On Sun, 31 Jan 2016 18:38:15 +0100 Elmar Stellnberger <estellnb@xxxxxxxxxx> wrote:

> On 2016-01-31 at 18:07, Ralf Mardorf wrote:
> > On Sun, 31 Jan 2016 17:58:57 +0100, Elmar Stellnberger wrote:
> >> Besides this I would suggest some improvements in the default settings
> >
> > Defaults that differ from Upstream, such as removing everything Google
> > related from about:config or what kind of "improvements"? I guess Arch
> > users expect to get defaults that most closely correspond to Upstream.
>
> By the time various security suggestions about Firefox settings are
> reaching me at least every now and then like f.i.
>
> * Some time ago EFF said f.i. that
> security.ssl3.dhe_rsa_aes_128/256_sha should be set to false
> see:
> https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
>
> * Some more hints can be found at privacytools.io not all of which may
> be appropriate for a default configuration.
> https://www.privacytools.io/#about_config
>
> * There are even more recommendations out there not all of which I do
> currently have handy. In my opinion collecting and considering all of
> that advice may be worth the work of the Arch security team.
>
> * Removing Google as the default search engine as well as other
> Google related stuff would be a good point to me as well. Endorsing
> ultimate trust to Google services while Google has received lots of
> money from intelligence services and the Pentagon should be considered a
> bad idea. There are plenty of alternatives like f.i. duckduckgo, qwant
> or ixquick. I mean we should give the user an informed choice on what
> services and search engines to use or not to use.
>
> Finally we could distribute more restrictive default settings f.i.
> disabling flash, webgl, etc. as an additional package.

Convince upstream to make the changes and Arch will follow suit.
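As an added illustration that is not part of the thread or of any Arch package: a small Python audit of the two DHE prefs the EFF advice above refers to (security.ssl3.dhe_rsa_aes_128_sha and security.ssl3.dhe_rsa_aes_256_sha), read from a prefs.js or user.js body, with the user.js lines a distributed "additional package" would need to ship for whatever is still enabled. The sample prefs body is constructed here for the demonstration.

```python
import re

# Prefs the EFF advice quoted in the thread says should be false; they
# select the DHE-RSA suites that can negotiate 1024-bit DH parameters.
WEAK_DHE_PREFS = (
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
)

# Matches prefs.js / user.js lines such as: user_pref("name", false);
_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);'
)


def parse_prefs(text):
    """Return a dict of pref name -> value for a prefs.js/user.js body."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, unsupported forms
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def dhe_audit(text):
    """Names of weak DHE prefs not explicitly set to false.
    Firefox enables these suites by default, so an absent pref counts as enabled."""
    prefs = parse_prefs(text)
    return [p for p in WEAK_DHE_PREFS if prefs.get(p, True) is not False]


def user_js_fix(text):
    """Emit the user.js lines that disable whatever dhe_audit() still reports."""
    return "".join(f'user_pref("{p}", false);\n' for p in dhe_audit(text))


# Constructed sample: one suite already disabled, the other never mentioned.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("browser.search.defaultenginename", "Google");
'''

if __name__ == "__main__":
    print("still enabled:", dhe_audit(SAMPLE_PREFS))
    print(user_js_fix(SAMPLE_PREFS), end="")
```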