From: Mark H Weaver
To: Jacob Hrbek, 52236@debbugs.gnu.org
Subject: bug#52236: PRIVACY: Integrate arkenfox for icecat configuration
Date: Thu, 02 Dec 2021 19:11:52 -0500
Message-ID: <87lf12o8bg.fsf@netris.org>
List-Id: Bug reports for GNU Guix

Hi Jacob,

Jacob Hrbek writes:

> Arkenfox is a community
> maintained user.js file used for browser hardening.

In the past, I've investigated and integrated some ideas from similar "user.js"-style projects into IceCat. I'm open to integrating more, but I'd prefer to see proposals in manageable chunks on the gnuzilla mailing lists.

> Proposing to implement its configuration in GNU Guix's IceCat mainly:
>
> - geo.provider.network.uri (it's pinging google servers currently)

Geolocation is disabled by default in IceCat. When you say that "it's pinging google servers currently", have you observed this in its default configuration, or did you enable Geolocation?

FWIW, I've test-run IceCat on my own system and monitored the network traffic on a number of occasions, including after the update to 91, and I've not seen evidence of the pinging you describe. Can you please elaborate?

> - Actual disabling of WebRTC

Your use of the word "Actual" above seems to suggest that the IceCat project aims to disable WebRTC. I'm not aware of any such decision by the IceCat project. IceCat *does* set both "media.peerconnection.ice.no_host" and "media.peerconnection.ice.default_address_only" to true by default, however.

Anyway, I'm open to discussing proposed changes to IceCat's default settings, preferably on the gnuzilla mailing lists.

> - Clearing on re-start (privacy.clearOnShutdown.*)

I'm open to discussing proposed changes to IceCat's default settings, but I don't think this is what most of our users want by default. There's at least one setting in about this ("Delete cookies and site data when IceCat is closed"), and I'm open to adding more settings to that page.

> - toolkit.telemetry.enable = false instead of forced true

I consider it a high priority to disable *all* telemetry in IceCat, and I've made an effort to do so. I've looked for evidence of telemetry by monitoring network activity when using IceCat, and I haven't found any. If you have evidence that any telemetry is actually enabled in IceCat, *please* show us the evidence.

It is indeed interesting that in , "toolkit.telemetry.enable" is presented as being forced set to true. I hadn't previously noticed that.

I should say that in addition to (attempting to) set "toolkit.telemetry.enable" to "false", just as Arkenfox does, we also set "toolkit.telemetry.server" to "".

  https://git.sv.gnu.org/cgit/gnuzilla.git/tree/data/settings.js?id=32631cac00953abbac61dc7ab1a0eafbdd59b53a#n131

Moreover, we apply some patches to IceCat to fix issues that I discovered while monitoring IceCat's network activity:

  https://git.sv.gnu.org/cgit/gnuzilla.git/tree/data/patches/moz-configure-changes.patch?id=32631cac00953abbac61dc7ab1a0eafbdd59b53a
  https://git.sv.gnu.org/cgit/gnuzilla.git/tree/data/patches/fix-data-reporting-check.patch?id=32631cac00953abbac61dc7ab1a0eafbdd59b53a
  https://git.sv.gnu.org/cgit/gnuzilla.git/tree/data/patches/disable-settings-services.patch?id=32631cac00953abbac61dc7ab1a0eafbdd59b53a

> Additional configuration should be defined in guix-home with sane
> default so that the browser can be a sufficient replacement for Tor
> Browser Bundle.

Please see Maxime's comments on this, which I agree with. I'm sorry to say that I don't see a way for IceCat users to hide that they are probably using IceCat. If you require strong anonymity, your best bet is to use Tor Browser Bundle.

     Regards,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about .
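
An added example, not part of the original message and not IceCat or Arkenfox code: a small auditor that parses a Firefox-style preferences file and reports which of the four preferences named in the message are missing or differ from the values the message states. Preference names are used exactly as written in the message (check them against the file being audited); the sample file and its `example.accept.header` entry are constructed.

```python
import re

# Expected values; preference names exactly as written in the message.
EXPECTED = {
    "media.peerconnection.ice.no_host": True,
    "media.peerconnection.ice.default_address_only": True,
    "toolkit.telemetry.enable": False,
    "toolkit.telemetry.server": "",
}

# A double-quoted string, a /* block */ comment, or a // line comment.
TOKEN_RE = re.compile(r'"(?:[^"\\\n]|\\.)*"|/\*.*?\*/|//[^\n]*', re.DOTALL)
PREF_RE = re.compile(r'\b(?:user_pref|pref|lockPref|defaultPref)\s*\(\s*"([^"]+)"'
                     r'\s*,\s*("(?:[^"\\\n]|\\.)*"|true|false|-?\d+)\s*\)\s*;')

def strip_comments(text):
    """Blank out comments but keep strings, so "*/*" inside a value survives."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def parse_prefs(text):
    """Return {name: value}; a later assignment overrides an earlier one."""
    prefs = {}
    for name, raw in PREF_RE.findall(strip_comments(text)):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:  # string values keep their escapes undecoded
            prefs[name] = raw[1:-1] if raw.startswith('"') else int(raw)
    return prefs

def audit(text, expected=EXPECTED):
    """List (name, actual, expected); actual is None when the pref is not set."""
    prefs = parse_prefs(text)
    return [(name, prefs.get(name), want) for name, want in expected.items()
            if name not in prefs or type(prefs[name]) is not type(want)
            or prefs[name] != want]

# Constructed sample file (not IceCat's settings.js).
SAMPLE = r'''
pref("example.accept.header", "text/html,*/*;q=0.8");
pref("media.peerconnection.ice.no_host", true);
/* pref("media.peerconnection.ice.default_address_only", true); */
// pref("toolkit.telemetry.enable", false);
pref("toolkit.telemetry.enable", true);
pref("toolkit.telemetry.server", "");
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Commented-out assignments count as unset, and the type check keeps an integer `0` from passing as `false`.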