[Mozilla Enterprise] Firefox Configuration Confusion - Need to Secure Firefox
Eddie Rowe
eddie.rowe at tdhca.state.tx.us
Tue Sep 10 16:02:40 UTC 2019
Yes, I inherited the non-ESR install. We will be 100% ESR by end of the year when the last Win7 system is retired.
From: Enterprise <enterprise-bounces at mozilla.org> On Behalf Of Romain Testard
Sent: Monday, September 09, 2019 2:59 AM
To: Philipp Madersbacher <philipp.madersbacher at gmail.com>
Cc: enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] Firefox Configuration Confusion - Need to Secure Firefox
Indeed, the policy can be used to disable DoH and please keep in mind that DoH is not being deployed on ESR.
More details on the DoH roll-out:
- SUMO page https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
- ESR will NOT be impacted
- We're targeting rapid release users on 69 with IP addresses located in the US. We're NOT enabling DoH if any enterprise policy is detected, and if the enterprise roots pref is enabled. However, the proper way is to set the DoH enterprise policy to disable it. Administrators can also add exceptions, if they like DoH but it can break specific sites (e.g. because of split-horizon).
On Mon, Sep 9, 2019 at 9:10 AM Philipp Madersbacher <philipp.madersbacher at gmail.com> wrote:
Hello, If your main intent is to centrally manage/disable DoH in Firefox, you can easily do so through a GPO - the relevant links for this are:
https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows
https://github.com/mozilla/policy-templates/blob/master/README.md#dnsoverhttps
No need to make the matter more complicated than it is ;-)
Best regards
On Sun, Sep 8, 2019 at 22:28, Eddie Rowe <eddie.rowe at tdhca.state.tx.us> wrote:
Given Mozilla’s decision to turn on DNS over HTTPS we have to secure Firefox to disable this type of nonsense or remove it from every PC in the next two weeks. Chrome is configured through an easy to manage GPO which leverages other really smart people who have created a security baseline along with preconfigured GPOs, while Firefox does not seem to have this level of support.
Assuming a person is new to Firefox, exactly what are we supposed to modify to set things up securely? I see references to things going into Mozilla.cfg, policies.json, GPO, autoconfig.js… I probably missed a file too. I see people helpfully answering a question and telling the person to go to https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment for the answer to their question, but there are just more links there. I see people posting not to bother with GPO because all the options are not there, but others say there are GPO settings that are not elsewhere… I see references that one thing is set one place, another place overrides… I see one document say the autoconfig.js file goes into the folder where Firefox is installed, but the same document says it goes into a subfolder… I see references to setting preferences in the policies.json file, but I thought Mozilla.cfg was to be used for this? Finally, I see mention that there are preferences that are set in the source code that are not exposed to about:config?
Surely there is a simple one page document that walks you through this so we can spend a LIMITED amount of time sorting this out???
https://www.zdnet.com/article/mozilla-to-gradually-enable-dns-over-https-for-firefox-us-users-later-this-month/ - Ready or not, here comes DNS over HTTPS to bypass all security you have using DNS to block dangerous sites.
_______________________________________________
Enterprise mailing list
Enterprise at mozilla.org
https://mail.mozilla.org/listinfo/enterprise
To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to enterprise-request at mozilla.org with a subject of "unsubscribe"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20190910/b9e9f44b/attachment.html>
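
One way to check a deployed policies.json against the advice in this thread (an added example, not code from the list or from Mozilla): it reads the DNSOverHTTPS policy linked above and reports whether DoH is explicitly disabled and locked, merely left to the rollout's "policy detected" check, or enabled with exceptions. The function name, the state labels and the sample documents are constructed for illustration.

```python
import json

def audit_doh_policy(text):
    """Classify how a policies.json document treats DNS over HTTPS (DoH)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"state": "invalid", "detail": "not valid JSON: " + exc.msg}
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return {"state": "invalid", "detail": 'no top-level "policies" object'}
    doh = policies.get("DNSOverHTTPS")
    if not isinstance(doh, dict):
        # The thread notes the rollout skips installs where a policy is
        # detected, but calls an explicit DoH policy the proper way.
        state = "implicit" if policies else "unmanaged"
        return {"state": state, "detail": "DNSOverHTTPS policy not set"}
    excluded = doh.get("ExcludedDomains")
    excluded = excluded if isinstance(excluded, list) else []
    locked = doh.get("Locked") is True  # without Locked the user can change it
    if doh.get("Enabled") is False:
        state = "disabled-locked" if locked else "disabled-unlocked"
    elif doh.get("Enabled") is True:
        state = "enabled-with-exceptions" if excluded else "enabled"
    else:
        state = "unset"
    return {"state": state, "locked": locked, "excluded": excluded}

# Constructed sample documents (not taken from any real deployment).
SAMPLES = {
    "locked_off": '{"policies": {"DNSOverHTTPS": {"Enabled": false, "Locked": true}}}',
    "soft_off": '{"policies": {"DNSOverHTTPS": {"Enabled": false}}}',
    "split_horizon": '{"policies": {"DNSOverHTTPS": {"Enabled": true,'
                     ' "ExcludedDomains": ["corp.example"]}}}',
    "other_only": '{"policies": {"DisableTelemetry": true}}',
    "empty": '{"policies": {}}',
    "broken": '{"policies": {"DNSOverHTTPS": ',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", audit_doh_policy(text)["state"])
```

Only the "disabled-locked" result matches what the replies recommend; "implicit" means the file relies on the rollout skipping managed installs rather than on an explicit setting.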