Firefox - Change These For Better Privacy - Security

Discussion in 'privacy technology' started by DasFox, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. Eiso

    Eiso Registered Member

    Joined:
    Nov 17, 2011
    Posts:
    44
    Ah, by the way.... how did you secure HTTP Authentication without JondoFox? I can't seem to figure that out.
     
  2. tlu

    tlu Guest

    Yes, but that can be problematic in some cases. For example, on addons.mozilla.org you'll get different versions for some addons depending on the OS you're using. That's why it's a better solution to use UAControl and add that string in the "Default for sites not listed" field and set, e.g., AMO to "Normal".
     
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Thanks Eiso for the info this is great...

    For HTTP Auth try 'RequestPolicy'...

    Ok all we need now is just these three;

    HTTP session
    Signature
    Charset

    Here's a screen shot of the latest;

    http://i.imgur.com/48MUN.png

    I noticed that Tor uses these in the browser bundle;

    browser.sessionstore.privacy_level;2

    http://kb.mozillazine.org/Browser.sessionstore.privacy_level

    Dom.storage.enabled; false

    http://kb.mozillazine.org/Dom.storage.enabled

    Tor adds these two; (And they have no value, so I'm not sure about them)
    general.useragent.vendor;
    general.useragent.vendorSub;

    Here's one we should all be KILLING;
    Default setting; geo.enabled;true :thumbd:
    change to this; geo.enabled;false :thumb:

    And another Geo to kill;
    geo.wifi.uri;https://www.google.com/loc/json
    Under Windows type in ‘localhost’ and hit ‘OK’
    Under Linux leave the box blank (clear if necessary)

    The best thing I see to do at this point is to compare the 'about:config' options of the Tor browser bundle and FF...
     
    Last edited: Nov 30, 2011
  4. tlu

    tlu Guest

    Thanks DasFox for sharing this :thumb:

    How did you manage to have ETags and Authentication protected? Do you disable caching?

    EDIT: Regarding general.useragent.vendor and general.useragent.vendorSub: According to this site they are no longer specified by default in (=since) Firefox 1.5.

    EDIT2: It makes sense to create a user.js file in your FF profile folder and add your individual settings there (not only the privacy related ones), like:

    Code:
    user_pref("dom.storage.enabled", false);
    user_pref("geo.enabled", false);
    user_pref("geo.wifi.uri", " ");
    user_pref("browser.sessionstore.privacy_level", 2);
    Thus, if you create a new profile, just copy that file to the new profile folder and you'll have your individual settings back.
     
    Last edited by a moderator: Nov 30, 2011
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Hey I thought you were the pro, now you're asking the questions, hehe... :)

    Ok I'll give a run down of everything I've done so far and then we can try to figure out next these;

    HTTP Session
    Signature
    Charset

    I've divided the sections listed below in 'Bold', so please be aware of that when you're reading, that it pertains to that section only!


    Here's my list of changes in about:config;


    browser.cache.disk.enable - (user set boolean)
    false

    browser.cache.offline.enable - (user set boolean)
    false

    browser.search.suggest.enabled - (user set boolean)
    false

    browser.sessionstore.privacy_level - (user set integer)
    2

    dom.storage.enabled - (user set boolean)
    false

    general.useragent.override - (user set string)
    Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0

    geo.enabled - (user set boolean)
    false

    geo.wifi.uri - (user set string)
    leave 'value' blank for Linux, 'localhost' for Windows

    intl.charsetmenu.browser.cache - (user set string) - (Just look and see what you have?)
    UTF-8

    intl.accept_languages - (user set string)
    en-us

    network.cookie.lifetimePolicy - (user set integer)
    2

    network.http.accept.default - (user set string)
    text/html,application/xml,*/*

    Tor Browser Bundle has these, I don't think they really matter, but maybe...

    browser.cache.offline.enable;false
    browser.chrome.favicons;false
    browser.chrome.image_icons.max_size;0
    browser.chrome.site_icons;false

    These are in Tor that are not in Firefox, or different in Firefox...;

    browser.history_expire_days.mirror;0 - (user set integer)
    browser.microsummary.updateGenerators;false - (user set boolean)
    browser.places.importDefaults;false - (user set boolean)
    browser.places.migratePostDataAnnotations;false - (user set boolean)
    browser.places.updateRecentTagsUri;false - (user set boolean)
    browser.safebrowsing.remoteLookups;false - (user set boolean) - seems like this should be in FF; http://kb.mozillazine.org/Browser.safebrowsing.remoteLookups
    Tor uses - extensions.autoDisableScopes;0 - Firefox uses extensions.autoDisableScopes;15 https://developer.mozilla.org/en/Installing_extensions (Hmm not sure about this...)
    extensions.blocklist.pingCountTotal;2 - (user set integer)
    Tor uses - extensions.blocklist.pingCountVersion;2 - Firefox uses extensions.blocklist.pingCountVersion;0
    extensions.checkUpdateSecurity;true - (user set boolean) - Now why the heck wasn't this added in FF? -- http://kb.mozillazine.org/Extensions.checkUpdateSecurity
    extensions.update.notifyUser;false

    I wonder if these will add a layer for spoofing...

    general.appname.override;Netscape
    general.appversion.override;5.0 (Windows)
    general.buildID.override;0
    general.oscpu.override;Windows NT 6.1
    general.platform.override;Win32
    general.productSub.override;20100101

    These below look like Better Privacy, but it's not listed in the Addons Manager;

    extensions.bprivacy.DataDir;/Users/erinn/Library/Preferences/Macromedia
    extensions.bprivacy.donotaskforfolder;true
    extensions.bprivacy.donotaskonexit;true
    extensions.bprivacy.initiated;true

    Tor - network.http.pipelining;true - FF - network.http.pipelining;false
    Tor - network.http.pipelining.maxrequests;8 - FF - network.http.pipelining.maxrequests;4
    Tor - network.http.pipelining.ssl;true - FF - network.http.pipelining.ssl;false
    Tor - network.http.proxy.pipelining;true - FF - network.http.proxy.pipelining;false
    Tor - network.protocol-handler.external-default;false - FF - network.protocol-handler.external-default;true
    Tor - network.protocol-handler.external.mailto;false - FF - network.protocol-handler.external.mailto;true
    Tor - network.protocol-handler.external.news;false - FF - network.protocol-handler.external.news;true
    Tor - network.protocol-handler.external.nntp;false - FF - network.protocol-handler.external.nntp;true
    Tor - network.protocol-handler.external.snews;false - FF - network.protocol-handler.external.snews;true
    Tor - network.protocol-handler.warn-external.file;true - FF - network.protocol-handler.warn-external.file;false
    Tor - network.protocol-handler.warn-external.mailto;true - FF - network.protocol-handler.warn-external.mailto;false
    Tor - network.protocol-handler.warn-external.news;true - FF - network.protocol-handler.warn-external.news;false
    Tor - network.protocol-handler.warn-external.nntp;true - FF - network.protocol-handler.warn-external.nntp;false
    Tor - network.protocol-handler.warn-external.snews;true - FF - network.protocol-handler.warn-external.snews;false

    Tor - permissions.memory_only;true - FF - nothing, but can it work in FF and what permissions are we talking about?

    Not sure what to think about these for now in about:config in Tor;
    Tor - extensions.autoDisableScopes;0 Firefox - autoDisableScopes;15
    extensions.shownSelectionUI;true - (Tor & FF the same)
    http://blog.ffextensionguru.com/2011/11/09/disable-firefox-8-add-on-controls/

    Tor - plugin.disable_full_page_plugin_for_types;false
    Tor - plugin.expose_full_path;true - FF - plugin.expose_full_path;false (Seems odd Tor makes it true?)
    Tor - plugin.scan.4xPluginFolder;false
    Tor - plugin.scan.Acrobat;99.0
    Tor - plugin.scan.Quicktime;99.0
    Tor - plugin.scan.SunJRE;99.0
    Tor - plugin.scan.WindowsMediaPlayer;99.0
    Tor - plugin.scan.plid.all;false
    Tor - privacy.sanitize.sanitizeOnShutdown;false - FF - privacy.sanitize.sanitizeOnShutdown;true (seems odd Tor sets this to false)

    Tor - security.enable_java;false (It's good to add this to FF if you can learn to live without Java, which can be bad...)

    Tor - signon.autofillForms;false - FF - signon.autofillForms;true

    Tor - urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey;1235166825
    Why the difference in numbers?
    FF - urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey;1325228727

    Tor - urlclassifier.tableversion.goog-black-enchash;1.55536
    Tor - urlclassifier.tableversion.goog-black-url;1.23256
    Tor - urlclassifier.tableversion.goog-white-domain;1.481
    Tor - urlclassifier.tableversion.goog-white-url;1.371
    Tor - webgl.disabled;true - FF - webgl.disabled;false (Hmm HTML5...)


    These are the addons I use;

    Adblock Plus
    Ghostery
    NoScript
    RequestPolicy

    The Tor Browser Bundle uses these addons;

    Tor Button
    HTTPS-Everywhere
    NoScript

    For what we're trying to accomplish, I don't think HTTPS-Everywhere will do anything...

    These are the differences Tor uses or doesn't use in NoScript;

    Scripts Globally Allowed (Seems odd Tor uses this)
    Automatically reload affected pages when permissions change (unchecked)
    Apply these restrictions to whitelisted sites too (Not a bad idea...)
    Forbid WebGL
    Tor uses different 'Appearance' settings...
    HTTPS - Cookies - Enable Automatic Secure Cookies Management (Not a bad idea...)
    ABE is unchecked -(Interesting, 'Enable ABE' unchecked, hmm)
    Of course no WAN IP - (People should research this to decide if they really want to use this, I've read some pros and cons and I didn't like the cons, so I'm not using it...)

    By the way those user.js settings you're showing you edit them in about:config, just be sure to keep a copy as long as you don't make any other browser changes...

    P.S. That takes care of the entire about:config between the two, LOL, wheeew I'm beat! Anyone, please feel free to look in case I missed something...
     
    Last edited: Nov 30, 2011
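    The two posts above describe how user.js overrides prefs.js and list the about:config values the thread settles on. The script below is an added example, not code from this thread or from Mozilla: it parses user_pref() lines from both files, merges them the way Firefox does (user.js wins), and reports which of the thread's recommended prefs are still not in force. The prefs.js and user.js contents are constructed samples.

    ```python
    import re
    from typing import Dict, Optional, Tuple, Union

    PrefValue = Union[bool, int, str]

    # Values recommended in this thread (DasFox's about:config list and tlu's user.js).
    RECOMMENDED: Dict[str, PrefValue] = {
        "browser.cache.disk.enable": False,
        "browser.cache.offline.enable": False,
        "browser.search.suggest.enabled": False,
        "browser.sessionstore.privacy_level": 2,
        "dom.storage.enabled": False,
        "geo.enabled": False,
        "network.cookie.lifetimePolicy": 2,
    }

    # One user_pref("name", value); line: value is true/false, an integer, or a quoted string.
    PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);')

    # Constructed sample files (not a real profile).
    SAMPLE_PREFS_JS = """\
    // Mozilla User Preferences (constructed sample)
    user_pref("browser.cache.disk.enable", true);
    user_pref("geo.enabled", true);
    user_pref("dom.storage.enabled", true);
    user_pref("network.cookie.lifetimePolicy", 0);
    user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0");
    """
    SAMPLE_USER_JS = """\
    user_pref("dom.storage.enabled", false);
    user_pref("geo.enabled", false);
    user_pref("geo.wifi.uri", "");
    user_pref("browser.sessionstore.privacy_level", 2);
    """

    def parse_prefs(text: str) -> Dict[str, PrefValue]:
        """Parse user_pref(...) lines into a dict; comments and other lines are skipped."""
        prefs: Dict[str, PrefValue] = {}
        for line in text.splitlines():
            m = PREF_RE.match(line)
            if not m:
                continue
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif raw.startswith('"'):
                prefs[name] = raw[1:-1].replace('\\"', '"')  # unescape quoted string
            else:
                prefs[name] = int(raw)
        return prefs

    def effective_prefs(prefs_js: str, user_js: str) -> Dict[str, PrefValue]:
        """Merge like Firefox does: user.js entries override whatever prefs.js saved."""
        merged = parse_prefs(prefs_js)
        merged.update(parse_prefs(user_js))
        return merged

    def audit(effective: Dict[str, PrefValue]) -> Dict[str, Tuple[Optional[PrefValue], PrefValue]]:
        """Return {pref: (actual, wanted)} for recommended prefs not in force.
        A pref absent from both files is still at its build default, reported as None."""
        return {name: (effective.get(name), wanted)
                for name, wanted in RECOMMENDED.items() if effective.get(name) != wanted}

    if __name__ == "__main__":
        for name, (actual, wanted) in audit(effective_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS)).items():
            print(f"{name}: is {actual!r}, thread recommends {wanted!r}")
    ```

    To audit a real profile, read prefs.js and user.js from the profile folder in place of the two sample strings.
    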
  6. tlu

    tlu Guest

    Yeah, and your settings answer them:

    That's what I assumed. I had used those settings before but found that my browsing speed is considerably worse. So I'm still looking for an alternative solution for blocking ETags.


    No, I don't edit them in about:config as those changes are saved in prefs.js. Creating a user.js file and adding setting changes to it overrides what is in prefs.js. I prefer that as it's a very convenient way to easily restore your individual settings.
     
  7. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I'm finding this thread very helpful. Keep up the great work, you two. I've incorporated a couple of those tweaks into FF now. A few I already had.
     
  8. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Yes this has been turning out better than I expected, now just to figure out these last 3;

    HTTP Session
    Signature
    Charset

    tlu, disabling the browser cache does not change the speed. It's not going to slow your browser down, it just means it's not going to be able to store a cache, granted that means you have to wait for something to load over instead of coming from the cache, but that doesn't mean it makes your browser slower...

    On Unix/Linux I don't see that the risks are as great as in Windows, where you drag malware into the cache that infects a Windows machine, this is one BIG reason to disable them, besides others...
     
  9. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Actually, I was amazed to discover that it had hardly any impact for me. I tried the tweak with FF3 and it was a nightmare. But here on 8 it's like it's not even there. I actually had to go back and re-check to make sure the tweak stuck because everything was still so snappy. I especially expected my Youtube sub box to take forever to load those thumbnails... but they popped right up.

    I've been running with those cache tweaks for almost a month now, and they're keepers for me.
     
  10. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I'm going to say this in BIG CAPS because you don't want to overlook this in about:config, so be sure to go back up and find it!

    ----> BE SURE TO KILL THE GEO STUFF PEOPLE!
     
  11. Digizik

    Digizik Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    15
    @DasFox

    man, you're awesome man! this is exactly what I'm looking for!
    almost everything is green in my firefox portable, except

    • authentication
    • http-session

    great thanx for this thread/ posts!
    regards, digizik
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Is there anything other than toggling geo.enabled to false that needs to be done?
     
  13. Digizik

    Digizik Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    15
    Here's one we should all be KILLING;
    Default setting; geo.enabled;true
    change to this; geo.enabled;false

    And another Geo to kill;
    geo.wifi.uri;https://www.google.com/loc/json
    Under Windows type in ‘localhost’ and hit ‘OK’
    Under Linux leave the box blank (clear if necessary)

    ------------------------------------------

    authentication is now also green :)

    great! regards, digizik

    ------------------------------------------
     
  14. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Glad to hear... :)


    Needs to be done as far as what, GEO is concerned, or everything we've been doing in this post?
     
  15. tlu

    tlu Guest

    Quite frankly, I think that the privacy threats of having geolocation enabled are limited considering what is said here:


    Besides, even if you disable geolocation any website like ip-check.info can easily detect your IP address and, consequently, where you're located.
     
  16. Digizik

    Digizik Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    15
    ...but not if you're using:

    • an anonymous vpn-provider
    • turn off java, javascript + flash
    • make the tweaks "dasfox" has written down

    I'm guessing that this will make it quite a bit harder to figure out your location/ IP....
     
  17. tlu

    tlu Guest

    The first one (or, alternatively, Tor and the likes) is crucial. The other two don't prevent detecting your IP.
     
  18. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Sorry. I missed this that you had posted.

    I was specifically asking about geolocation
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks buddy.
     
  21. tlu

    tlu Guest

    I had read that site before and I don't think that it contradicts what I wrote in post #40. Disabling geolocation doesn't prevent a site from detecting your IP address. Only using Tor or other proxy server solutions can prevent that.
     
  22. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    411
    Can I use these settings on the latest Firefox betas?
     
  23. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Disabling it has nothing to do with not detecting your IP, I never said it did, but if we think about it, with that IP you can also tell your geo location, so why even bother with an option like this, it seems foolish.

    We're just talking about removing as much risk as possible, so really disabling this, does it help? Well it's not going to hurt anything, so it's better just to be safe than sorry...

    Getting off on a side track here, where I will say that you can see a benefit in this, is if you're using a VPN and depending on the providers information they have in regards to their servers, with the Geoip it can point back to them easier, where as if you disable it, you only see the location of the servers and no location pointing back to where the actual physical location of the company is. So just some food for thought here, for a VPN service, disabling this is a good thing, maybe with a proxy too, I'm not sure...
     
  24. Digizik

    Digizik Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    15
    maybe you could run it in "sandbox" mode and see how it goes? :rolleyes:
    http://www.sandboxie.com/
     
  25. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    That "geo.enabled True" was able to give away people's locations by using their router, and other local routers, while connected to a VPN. It didn't need an IP. In fact it was far more accurate than an IP address.

    https://www.wilderssecurity.com/showthread.php?t=268494

    And it was also able to give away your location while using Tor, until they patched it. I know the person who reported it to Tor, and I tried it myself. This was with the pre-configured Tor Browser. I clicked on that link shown in the post above, then refreshed the browser and it showed my location within a few yards, on Google Maps......staring me straight in the face.....while connected to Tor.
     