Am 2016-01-31 um 18:07 schrieb Ralf Mardorf:
On Sun, 31 Jan 2016 17:58:57 +0100, Elmar Stellnberger wrote:
Besides this I would suggest some improvements in the default settings
Defaults that differ from Upstream, such as removing everything Google
related from about:config or what kind of "improvements"? I guess Arch
users expect to get defaults that most closely correspond to Upstream.
By the time various security suggestions about Firefox settings are
reaching me at least every now and then like f.i.
* Some time ago EFF said f.i. that
security.ssl3.dhe_rsa_aes_128/256_sha should be set to false
see:
https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
* Some more hints can be found at privacytools.io not all of which may
be appropriate for a default configuration.
https://www.privacytools.io/#about_config
* There are even more recommendations out there not all of which I do
currently have handy. In my opinion collecting and considering all of
that advice may be worth the work of the Arch security team.
* Removing Google as the default default search engine as well as other
Google related stuff would be a good point to me as well. Endorsing
ultimate trust to Google services while Google has received lots of
money from intelligence services and the Pentagon should be considered a
bad idea. There are plenty of alternatives like f.i. duckduckgo, qwant
or ixquick. I mean we should give the user an informed choice on what
services and search engines to use or not to use.
Finally we could distribute more restrictive default settings f.i.
disabling flash, webgl, etc. as an additional package.
