Firefox - Change These For Better Privacy - Security

Discussion in 'privacy technology' started by DasFox, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    No it isn't, more intrusive garbage!

    I'm thankful none of my stuff is compatible with that garbage!
     
  2. tlu

    tlu Guest

    I don't doubt that geolocation is more accurate. However, my major point was that geolocation in Firefox (see the quoted text by Mozilla in my earlier post) is completely opt-in. If you don't give your explicit permission to the website asking for it, it cannot use it. So while it's certainly okay to disable it, let's not blow this out of proportion.
     
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I'm not saying it's intrusive garbage nor am I trying to blow things out of the water with this...

    The point of the post was to aim for the highest level of lock down for those that want it, or feel a need for it.

    It really gets down to what you want and how far you trust...

    It's like anything out there, any of it can be used against you. Is it being done? I can't say for sure. Will it ever happen? Quite possibly, so is it better to be safe than sorry if you have no real need? I would think, why not close it down if you think you have no real need, just to eliminate all possibility...

    Anyhow to each his own, for whatever they have a need for... :)
     
  4. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    411
    Thanks DasFox ;)
     
  5. Digizik

    Digizik Registered Member

    Joined:
    Oct 28, 2011
    Posts:
    15
    true words mate, true words...

    one newbie question: I've done some config. in the preferences of firefox. - especially the ones you've posted on page two here on the thread... what happens when mozilla is updating the browser, do all the config. stay the same, or could it be that something changes due to the update? if yes, how can I save the config., maybe all in one file and import it? (to which location?) :rolleyes:
     
  6. tlu

    tlu Guest

    See post #29. Create a user.js file and save your individual settings therein. For details see here.
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    So doesn't look like anyone has figured these three out yet?

    HTTP session
    Signature
    Charset
     
  8. guest

    guest Guest

    Interesting thread.
    Of all the changes suggested by DasFox here, which ones do you think really matter and which other changes/measures would you suggest? Thinking on a good balance between performance, usability, security and privacy.
     
  9. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Great thread...

    i was trying to figure out how to do this with various FF add-ons - NS, request policy, noreferrers, ghostery, csfire, useragentswitcher etc etc etc but the list you need never ends....

    also seems like privacy is the big problem on the internet these days as i haven't picked up any malware in at least 3-4 years and even when i did back then the malware never did much exc chew up CPU cycles...otoh i've seen my email address, real physical address and real phone number posted together on email harvesting website and that was quite a shock and a real PITA if you have a unique name. they really don't care about anyone's privacy at all.

    (i wish Wilders had an optional wiki for the 2nd post of a thread like slickdeals does - it would help to organize things like this that people were working on)
     
  10. tlu

    tlu Guest

    Regarding DOM storage: I found that one of my banking sites doesn't work without it so disabling it completely might produce unwanted results.

    However, I've learned that the same restrictions which you apply to cookies are also applied to DOM storage. This means, if you block cookies you're also blocking DOM storage. If you allow cookies for specific sites DOM storage is also allowed for them.

    Note also that since Firefox 3 access to DOM storage is very restricted.

    ... but NOT, e.g., addons.mozilla.org and even less other domains. See also this comment.

    You may still want to disable DOM storage completely. However, I think that the above facts relativize its privacy impact.
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    The post has gotten a lot more in depth since I started it and Wilders kills our edit button too quickly...

    So this was really about coming up to the level of the Tor browser bundle but in doing so, you need to consider adding a layer, using a VPN or Proxy to this mix to also improve this, otherwise just doing all these things and still surfing through your ISP IP, well you're only going so far and still not getting there all the way.

    So I'm sorry I did not mention this before, but this is a MAJOR POINT! Making these changes but needing to use Firefox also through a VPN or Proxy, which is really the ultimate change for improved security...
     
  12. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Just out of interest, has anyone tried adding something like Proxomitron or Privoxy to the mix? I used to use the prox a long time ago and I seem to remember it was quite configurable with regard to HTTP headers...

    Just a thought.
     
  13. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Something else people have to consider when going over this is having a good read here;

    http://panopticlick.eff.org/

    And read the PDF here;

    http://panopticlick.eff.org/browser-uniqueness.pdf

    I forgot about this site but was reminded of it over at mozillazine where I made a post about this...

    What I've gotten so far is that changing the User Agent String, is distinguished because measurements do not comport to the User Agent, this is what the PDF says, so I'd like to figure if possible how we get it to comport...

    So far I see we need to use good plugins as I've shown, not accept cookies, kill super cookies and get this User Agent in line with the rest of the browser...

    Comport, LOL, what a choice of words... :)

    Private Browsing Mode is something we need to consider, I've personally never used it considering all the things I'm doing anyway that should make it pretty much Private Browsing...
     
    Last edited: Dec 16, 2011
  14. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    interesting site here:

    http://pseudo-flaw.net/content/defcon/dc-17-demos/


    also, for this setting:

    general.useragent.override - (user set string)
    Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0


    i don't see it listed in Ubuntu FF, do we add it to config or user.js?


    also a few more relevant links:

    https://wiki.mozilla.org/Fingerprinting
    https://wiki.mozilla.org/Security/Anonymous_Browsing
    http://browserspy.dk/

    and this is an interesting PDF here that mentions Privoxy briefly in sect 6.1 along with NoScript and useragent spoofing and says that these may actually make your browser more unique in some ways:

    For the full white paper: How Unique is Your Web Browser?:
    https://panopticlick.eff.org/browser-uniqueness.pdf

    EDIT: oops that PDF already mentioned, sorry....it's a very interesting read....

    another browser test here:

    http://www.secustudy.com/
     
    Last edited: Dec 17, 2011
  15. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    The user agent string has already been discussed, I believe on the first page...

    But the biggest problem according to the EFF is that this user agent string has to be in some accordance with the rest of the browser, as they called it, 'comport', so this should really be looked into, to see if there's any truth to it...

    Thanks for the links...

    By the way this is the Mozilla post I made if anyone wants to keep an eye on it over there;

    http://forums.mozillazine.org/viewtopic.php?f=7&t=2373095&p=11565209#p11565209

    Interesting what Mozilla has to say here;

    The TorButton doesn't look like it's going to do all it's intended properly without the Tor Browser Bundle...

    By the way people add BleachBit to your arsenal it really cleans Firefox out... :)

    http://bleachbit.sourceforge.net/

    BrowserSpy might just be the answer to show you the bits and pieces to make everything come into sync, like changing your User-Agent but also having all the other parts reporting correctly...

    http://browserspy.dk/
     
    Last edited: Dec 17, 2011
  16. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    one more link worth reading (Device-Fingerprinting-and-Online-Fraud-Protection-Whitepaper):

    http://www.scribd.com/doc/5342718/Device-Fingerprinting-and-Online-Fraud-Protection-Whitepaper

    just to give you an idea of the mindset of these folks, there's a section in there that says they'd like to be able to install software on your computer so they can detect the HDD serial # and the MAC address, but unfortunately that would be illegal, lol.

    and they discuss everything in the article that's on the JonDoFox website (browser tagging, browser fingerprinting, OS fingerprinting, and even TCP fingerprinting) so it looks like they really are using this stuff.

    ...
     
  17. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok here's a run down on everything I do in about:config but this is on Linux, for Windows the geo.wifi.uri, I'm not sure what value you use in Windows, in Linux you leave it blank.

    Also the section 'Options Needed To Make User Agent Work Properly' I listed below, these were changed for Linux to make your browser look like Windows if you are already using Windows, you're not going to keep any of the values, those are to look like a Windows computer. The funny thing is, I look at the Tor Browser Bundle For Windows and it has the same options, so it's still making you look like you're on Windows, just a different browser version.

    Simply changing the general.useragent.override is not enough, there are other parameters that can tell what system you are using and then it will be seen that you are just spoofing this.

    I looked over Tor pretty good so I think I have everything you need in the 'Options Needed To Make User Agent Work Properly' but I could be wrong and missed something, but as far as the pref.js in Tor, no I got it all correct, I'm just saying I don't know if there are other things to spoof, but I don't think so. So if anyone knows if there's more needed, then please let me know. As far as I can tell when I did online tests everything came back saying I was on Windows 7, no Linux to be found anywhere, except Flash, which I talk about later...

    A good site to check everything to make sure it all looks correct is http://browserspy.dk/ you'll see there are various tests that will detect your OS even if you just change the general.useragent.override and nothing else, so make sure all the tests show the same OS. You don't want one test saying Linux and another Windows.

    Flash is the only thing I haven't figured out for Linux, but I believe in Windows you can edit the .ini file to spoof it to look like Linux or another OS, but you'll have to check this on http://browserspy.dk/flash.php Linux is listed like this;

    Platform: LNX
    Full Version: LNX 11,1,102,55

    Remember at least to use NoScript and if you can handle it I highly recommend RequestPolicy, these will at least hide Flash as well as other great things they do, but as soon as you allow JavaScript and RequestPolicy on sites, they call the OS from Flash, they also can tell you by JavaScript too...


    browser.cache.disk.enable - (user set boolean)
    false

    browser.cache.offline.enable - (user set boolean)
    false

    browser.search.suggest.enabled - (user set boolean)
    false

    browser.sessionstore.privacy_level - (user set integer)
    2

    dom.storage.enabled - (user set boolean)
    false

    ------- These Options Needed To Make User Agent Work Properly----------

    general.appname.override - (user set string) - (Not sure what to change to make look like Linux, or OSX?)
    Netscape

    general.appversion.override - (user set string) - (Not sure what to change to make look like Linux or OSX?)
    5.0 (Windows)

    general.buildID.override - (user set string) - (Not sure if Linux, Windows, OSX use 0?)
    0

    general.oscpu.override - (user set string) - (Not sure what to change to make look like Linux, or OSX?)
    Windows NT 6.1

    general.platform.override - (user set string) - (Not sure what to change to make look like Linux, or OSX?)
    Win32

    general.productSub.override - (user set string)- (Not sure what to change to make look like Linux, or OSX?)
    20100101

    general.useragent.override - (user set string) - (You'll want to use a string for the OS you want, Linux, OSX, etc...)

    general.useragent.vendor - (user set string) - (Tor uses this, so I'd just leave it blank for any OS, unless you find out for sure)
    value = empty

    general.useragent.vendorSub - (user set string) - (Tor uses this, so I'd just leave it blank for any OS, unless you find out for sure)
    value = empty


    ---------------------------------------------------------------------------------------------------------

    geo.enabled - (user set boolean)
    false

    geo.wifi.uri - (user set string) - (value leave blank in Linux)
    leave 'value' blank

    intl.accept_languages - (user set string)
    en-us

    network.cookie.lifetimePolicy - (user set integer)
    2

    network.http.accept.default - (user set string)
    text/html,application/xml,*/*


    Now wait, everyone is saying I thought this is about making Firefox stronger? It is, but spoofing it to look like another OS is good too, why? Because a hacker needs to know what OS you are on to hack you, because you don't hack OSX, Linux and Windows the same, so spoofing everything will make it harder to get at you.

    Now you don't have to make it look like Linux or OSX, but if you do, it's better, but you can simply go through the strings to harden it and add the addons...

    I'll be honest if anyone is really into all this, I highly recommend using Linux, where so much of this is easier to deal with...

    P.S. For the different strings to make look like Linux or OSX if anyone finds this information please share it and I will too!
     
    Last edited: Dec 19, 2011
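
The consistency problem raised in the post above (a spoofed general.useragent.override that the other navigator values contradict), as an added example that is not part of the thread: it parses user.js-style `user_pref(...)` lines and reports overrides that are missing or disagree with the spoofed user agent. The function names and the OS-family table are assumptions made for illustration; the sample input is constructed from the values listed in the post.

```javascript
// Added example (not from the thread): audit a user.js for user-agent spoof consistency.
// FAMILIES is an assumption: values desktop Firefox typically reports per OS family.
const FAMILIES = [
  { name: "Windows", ua: /Windows NT/, platform: /^Win/, appversion: "(Windows)" },
  { name: "Linux", ua: /Linux/, platform: /^Linux/, appversion: "(X11)" },
  { name: "OS X", ua: /Mac OS X/, platform: /^Mac/, appversion: "(Macintosh)" },
];

const PREF_RE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/;

// Parse user_pref("name", value); lines; comments and anything else are skipped.
function parseUserJs(text) {
  const prefs = {};
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (m) prefs[m[1]] = JSON.parse(m[2]);
  }
  return prefs;
}

// Return a list of inconsistencies; an empty list means the overrides agree.
function auditSpoof(prefs) {
  const ua = prefs["general.useragent.override"];
  if (typeof ua !== "string") return []; // user agent not spoofed, nothing to compare
  const family = FAMILIES.find((f) => f.ua.test(ua));
  if (!family) return ["user agent names no known OS family"];
  const findings = [];
  const need = (name, ok, why) => {
    const v = prefs[name];
    if (typeof v !== "string" || v === "") findings.push(`${name} not set: real value still exposed`);
    else if (!ok(v)) findings.push(`${name}="${v}" ${why}`);
  };
  const paren = (ua.match(/\(([^)]*)\)/) || ["", ""])[1];  // e.g. "Windows NT 6.1; rv:6.0"
  const gecko = (ua.match(/Gecko\/(\d+)/) || ["", ""])[1]; // e.g. "20100101"
  need("general.oscpu.override", (v) => paren.includes(v), "is not in the UA's OS section");
  need("general.platform.override", (v) => family.platform.test(v), `is not a ${family.name} platform`);
  need("general.appversion.override", (v) => v.includes(family.appversion), `lacks ${family.appversion}`);
  need("general.productSub.override", (v) => v === gecko, "differs from the UA's Gecko/ token");
  return findings;
}

// Constructed sample using the values listed in the post above.
const SAMPLE = `
// spoof profile
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0");
user_pref("general.oscpu.override", "Windows NT 6.1");
user_pref("general.platform.override", "Win32");
user_pref("general.appversion.override", "5.0 (Windows)");
user_pref("general.productSub.override", "20100101");
user_pref("geo.enabled", false);
`;

console.log(auditSpoof(parseUserJs(SAMPLE))); // no findings for the sample
```

A profile that sets only general.useragent.override produces four findings, one per navigator value that would still report the real system.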
  18. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    @ DasFox -

    i was wondering how you decided on the cache settings...

    the JonDoFox site recommends these 2:

    browser.cache.disk.enable;false
    browser.cache.memory.enable;false


    and i see that you recommend this one app from Tor:

    browser.cache.offline.enable;false

    and someone else recommended this one:

    network.http.use-cache (set to false)



    also i see that there is an add-on that helps to edit the user.js file
    called ChromEdit Plus here:

    http://webdesigns.ms11.net/chromeditp.html#top

    has excellent reviews...


    and a few settings to add if people are making user.js files:

    privacy.donottrackheader.enabled;true (noscript adds its own but this seems to be the actual config listing)

    network.http.accept-encoding;gzip, deflate (already the default setting, maybe just to lock it)
     
  19. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    I'm still trying to figure out;

    HTTP session
    Signature
    Charset
     
  20. victorvonhase

    victorvonhase Registered Member

    Joined:
    Jan 17, 2012
    Posts:
    6
    Location:
    DeutscheLand
    Hello from DeutscheLand

    If you use Jondofox, many problems will solve automatically. It is like a Mercedes Benz-Version of Privacy (while IE is like a Lada).

    1. Disable all Plugins, only Flash active (Crucial for Noobs)
    2. Adblock
    3. Noscript
    4. HTTPS-everywhere
    5. Better Privacy
    6. Master Passwort +
    7. Use Jondofox together with Jondonym, Perfect Privacy or Relakks.

    Test it here: ip-check.info

    Should look like this:
    http://s7.directupload.net/file/d/2773/kinlfcwj_jpg.htm
     
  21. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Hi victorvonhase, thanks for the reply and I do know about Jondofox and so do other people, but that is not what this post is about. It's about just making Firefox by itself more secure...

    THANKS
     
  22. Lanny1276

    Lanny1276 Registered Member

    Joined:
    Jan 8, 2012
    Posts:
    16
    Location:
    canada
    ....just added request policy addon in addition to refcontrol, which I was already using. Also disabled the e-cache. I noticed three flags on a website that request policy was preventing doubleclick from mining header data.

    I would think that this also may help circumvent some ISP/DNS blocks?
     
  23. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    DasFox, first of all, thank you for your effort in this. I have a riddle for you.

    You're on a Linux OS with a Firefox browser. On the first page of this thread you posted a screenshot of your JonDonym test showing the signature area green with a Firefox ID. Here's that.

    http://i.imgur.com/95jsu.png

    Here's my screenshot of the same user agent and same signature value on Linux & Iceweasel. The major changes I made in about:config are DOM, offline storage & caching disabled, user agent string changed to JonDoFox's and the content & encoding types edited. As you can see I get a yellow box for the signature when in fact our hash values and ua strings are the same. I cannot figure out why this is. I don't have Refcontrol installed but I'd not think that would make the difference.
    Any ideas?

    http://i43.tinypic.com/2en9v9k.png
     
  24. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    What do you mean?

    That was a Tor screen shot you were looking at...

    This is my Firefox;

    http://i.imgur.com/dcA1i.png

    Turn your cookies off and use RequestPolicy;

    https://www.requestpolicy.com/
     
  25. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I wonder how/if it's possible to get the "HTTP Session" in the green? You would think there'd be a simple setting in about:config somewhere to set the length, similar to the sessionstore interval setting.

    And no matter what I put down for "Useragent", it comes up red. Even if I enter exactly what it recommends to enter for the value, it comes up red. And I'm using a very common OS, and browser.

    I'm speaking in terms of using no VPN or Proxy, as that's what this thread is about... being able to tweak FF to get it as private/anonymous as possible by itself.
     