12 KiB
I used to be sad since the EFF discontinued HTTPS Everywhere extension since the setting often didn’t sync and it only applied to me as opposed to everyone using a shared computer. However since I have dived into browser policies, this is no longer an issue for me.
I will be referring to my shell-things
repository a lot, particularly etc/
, in case the link rots
in the future, chances are my git forges still have that available. I
also have a
script etc/init-browser-profiles.bash that creates the directories,
symlinks for Chromium-based browsers and sets the permissions properly
(if something won’t work for you, check the permissions!), so I only
need to manage Chromium to also manage Brave, Google Chrome, Microsoft
Edge, Vivaldi etc.
Please note that I don’t have a Windows or macOS at paw and my only advice for those is the official documentation (bottom of the page).
Chromium
I love Chromium policies as I can just throw them in the directories
/etc/opt/chromium/policies/{managed,recommended}/
in
different .json
files and then just copy what I need
instead of… Now I am going ahead of myself with Firefox. Managed means
that the setting will be locked for the user and that is what I am using
here, recommended will change the default and show an indicator for the
user about it being recommended while still allowing it to be changed by
the way.
The case of HTTPS Everywhere is simple. I will copy a bit of my script:
sudo mkdir -vp /etc/opt/chromium/policies/{managed,recommended}
sudo chmod -v a+rx /etc/opt/chromium/policies/
sudo mkdir -vp /etc/opt/chromium/policies/recommended
sudo chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/
If you don’t speak *nix, mkdir -vp
creates the
directories verbosely including their parent directories if those don’t
exist already and chmod -v a+rx
verbosely allows everyone
to read and execute, which is required for listing directory
contents.
# An example, without the -p there would be error about the parent directory
# not existing
% mkdir -vp /tmp/meow/meow
mkdir: created directory '/tmp/meow'
mkdir: created directory '/tmp/meow/meow'
% chmod -v a+rx /tmp/meow
mode of '/tmp/meow' retained as 0755 (rwxr-xr-x)
Anyway, HTTPS Everywhere for Chromium. Once the directory exists,
it’s just a matter of creating a json file there, e.g.
/etc/opt/chromium/policies/managed/https-everywhere.json
:
{
"EncryptedClientHelloEnabled": true,
"HttpsOnlyMode": "force_enabled",
"HttpsUpgradesEnabled": true
}
Now visit about:policy
and see the policy appear (or if
Chromium was already running, click Update policies
) and
you are done. Try visiting http.badssl.com to see it in
action.
Of course the user can still navigate there, but HTTPS Everywhere the extension had that behaviour too and there is likely a separate policy for that.
EncryptedClientHello was added here some hours after publishing the article alongside with Firefox DNS-over-HTTPS. See the bottom of page for changelog link.
To put EncryptedClientHello
simply, it will hide which
domain you are requesting from https capable web server, which may be
serving multiple domains when DNS-Over-HTTPS is used (Chromium
restriction), while generally the query for example.net
would go in plaintext alongside Server Name Indication.
It’s good for your privacy, bad for enterprise network admin or those willing to perform censorship.
DNS-over-HTTPS
You might have noticed that Chromium no longer allows you to use DNS over HTTPS since the browser is now “managed by an organization”. This will require another policy that either unlocks it or forces everyone to use it.
/etc/opt/chromium/policies/managed/doh-unlocked-unset.json
:
{
"DnsOverHttpsMode": "automatic"
}
and the user is once again free to use their preferred DoH provider.
/etc/opt/chromium/policies/managed/doh-quad9.json
:
{
"DnsOverHttpsMode": "automatic",
"DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
}
And the user is using DNS-over-HTTPS from Quad9 with fallback to
system resolver allowed (which for me is encrypted anyway). The
automatic
could be replaced with secure
to not
allow downgrade, but I had issues with Chromium losing connectivity
entirely.
You may notice that multiple DoH providers are allowed, however I don’t know what logic is used for choosing between them. Oh and the weird https port 5053? It comes from docs.quad9.net/services.
Firefox
Firefox is a bit more complicated in the sense that everything
belongs to one policies.json
file, so there is no
separating different policies to different files and there is
no direct policy for HTTPS-only mode.
WARNING for LibreAwoo users! This will mask
LibreAwoo’s policy
(/usr/share/librewolf/distribution/policies.json
, codeberg),
so make sure to copy the parts you wish to use before applying this
(although I think it might have this out of the box).
Hoping you read the Chromium section above, you may know the drill with the commands and flags:
sudo mkdir -vp /etc/firefox/policies
sudo chmod -v a+rx /etc/firefox/
sudo chmod -v a+rx /etc/firefox/policies/
# A new command! Updates modification/creation dates to now or if it doesn't
# exist, creates the file
sudo touch /etc/firefox/policies/policies.json
sudo chmod -v a+r /etc/firefox/policies/policies.json
# Firefox ESR reads a different directory that I don't want to manage
# separately. -n prevents creating /etc/firefox/firefox if the symlink
# already exists.
sudo ln -nsv /etc/firefox /etc/firefox-esr
Now edit the /etc/firefox/policies/policies.json
with
your favourite text editor and have contents similar to:
{
"policies": {
"DisableEncryptedClientHello": false,
"Preferences": {
"dom.block_download_insecure": {
"Status": "locked",
"Type": "boolean",
"Value": true
},
"dom.security.https_only_mode": {
"Status": "locked",
"Type": "boolean",
"Value": true
}
}
}
}
After saving and restarting Firefox, about:policies
should display the change, about:config
should display the
two preferences as grayed out and within settings HTTPS-Only mode is
used in all windows and grayed out.
An easy test is again http.badssl.com.
DNS-over-HTTPS
This section was edited in afterwards some hours after the publishing. Refer to the log link on the bottom for more information.
Like Chromium, Firefox also supports DoH, although here it must be in
the same /etc/firefox/policies/policies.json
file as
before. It’s simply appended (or prepended) a bit:
{
"policies": {
"DNSOverHTTPS": {
"Enabled": true,
"Fallback": false,
"Locked": true,
"ProviderURL": "https://dns.quad9.net/dns-query"
},
"DisableEncryptedClientHello": false,
"Preferences": {
"dom.block_download_insecure": {
"Status": "locked",
"Type": "boolean",
"Value": true
},
"dom.security.https_only_mode": {
"Status": "locked",
"Type": "boolean",
"Value": true
}
}
}
}
The new sections are also quite self-explanatory with boolean
true
or false
values.
- Is DoH enabled by default?
- Is it OK to automatically use system resolver if the DoH server
doesn’t work? (There is a similar warning as with HTTPS only mode even
if this was
false
like in the example.) - Is the user allowed to change these options (including which DoH server (if any) they want to use) or are they grayed out? I like locking it so I don’t have to worry where else I may have configured it.
- Which URL is used for queries? I am under impression that unlike with Chromium, multiple addresses aren’t allowed here.
Have you seen a note about temptation to write about IPv6 here?
Perhaps you are looking for network.dns.preferIPv6
and
network.trr.early-AAAA
?
Updated note on Firefox ECH: DNS-Over-HTTPS is no
longer required for ECH, since
network.dns.native_https_query
exists (if you aren’t using
ESR branch on version 115). You should already know how to enable it if
you have read this far 😼
Documentation and other policies
In case you have talked with me recently, chances are you have heard me complaining about all the nice settings being hidden in browser policy.
- You have probably already found my policies already, but anyway here
they are, all paths referring to the
shell-things
repo:- etc/init-browser-policies.bash
- etc/opt/chromium/policies
- etc/firefox/policies
- PS. If you read them too deeply, do as I say, not as I do, because I do have a bit too many extensions and all…
- The official documentation:
- mozilla.github.io/policy-templates
- chromeenterprise.google/policies/ mostly also applies to Chromium based browsers, who may have their own additions:
- Other documentation that may be interesting:
- Ecosia as default search engine through Group Policy
- Privacy Badger enterprise deployment and configuration
- Deploying
uBlock Origin and deploying
uBlock Origin configuration
- These also apply to AdNauseam, just change the extension ID in your policy.
- Possibly helpful Wikipedia articles: