undefined | Better HN

0 pointsest316y ago0 comments

Of course you can lock stuff via enterprise settings so that about:config entries can't be modified by local users, but that takes time to find out and test, while removing the weird non-Chrome browser that's still present mostly for inertia reasons but nowadays only gets used for evil porn is much easier.

0 comments

close046y ago

Saving time by applying a non-solution 9like removing one browser instead of treating the root cause) is not actually saving anything. You just kick the problem further down the road. Firefox prefs are documented even if not in the most user friendly way [0][1][2][3]. For the most part performing some basic hardening and other useful config on the browser takes less than a day. A person with some IT background shouldn't have too much problems doing it and it's more or less a one time thing.

[0] https://dxr.mozilla.org/mozilla-release/source/modules/libpr...

[1] https://dxr.mozilla.org/mozilla-release/source/browser/app/p...

[2] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Ent...

[3] https://support.mozilla.org/en-US/products/firefox-enterpris...

simondedalus6y ago

no, using the nuclear option of removing the browser outright when others work is the smart, efficient option that someone who actually works in IT with limited resources would (and should) use.

this stuff about finding all the right config files during "basic hardening" and having it just work is the stuff of armchair commenters and people who do IT/security on a well funded, sufficiently redundant team. assuming the latter would be the people in charge of school IT is hopelessly naive.

close046y ago

So tell me then, what exactly are you achieving with removing Firefox when the same bypass can easily be achieved with Chrome? Remove Chrome also? Call the well funded security team to configure whatever browser you’ll eventually have to use?

The problem with half assed work is that you still put in some effort but reap none of the rewards. You work to uninstall Firefox from dozens of computers but get exactly 0 results because now you’ll have to configure Chrome. Default installations of both browsers are perfect for home use but woefully inadequate for controlled networks.

And in the end you put in just about as much effort as changing some flags in any one of the dozens of example config files available on the internet and copying it on every machine.

1 more reply

buran776y ago

How efficient is the "nuclear option" when all browsers have DNS-over-HTTPS? By then you have a few options:

- Implement a proxy to break SSL.

- Configure the browsers to disable DOH (GPO or local configuration) for as long as it's an option.

- remove all browsers because that's the solution you already have in place.

I wholeheartedly disagree with any resolution that just hides or ignores the issue especially when it's scheduled to become more or less standard.

isostatic6y ago

Yes, we should stick with IE6 on all machines, no need for any other browsers

1 more reply

j / k navigate · click thread line to collapse

0 comments

close046y ago

[0] https://dxr.mozilla.org/mozilla-release/source/modules/libpr...

[1] https://dxr.mozilla.org/mozilla-release/source/browser/app/p...

[2] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Ent...

[3] https://support.mozilla.org/en-US/products/firefox-enterpris...

simondedalus6y ago

no, using the nuclear option of removing the browser outright when others work is the smart, efficient option that someone who actually works in IT with limited resources would (and should) use.

close046y ago

And in the end you put in just about as much effort as changing some flags in any one of the dozens of example config files available on the internet and copying it on every machine.

1 more reply

buran776y ago

How efficient is the "nuclear option" when all browsers have DNS-over-HTTPS? By then you have a few options:

- Implement a proxy to break SSL.

- Configure the browsers to disable DOH (GPO or local configuration) for as long as it's an option.

- remove all browsers because that's the solution you already have in place.

I wholeheartedly disagree with any resolution that just hides or ignores the issue especially when it's scheduled to become more or less standard.

isostatic6y ago

Yes, we should stick with IE6 on all machines, no need for any other browsers

1 more reply

j / k navigate · click thread line to collapse