The security section is kind of boring as of now. So I'll just start bugging everyone in the privacy section then. =V I was messing around with about:config, well I'm using Pale Moon but this also should be applicable to Firefox and its derivatives. These tips have been mentioned very often, but they are sporadic and as far as I'm aware of there's no single place to gather them in one place for an easy access. So far I only have done some small configurations: Code: browser.cache.disk.enable = false browser.cache.memory.enable = false browser.send_pings = false geo.enabled = false network.dns.disableIPv6 = true network.http.sendRefererHeader = 0 If people have more info about what else needs to be configured in about:config then feel free to mention it. So anyone who wishes to harden their browser will only need to look up in one place and not missing/forgetting any manual configuration. Note: The browser.send_pings is set to "false" by default in Pale Moon. I don't know how is it in Firefox and other derivative browsers, I mentioned it just for the sake of notification. WARNING! Keep in mind that some of these tweaks may cause problems in your browsing experience. For example, network.http.sendRefererHeader set to 0 may give you problems when accessing your Outlook Mail account in your web browser. Try to set it to 1 and see if it fixes your problem.
Code: plugin.expose_full_path false // websites can't see the full path via navigator.plugins plugins.notifyMissingFlash false // block Flash notifications from appearing in the browser permissions.default.image 3 // loading images from original server only dom.battery.enabled false // fingerprinting due to differing OS implementations dom.network.enabled false // fingerprinting due to differing OS implementations dom.storage.enabled false // can store per-session or domain-specific data as name/value pairs on the client using DOM Storage.
Two options from RequestPolicy addon which you can configure within the browser itself: Code: network.dns.disablePrefetch = true network.prefetch-next = false
Do you know what setting(s) Request Policy uses to "not send" any HTTP authentication data to third-party sites? (third party tracking by authenticated headers) I don't think this is configurable through browser (about:config) settings without using something like Request Policy.
I'm not sure, but I also don't think it's possible. Browser configurations never really allow such flexibility.
According to kb.mozillazine.org when setting network.http.sendSecureXSiteReferrer (default is true) then network.http.sendRefererHeader must be set to 1 or 2 for this preference to have an effect. network.http.sendSecureXSiteReferrer; false = Don't send the Referer header when navigating from a https site to another https site. Those concerned with privacy can set this to false, realizing that this may adversely affect some sites. network.http.sendRefererHeader (default is 2 - send the Referer header) Those concerned with privacy can set this to 0, realizing that this may adversely affect some sites. Disabling Referer headers may cause some functionality on some sites to no longer work.
RP extension doesn't rely on any native (about:config) settings. It observes the on-modify-request event https://developer.mozilla.org/en/docs/Setting_HTTP_request_headers#Observers and (per rules you've setup) achieves "not send" by killing/cancelling any HTTP request intended for 3rd-party destination. By the way, RP has been recently "reborn" & is being actively developed: https://github.com/RequestPolicyContinued/requestpolicy
Well what can I say. I guess I like to go all out on HTTPS. Code: security.enable_tls_session_tickets; false // disable https-tracking security.ssl.enable_false_start; true // disable https-tracking NOTE: Default setting for _tickets is true and default setting for _start is false. Code: browser.cache.disk_cache_ssl; // default true allows the caching of secure web pages in your browser disk cache, but you may want to set this to false. I also checked into Pale Moon RC4 encryption ciphers. Of the 6 listed 2 are set to false and 4 are set to true. This may need to be addressed in Firefox and all Mozilla based forks.
Thanks for info. I take it though that if one is not using Request Policy authenticated header tracking is taking place, but the data will be deleted once browser is closed. Of couse that doesn't solve the problem when one has a browser session open and is sending data to third-party destinations.
But the two options (disable DNS prefetching and disable link prefecthing) in the advanced tab rely on about:config, right?
When you install Request Policy -> Advanced tab yes link prefetching and DNS prefetching are disabled on startup and restored back to default when Request Policy is uninstalled. (about:config) Code: extensions.requestpolicy.prefetch.dns.disableOnStartup; true extensions.requestpolicy.prefetch.link.disableOnStartup; true (about:config) network.prefetch-next; false // disable link prefetching network.dns.disablePrefetch; true // disable DNS prefetching network.dns.disablePrefetchFromHTTPS; true (NOTE: creating this preference and setting it to FALSE will enable DNS prefetching for secure links and objects) NOTE: Don't know if Request Policy handles HTTPS DNS prefetching.
If you are a bit paranoid you will touch all the things that you don't need. Such as webgl, a lot of the things under media: wave, opus, ogg and probably more. WebGL for instance has a bad security history and its very likely it could contain more issues that can help an attacker compromise your privacy and security. You should also consider sacrifice usability and disable javascript totally, the javascript code is constantly changing to offer better performance and its high risk that holes that aren't there today get added as well Have the browser identify itself like some other browser. If it looks like something else it might confuse an attacker a bit add a new string with the Preferance Name: general.useragent.override will do that to some extent, then look up what some phone or other browser use as useragent and add that value, this will make pages look odd but that's because a lot of sites relay on what browser you are identifying yourself as to serve you specific code, the idea here is that an attacker doing the same might end up not using the latest Firefox exploit against you when he thinks its a chrome user. css is something used for layout. And it has been security issues with it before, Firefox has some options in about config that let you disable some of the (mostly new) things css can do, you most likely want to do that if your goal is preventing zerodays. Custom fonts also has a history with security, it can be argued that you don't have to worry about this but I would disable downloadable fonts, I don't think this will affect the look on most pages you visit. browser.frames.enabled is also worth to maybe disable, it lets sites include other sites, so while you visit somesite.com it could make sure to load someothersite.com/funnyfish.html, it has legitimate uses but it can also be used for tracking or lunching bad code from a third party. browser.cache.offline.enable browser.cache.memory.enable These are stuff that you most likely won't need to browse around but they can store added information about you, suggestion keep it disabled. There is so much more you can do, you can do various things to make SSL a bit more restrictive in what it considers good encryption and change various sizes allowed. Its too much to go through here and I'm no expert on the area. But I think you have to consider sacrificing some functionality if your goal is a somewhat secure browser, that's usually what you do when you have a server or something, you don't keep on this and that function if you can do without it (because holes targeting those functions might have been found by an attacker already).
// disable short URL keyword guessing: set to false NOTE: default true Code: browser.fixup.alternate.enabled false keyword.enabled false NOTE: Do search on typosquatting (URL hijacking) which is a form of cybersquatting which relies on mistakes such as typographical errors made by the user inputting a website address into the browser. Firefox also should not be guessing which websites you want to go to when inputting short words into the URL address bar. Another area you might want to check is social. Open about:config and type in social (Search bar) Pale Moon by default has social.enabled set to false. (disabled) Firefox may be set to true. You can change the other (social.) preferences here to as well if you want.
Attached is a list of 375 preferences, in alphabetical order, with no suggested values. I think the vast majority of these would be of interest to someone wanting to lock down their browser. Some preferences on the list are loosely coupled to the subject. Some are on the list for other reasons. A tiny number of the preferences won't be found in about:config because they aren't set by default or checked into release yet. These aren't marked. I small number of the preferences may no longer be applicable. The ones I know to question are marked with // Defunct? You can search for preferences via https://mxr.mozilla.org/. Most would want to search the release branch. Nearly all preferences will show up as complete strings. However, sometimes the code uses a separate prefix and you'll have to search for fragments of the preference string. You can also search for info at bugzilla.mozilla.org, support.mozilla.org, etc. It is hard to keep up with FF changes. I doubt the list is perfect. Worth considering: autoconfig and user.js Edit: Added a few more
That's quite the list. I noticed some users are using 'localhost' as the string value in preferences such as: browser.geolocation.warning.infoURL browser.contentHandlers.types... gecko.handlerService.schemes... Some more about:config tweaks to consider. Code: breakpad.reportURL // default=https://crash-stats.mozilla.com/report/index/ Disable Firefox crash error reporting to Mozilla by deleting URL string (leave blank) Code: browser.urlbar.trimURL; false Don't trim "http://" prefix in location bar - you want all parts of url to show. Code: browser.send_pings.require_same_host; true Disable sending pings to 3rd party content hosts.
That was my attempt at a "short list" too Already found a few more I know I'll want to look at. BTW, I'm pretty sure dom.network.enabled -> dom.netinfo.enabled.
Please Note: There are some about:config preferences that are enabled by default in Firefox, but are disabled by default in Pale Moon. Thought I would try to compare both browsers preferences. IMO both browsers can be "locked down" tighter than their default settings. TOR browser does change a lot of these settings and probably JonDonym as well. Also some preferences may not exist. (different developers and things keep changing in builds) Some may need to be created, but be aware not all may work because of coding changes. As TheWindBringeth noted some are to question. // defunct.
Ah, I forget you guys are talking about Pale Moon. You currently have these? // Network API pref("dom.network.enabled", true); pref("dom.network.metered", false); Mozilla Release has these: #if defined(MOZ_WIDGET_GONK) || defined(MOZ_WIDGET_ANDROID) // Network Information API pref("dom.netinfo.enabled", true); #else pref("dom.netinfo.enabled", false); #endif https://bugzilla.mozilla.org/show_bug.cgi?id=960426
RP simply toggles the pref. AFAIK, the browser refrains from performing DNSprefetch, period (including https scheme), while network.dns.disablePrefetch=true
Thanks for the link. Lot's of info to digest. Currently examining TorBrowser - Firefox 24.8.0ESR (about:config) TBB version 3.6.5 (Windows) Looking at preferences in the browser, dom, extensions, media, network, privacy and security sections. Have used Linux also.
How are you carrying out the comparison? Manually? With the help of a tool? That diffs website got me thinking. Perhaps one way to approach the problem would be to write an extension which a) works with Firefox and derivatives, b) dumps all preferences and values to a file. Then that extension, or another tool, could be used to compare/review preference dump files. I think such a tool could make it much easier to look for (run-time) preference differences in two Firefox versions, Firefox vs PaleMoon, Firefox vs TorBrowser, whatever. Perhaps export prefs from N browsers and programmatically create one column-sortable table showing the results for each. I'm going to pursue this at some point in the future and see if it works. Thought I'd mention it in case someone wants to look for an existing extension that does this and/or wants to pursue it themselves.
