Firefox Lockdown

Discussion in 'privacy technology' started by guest, Sep 8, 2014.

  1. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Well, I read [most of] that and the HTTP/2 draft and some related material including: TLS Next Protocol Negotiation (NPN), TLS Application-Layer Protocol Negotiation (ALPN), and HTTP Alternative Services. I had skimmed some of it before, but this was enough of a deluge that I'm overwhelmed at the moment. I definitely have to go back over it several more times and do or review some testing.

    Right now, I'm thinking my decision to disable all of that was the correct decision and gives me some breathing room. What is the most compelling reason you can think of to enable it?
     
  2. rethink

    rethink Registered Member

    Joined:
    Jan 13, 2015
    Posts:
    75
    One question, today my machine upgraded to Firefox 38 ESR
    browser.search.countryCode
    browser.search.region

    With region, how is this set? I mean it seems to be set by the user and if you reset it, the values are deleted.

    intl.locale.matchOS;false

    Also this value is set to false, which is good. Any ideas?
     
  3. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    All the SPDY references had me in a deja-vu old-dinosaur mode. I recall session persistence stuff in connection with things like FTAM.

    In that instance, the idea was certainly to persist over network outages and also machine outages, and being the session layer, were supposed to be insulated or ignorant of network layer information (e.g. IP address).

    But these days, I completely agree with comments above, that you want control over this at the application user level. Because - by and large - the networking speeds and reliability are such that you have a good chance of hour-long transfers going OK (and transport layer protection and retransmission doing most of the recovery work), there is little justification for having a persistent network-stack-based persistence of sessions when you can't manage or approve those. Sounds very dangerous from a privacy point of view, but likely is symptomatic of the services wanting to turn our browsers into graphically attractive dumb terminals to their "mainframes".
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    This might be interesting (although I haven't checked it very thoroughly yet):

    https://github.com/pyllyukko/user.js

     
  6. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Very interesting, thanks for the link.
     
  7. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Earlier in this thread (hope I'm posting to the correct thread) someone mentioned interest in exporting / importing prefs.
    I just noticed this extension (haven't yet tested it) which might be useful:
    https://addons.mozilla.org/en-US/firefox/addon/save-load-prefs

    "Load preferences from a file into Firefox. Useful for mobile devices that don't allow access to the Firefox profile directory.
    About this add-on:
    (compatible with ff versions 26+)
    To use this addon, go to its options page in under Tools->Add-ons.
    Save your current user preferences to the configured location.
    The file has the same format as <your-firefox-profile>/prefs.js.
    Edit this file as you wish and save to a new file. Then load your new preferences into Firefox. The addon will save them to your profile."

    ==================

    BTW: In case you haven't noticed, AMO enables you to browse online the source code for extensions hosted on the AMO site.
    Here's a link to view the "save-load-prefs" extension source code:
    https://addons.mozilla.org/en-US/firefox/files/browse/321694/
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  9. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Iceweasel in debian stable and testing repositories is version 31esr.
    In later ff versions, and in iceweasel v38esr (debian unstable + experimental repositories) the phish-related safebrowsing hashlists
    are retrieved from mozilla-hosted servers but, yes, a few lists are still retrieved from google servers.

    Regarding the favicon requests behavior, nearly all of the remote icons are present in (inherited from) "default search engines list" supplied in the firefox build source.
    Debian devs added an item "search debian package lists" & supply data:image/x-icon right in the xml file. Same (local imagedata supplied) in other debian-added search engine entries that I checked.

    FWIW, aside from user-agent and/or "appid", I find nothing being leaked by these requests & have no qualms nor complaint regarding these.
    If you do, you can launch first-run without network connectivity and
    -- disable safebrowsing via about:config
    -- remove most of, or all of, the search engine entries (or edit each search xml file to change/remove remote icon imagefile URL)
     
    Last edited: Jul 18, 2015
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Does anyone know what is the situation of Iceweasel from Trisquel's/Parabola's repos?
    And what about IceCat?
     
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
  12. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    I really love this thread. By now, it's already into 6 pages.
    Is it possible or can someone consolidate all the latest privacy config settings?
     
  13. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    If you prefer to maintain your VPN IP, uncheck the following:
    http://i57.tinypic.com/2rhtjbq.jpg
     
  14. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I tried to do this and it crashed out FF... nothing worked, had to reinstall it. Had the same version, same addons & versions of them too. But it didn't work by replacing that pref file with the one I saved from my old installation. So now I just do it all over again. I wish there were an easier way but I haven't found one.
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I notice it trying to connect to 63.245.0.0 - 63.245.255.255 I block that range and only unblock it temporarily when I update addons.

    I also found a range HTTPS-Everywhere uses to phone... somewhere. 69.50.0.0 - 69.50.255.255

    Here's one Microsoft uses for good measure: 69.28.0.0 - 69.28.255.255

    It's a good habit to get into looking at active connection lists/logs, or netstat -an, to look for non-DNS IPs and see if they're necessary or not for the proper functionality of the site/program. If it's not, shoot first and ask questions later.

    I even found two ranges that Ixquick uses, but the downside is that with searches the pages don't load. It happens enough that it's a major irritant, like 35% of the time I'd say. But if you're interested here they are:

    213.144.0.0 - 213.144.255.255
    69.90.210.0 - 69.90.210.255

    I have a bunch more too. I block them in my router... all but the Ixquick & Firefox ones.
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I prefer using CCleaner to erase my sandbox. I enter the command: "Directory:\CCleaner\CCleaner.exe" /delete "%SANDBOX%"

    And have CCleaner set up for secure deletion, 1 pass.
     
  17. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
  18. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Seems reasonable, predictable, that a repurposed prefs file would be unusable
    unless you search/replaced path-related strings, ESPECIALLY the prefs associated with various addons.
    As for the claim "you only need the pref.js file", clearly that is incorrect if any addons were (and/or are now) installed.
    I've lost track whether it has been mentioned already in this looooong thread, but...
    the FEBE addon is reputedly (I haven't personally checked it against recent ff versions) still able to facilitate the migration of profiles.
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Heads up, some potentially disruptive changes are in the works:

    https://wiki.mozilla.org/Firefox/Go_Faster, short presentation video @ https://air.mozilla.org/go-faster/

    For those who don't want to review the above, a few notes I made:

    For Firefox Desktop, and potentially other products, Mozilla intends to switch to a continuous delivery model, which will involve more frequent, smaller, updates. The addon system will be leveraged, and a new type of "system addon" will be used to ship Firefox features. An example was given, of a woman using Firefox's search interface to perform searches and who steps away from her device for a moment. While she is away, a restartless system-addon is delivered and the search functionality is changed. When she comes back and resumes her searching, she'll automatically be using the newer functionality.

    System addons will apply to all profiles (under debate). System addons may not be uninstallable, but they may be disableable.

    There will be increased use of experiments and also instrumentation (telemetry). A goal is to validate ideas with users and incorporate only those features that are popular. Mozilla will begin testing features on subsets of the release channel, and rolling features out to release users in a phased manner. Plans are to separate some data from the product and have the installer/updater download that data separately. There is mention of "security policy updates" through a new update service, but I'm not sure what that refers to.
     
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Wow... that sounds feral.
     
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Looks like Fetch was enabled by default in FF39, and the code no longer checks for the dom.fetch.enabled pref.

    Pref to turn TP on when in Private Browsing mode
    https://bugzilla.mozilla.org/show_bug.cgi?id=1138979
    privacy.trackingprotection.pbmode.enabled

    Unified Telemetry work continues:
    https://wiki.mozilla.org/Unified_Telemetry
    https://bugzilla.mozilla.org/showdependencytree.cgi?id=1122515
    https://mxr.mozilla.org/mozilla-central/source/toolkit/components/telemetry/docs/

    Came across this:

    [e10s] Make a version of nsIContentPolicy that doesn't pass the node as a parameter
    https://bugzilla.mozilla.org/show_bug.cgi?id=1128798

    which discusses an issue with nsIContentPolicy-based filtering in e10s, and mentions efforts to develop a Chrome-like WebRequest API. It sounds like they intend to keep and make some improvements to nsIContentPolicy, but it will be more difficult to use due to e10s. So a simpler API was considered, and due to the desire to make porting Chrome extensions to Firefox easy, they created a WebRequest-like API. I sure hope we don't lose anything as a result of this and/or other efforts to move towards more common APIs.
     
    Last edited: Aug 3, 2015
  22. PallMall

    PallMall Guest

    All is ok except browser.cache.memory.enable = false, which is a nonsense, especially with disk cache disabled.
    I have otherwise those settings among several others, memory cache set to 512MB and Cyberfox profile on a RAMdisk.
    Security, privacy, swiftness.
     
  23. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
  24. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    139
    I was wondering if you guys could tell me if this is effective and if I placed the file in the right folder.

    I am using this guys user.js file https://www.reddit.com/r/privacy/comments/2uaent/tips_to_tune_your_firefox/

    I placed it in firefox by going to help > troubleshooting information > show folder and pasting it in there

    do those tweaks look effective? is it working just by being in that folder?
     
  25. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    Holysmoke, a comparatively better (more comprehensive) list
    was recently provided here @post #32 ---v
    https://www.wilderssecurity.com/threads/firefox-quiet.375074/page-2

    In regard to "...and if I placed the file in the right folder":
    I would discourage the "quickfix" approach of blindly downloading and pasting, en masse, someone's suggested prefs.
    If you're not willing/able to visit about:config and thoughtfully select and alter pref values, just fuggedaboutit.
     
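    Added example (not from any post in this thread): post #7 describes the user_pref() line format shared by prefs.js and user.js, and posts #24/#25 discuss dropping a downloaded user.js into a profile without reading it. The script below parses such a file and reports which prefs differ from, or are missing relative to, values you chose yourself; the sample file and the WANTED values are constructed for illustration, not a recommended configuration.

```python
import re

# One user_pref line from user.js / prefs.js:
#   user_pref("name", value);   value = "string", true/false, or integer
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(".*"|true|false|-?\d+)\s*\);\s*$'
)

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text.
    Comments, blank lines and malformed lines are skipped, much as Firefox
    silently ignores junk in user.js, so a typo in a pref never shows up as
    an error; comparing against a wanted list catches that."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = int(raw)
        prefs[name] = value
    return prefs

def audit_prefs(text, wanted):
    """Compare a prefs file with the values you decided on.
    Returns (mismatched, missing): mismatched maps pref -> (found, wanted);
    missing lists wanted prefs the file never sets (Firefox keeps its
    default for those)."""
    found = parse_prefs(text)
    mismatched = {}
    missing = []
    for name, want in wanted.items():
        if name not in found:
            missing.append(name)
        elif found[name] != want:
            mismatched[name] = (found[name], want)
    return mismatched, missing

# Constructed sample of a downloaded user.js (not a real file).
SAMPLE_USER_JS = """\
// privacy tweaks (constructed example)
user_pref("intl.locale.matchOS", false);
user_pref("browser.cache.memory.enable", false);
user_pref("general.useragent.override", "Mozilla/5.0 \\"custom\\"");
user_pref("browser.cache.disk.capacity", 0);
"""

# Prefs named in this thread with values chosen for the demo only.
WANTED = {
    "intl.locale.matchOS": False,
    "privacy.trackingprotection.pbmode.enabled": True,
    "browser.cache.memory.enable": True,
}
```

Running audit_prefs(SAMPLE_USER_JS, WANTED) flags browser.cache.memory.enable as set to False where True was wanted, and lists privacy.trackingprotection.pbmode.enabled as never set.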