course are probably too invasive and would break many sites,
but some should be definitely considered:

4) dom.battery.enabled = false
There's really no reason every, a website should be allowed to know my
charging status (WTF Mozilla).

Other on the site mentioned above, especially "GeoLocation / Beacon",
"Social media integration", "Device tracking/statistics", "Stat
tracking / telemetry" and especially also "Link pre-fetching", seem to
be quite concerning as well; a privacy nightmare, so to say.


btw: Do you have any idea when Mozilla pulls the trigger and Adobe CDM
hits Linux Firefox as well?


Thanks for you consideration,
Philippe.




[0] AFAIK, this isn't part of the Linux port yet, is it?

More information about the pkg-mozilla-maintainers mailing list