mikaela.github.io/blog/_posts/2024-05-17-https-everywhere.md

---
layout: post
title: "HTTPS Everywhere through browser policy"
category: [english]
tags: [firefox, chromium, browsers, browser, policy]
redirect_from:
- /https-everywhere.html
- /httpseverywhere.html
- /https.html
lang: en
robots: noai
---
_I used to be sad that the EFF discontinued the HTTPS Everywhere extension: its
setting often didn't sync, and it only applied to me rather than to everyone
using a shared computer. Since I have dived into browser policies, however, this
is no longer an issue for me._
I will be referring to my
[shell-things](https://gitea.blesmrt.net/mikaela/shell-things/) repository a
lot, particularly `etc/`. In case the link rots in the future, chances are my
git forges still have it available. I also have
[a script etc/init-browser-policies.bash](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/init-browser-policies.bash)
that creates the directories and the symlinks for Chromium-based browsers and
sets the permissions properly (if something won't work for you, check the
permissions!), so I only need to manage Chromium to also manage Brave, Google
Chrome, Microsoft Edge, Vivaldi etc.
Please note that I don't have a Windows or macOS machine at paw, and my only
advice for those is the official documentation (bottom of the page).
<!-- editorconfig-checker-disable -->
<!-- prettier-ignore-start -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
<em lang="fi">Automaattinen sisällysluettelo</em> / <em lang="en">Automatically generated Table of Contents</em>
- [Chromium](#chromium)
  - [DNS-over-HTTPS](#dns-over-https)
- [Firefox](#firefox)
  - [DNS-over-HTTPS](#dns-over-https-1)
- [Documentation and other policies](#documentation-and-other-policies)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- prettier-ignore-end -->
<!-- editorconfig-checker-enable -->
## Chromium
I love Chromium policies as I can just throw them into the directories
`/etc/opt/chromium/policies/{managed,recommended}/` as separate `.json` files
and then just copy the ones I need, instead of... but now I am getting ahead of
myself with Firefox. Managed means that the setting will be locked for the user,
and that is what I am using here; recommended changes the default and shows the
user an indicator that it is recommended, while still allowing them to change
it.
The case of HTTPS Everywhere is simple. I will copy a bit of my script:
```bash
# Create both policy directories (and /etc/opt/chromium if it is missing)
sudo mkdir -vp /etc/opt/chromium/policies/{managed,recommended}
# Chromium runs as the user, so the directories must be readable by everyone
sudo chmod -v a+rx /etc/opt/chromium/policies/
sudo chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/
```
---
If you don't speak \*nix, `mkdir -vp` creates the directories verbosely,
including their parent directories if those don't exist already, and
`chmod -v a+rx` verbosely allows everyone to read and execute (traverse) the
directory, both of which are needed for listing and opening its contents.
```bash
# An example, without the -p there would be error about the parent directory
# not existing
% mkdir -vp /tmp/meow/meow
mkdir: created directory '/tmp/meow'
mkdir: created directory '/tmp/meow/meow'
% chmod -v a+rx /tmp/meow
mode of '/tmp/meow' retained as 0755 (rwxr-xr-x)
```
---
Anyway, HTTPS Everywhere for Chromium. Once the directory exists, it's just a
matter of creating a JSON file there, e.g.
`/etc/opt/chromium/policies/managed/https-everywhere.json`:
```json
{
  "EncryptedClientHelloEnabled": true,
  "HttpsOnlyMode": "force_enabled",
  "HttpsUpgradesEnabled": true
}
```
Now visit `about:policy` and see the policy appear (or if Chromium was already
running, click `Update policies`) and you are done. Try visiting
[http.badssl.com](https://http.badssl.com) to see it in action.
Of course the user can still click through and navigate there, but the HTTPS
Everywhere extension had that behaviour too, and there is likely a separate
policy for that.
_EncryptedClientHello was added here some hours after publishing the article
alongside with Firefox DNS-over-HTTPS. See the bottom of page for changelog
link._
To put `EncryptedClientHello` simply, it hides which domain you are requesting
from an HTTPS-capable web server that may be serving multiple domains. Chromium
only uses it when DNS-over-HTTPS is in use
([Chromium restriction](https://issues.chromium.org/issues/40935452)); otherwise
the name `example.net` travels in plaintext, both in the DNS query and in the
_Server Name Indication_ of the TLS handshake.
It's good for your privacy, bad for enterprise network admins or those wishing
to perform censorship.
### DNS-over-HTTPS
You might have noticed that Chromium no longer allows you to use DNS over HTTPS
since the browser is now "managed by an organization". This will require another
policy that either unlocks it or forces everyone to use it.
`/etc/opt/chromium/policies/managed/doh-unlocked-unset.json`:
```json
{
  "DnsOverHttpsMode": "automatic"
}
```
and the user is once again free to use their preferred DoH provider.
`/etc/opt/chromium/policies/managed/doh-quad9.json`:
```json
{
  "DnsOverHttpsMode": "automatic",
  "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
}
```
And now the user is using DNS-over-HTTPS from Quad9, with fallback to the system
resolver allowed (which for me is encrypted anyway). `automatic` could be
replaced with `secure` to disallow the downgrade, but I had issues with Chromium
losing connectivity entirely.
You may notice that multiple DoH providers are allowed; however, I don't know
what logic is used for choosing between them. Oh, and the weird HTTPS port 5053?
It comes from
[docs.quad9.net/services](https://docs.quad9.net/services/#alternate-ports).
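Since "check the permissions!" is the usual fix, here is an added audit script (not code from this page or from the shell-things repository) for a Chromium managed policy directory: it checks that the directory and every `.json` file in it are world-readable, that every file parses, that no policy is set to two different values in two files, and that the three HTTPS values from `https-everywhere.json` are present. `demo()` runs it over a constructed temporary directory; the conflicting `"allowed"` file in it is a constructed example.

```python
import json
import stat
import tempfile
from pathlib import Path

EXPECTED = {"HttpsOnlyMode": "force_enabled", "HttpsUpgradesEnabled": True,
            "EncryptedClientHelloEnabled": True}

def world_readable(path: Path) -> bool:
    """a+r for files, a+rx for directories, as the chmod lines above set."""
    mode = path.stat().st_mode
    return bool(mode & stat.S_IROTH and (not path.is_dir() or mode & stat.S_IXOTH))

def audit_policy_dir(policy_dir, expected=EXPECTED) -> list:
    """Return problem descriptions; an empty list means the directory looks sane."""
    policy_dir = Path(policy_dir)
    problems, seen = [], {}  # seen: policy name -> (first file, value)
    if not world_readable(policy_dir):
        problems.append(f"{policy_dir}: directory is not a+rx")
    for f in sorted(policy_dir.glob("*.json")):
        if not world_readable(f):
            problems.append(f"{f.name}: file is not a+r")
        try:
            data = json.loads(f.read_text())
        except json.JSONDecodeError as e:
            problems.append(f"{f.name}: invalid JSON ({e.msg}, line {e.lineno})")
            continue
        for key, value in data.items():  # same policy in two files with two values
            if key in seen and seen[key][1] != value:
                problems.append(f"{key}: {seen[key][0]} sets {seen[key][1]!r}, "
                                f"{f.name} sets {value!r}")
            seen.setdefault(key, (f.name, value))
    for key, want in expected.items():
        if key not in seen:
            problems.append(f"{key}: not set by any file")
        elif seen[key][1] != want:
            problems.append(f"{key}: is {seen[key][1]!r}, expected {want!r}")
    return problems

def demo() -> list:
    """Constructed sample tree: the article's file plus a conflicting, unreadable one."""
    d = Path(tempfile.mkdtemp())
    d.chmod(0o755)
    good = d / "https-everywhere.json"
    good.write_text(json.dumps(EXPECTED))
    good.chmod(0o644)
    bad = d / "zz-override.json"  # constructed: different value, mode 0600
    bad.write_text(json.dumps({"HttpsOnlyMode": "allowed"}))
    bad.chmod(0o600)
    return audit_policy_dir(d)
```

On a real system, call `audit_policy_dir("/etc/opt/chromium/policies/managed")` and print whatever it returns.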
## Firefox
Firefox is a bit more complicated in the sense that everything belongs in one
`policies.json` file, so there is no separating different policies into
different files, _and_ there is no direct policy for HTTPS-only mode.
_**WARNING for [LibreAwoo](https://librewolf.net/) users**_!
[This will mask LibreAwoo's own policy](https://codeberg.org/librewolf/issues/issues/1767)
(`/usr/share/librewolf/distribution/policies.json`,
[codeberg](https://codeberg.org/librewolf/settings/src/branch/master/distribution/policies.json)),
so make sure to copy the parts you wish to keep before applying this (although I
think it might have this out of the box).
Assuming you read the Chromium section above, you already know the drill with
the commands and flags:
```bash
sudo mkdir -vp /etc/firefox/policies
sudo chmod -v a+rx /etc/firefox/
sudo chmod -v a+rx /etc/firefox/policies/
# A new command! touch updates the access/modification times to now, or
# creates the file if it doesn't exist
sudo touch /etc/firefox/policies/policies.json
sudo chmod -v a+r /etc/firefox/policies/policies.json
# Firefox ESR reads a different directory that I don't want to manage
# separately, so point it at the same one. -n prevents creating
# /etc/firefox-esr/firefox inside the target if the symlink already exists.
sudo ln -nsv /etc/firefox /etc/firefox-esr
```
Now edit the `/etc/firefox/policies/policies.json` with your favourite text
editor and have contents similar to:
```json
{
  "policies": {
    "DisableEncryptedClientHello": false,
    "Preferences": {
      "dom.block_download_insecure": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
      "dom.security.https_only_mode": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      }
    }
  }
}
```
After saving and restarting Firefox, `about:policies` should display the change,
`about:config` should display the two preferences as grayed out and within
settings HTTPS-Only mode is used in all windows and grayed out.
An easy test is again [http.badssl.com](http://http.badssl.com).
### DNS-over-HTTPS
_This section was added some hours after publishing. Refer to the log link at
the bottom for more information._
Like Chromium, Firefox also supports DoH, although here it must live in the same
`/etc/firefox/policies/policies.json` file as before. A `DNSOverHTTPS` block is
simply added to the `policies` object:
```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "Fallback": false,
      "Locked": true,
      "ProviderURL": "https://dns.quad9.net/dns-query"
    },
    "DisableEncryptedClientHello": false,
    "Preferences": {
      "dom.block_download_insecure": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
      "dom.security.https_only_mode": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      }
    }
  }
}
```
The new keys are also quite self-explanatory with boolean `true` or `false`
values:
- `Enabled`: is DoH enabled by default?
- `Fallback`: is it OK to automatically use the system resolver if the DoH
  server doesn't work? (There is a similar warning as with HTTPS-only mode even
  when this is `false` as in the example.)
- `Locked`: is the user allowed to change these options (including which DoH
  server, if any, they want to use) or are they grayed out? I like locking it so
  I don't have to worry where else I may have configured it.
- `ProviderURL`: which URL is used for queries? I am under the impression that,
  unlike with Chromium, multiple addresses aren't allowed here.
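Because Firefox insists on one `policies.json`, here is an added helper (not code from this page or from the shell-things repository) that deep-merges per-topic fragments, such as the HTTPS-only block and the `DNSOverHTTPS` block above, into that single document and refuses when two fragments set the same leaf to different values. The fragment directory `/etc/firefox/policies.d/` is an assumption made up for the example; the two fragment dicts are constructed from the article's JSON.

```python
import json
from pathlib import Path

# The article's two Firefox blocks as separate fragments (constructed from its JSON)
HTTPS_ONLY_FRAGMENT = {"policies": {
    "DisableEncryptedClientHello": False,
    "Preferences": {
        "dom.block_download_insecure": {"Status": "locked", "Type": "boolean", "Value": True},
        "dom.security.https_only_mode": {"Status": "locked", "Type": "boolean", "Value": True},
    }}}
DOH_FRAGMENT = {"policies": {"DNSOverHTTPS": {
    "Enabled": True, "Fallback": False, "Locked": True,
    "ProviderURL": "https://dns.quad9.net/dns-query"}}}

def merge_policies(base: dict, extra: dict, path: str = "") -> dict:
    """Deep-merge two fragments; a leaf set to different values in both is an error."""
    out = dict(base)
    for key, value in extra.items():
        here = f"{path}.{key}" if path else key
        if key in out and isinstance(out[key], dict) and isinstance(value, dict):
            out[key] = merge_policies(out[key], value, here)
        elif key in out and out[key] != value:
            raise ValueError(f"conflict at {here}: {out[key]!r} vs {value!r}")
        else:
            out[key] = value
    return out

def merge_fragments(fragments) -> dict:
    """Fold any number of fragments into one policies document."""
    merged = {}
    for frag in fragments:
        merged = merge_policies(merged, frag)
    return merged

def merge_directory(fragment_dir) -> str:
    """Merge every *.json in fragment_dir (sorted by name) into policies.json text.
    Assumed layout (hypothetical): /etc/firefox/policies.d/*.json, one topic per file."""
    paths = sorted(Path(fragment_dir).glob("*.json"))
    merged = merge_fragments(json.loads(p.read_text()) for p in paths)
    return json.dumps(merged, indent=2, sort_keys=True) + "\n"

def conflict_message(fragments):
    """The conflict description, or None when the fragments merge cleanly."""
    try:
        merge_fragments(fragments)
    except ValueError as e:
        return str(e)
    return None
```

Write the string returned by `merge_directory("/etc/firefox/policies.d")` to `/etc/firefox/policies/policies.json` and fix its permissions as above.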
_Have you seen a note about temptation to write about IPv6 here? Perhaps you are
looking for `network.dns.preferIPv6` and `network.trr.early-AAAA`?_
**Updated note on Firefox ECH:** DNS-over-HTTPS is no longer required for ECH,
since `network.dns.native_https_query` exists (unless you are on the ESR branch
at version 115). You should already know how to enable it if you have read this
far 😼
**_SEQUEL ANNOUNCEMENT!_** [Part Ⅱ: Browser policies Ⅱ: Deploying PrivacyBadger
and uBlock Origin]({% post_url blog/2024-05-22-policy-contentblocker %}) is now online!
## Documentation and other policies
In case you have talked with me recently, chances are you have heard me
complaining about all the nice settings being hidden in browser policy.
- You have probably found my policies already, but anyway here they are, all
  paths referring to the `shell-things` repo:
  - [etc/init-browser-policies.bash](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/init-browser-policies.bash)
  - [etc/opt/chromium/policies](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/opt/chromium/policies)
  - [etc/firefox/policies](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/firefox/policies)
  - _PS. If you read them too deeply, do as I say, not as I do, because I do
    have a bit too many extensions and all..._
- The official documentation:
  - [mozilla.github.io/policy-templates](https://mozilla.github.io/policy-templates/)
  - [LibreAwoo policies.json could be mentioned here as well](https://codeberg.org/librewolf/settings/src/branch/master/distribution/policies.json)
  - [chromeenterprise.google/policies/](https://chromeenterprise.google/policies/)
    mostly also applies to Chromium-based browsers, which may have their own
    additions:
    - [Brave group policy](https://support.brave.com/hc/en-us/articles/360039248271-Group-Policy)
    - [Microsoft Edge policy documentation](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies)
- Other documentation that may be interesting:
  - [Ecosia as default search engine through Group Policy](https://ecosia.helpscoutdocs.com/article/487-windows-group-policy-guides)
  - [Privacy Badger enterprise deployment and configuration](https://github.com/EFForg/privacybadger/blob/master/doc/admin-deployment.md)
    - [I maybe got involved there too a bit](https://github.com/EFForg/privacybadger/discussions/2947)
  - [Deploying uBlock Origin](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin)
    and
    [deploying uBlock Origin configuration](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin:-configuration)
    - These also apply to [AdNauseam](https://adnauseam.io/), just change the
      extension ID in your policy.
- Possibly helpful Wikipedia articles:
  - [HTTPS Everywhere](https://en.m.wikipedia.org/wiki/HTTPS_Everywhere)
  - [DNS-over-HTTPS](https://en.m.wikipedia.org/wiki/DNS_over_HTTPS)
  - [Server Name Indication & Encrypted Client-Hello](https://en.m.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello)
[_GitHub commits for this page._](https://github.com/Mikaela/mikaela.github.io/commits/master/blog/_posts/2024-05-17-https-everywhere.md)