Firefox - Change These For Better Privacy - Security

Discussion in 'privacy technology' started by DasFox, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Here are some things I'd like to discuss to help improve Firefox security and privacy.

    1. Firefox feature - 'Tell websites I do not want to be tracked' - (good feature?)

    2. HTTP Authentication Headers - (What can we do to change this?)

    3. Cache E-tags - (What can we do to change this?)

    4. HTTP Session - (What can we do to change this?)

    5. User-Agent - (What can we do to change this?)


    Share what you know...


    THANKS
     
    Last edited: Oct 12, 2011
  2. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    This setting sets the variable HTTP_DNT=1 in your browser's HTTP header. I'd say it's a good feature for compliant websites that actually obey the rule, but it certainly won't protect you from the majority of rogue sites that simply choose to ignore it.

    Not sure what the specific threat is here... please elaborate.

    Nothing, unfortunately... other than perhaps disabling the Firefox cache altogether (which would be impractical for the majority of users). But as long as you make a habit of emptying your browser cache regularly, those E-Tags will not persist for too long.

    See #2

    You can manually set the preference "general.useragent.override" in about:config. Or, you can use an add-on such as User Agent Switcher to accomplish this task. Keep in mind, the goal should be to have a generic User Agent, so as to blend in with everyone else. What you don't want to do is set an unusual or unique User Agent, because that will make you stick out like a sore thumb (which defeats the purpose entirely). In my case, I already have a very common OS and browser version, so I just prefer to leave this setting alone.
     
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    HTTP Authentication Headers - Many browsers allow web sites to send hidden authentication data to third party sites. We want to protect against tracking from third party HTTP authentication headers. By the way Tor resolves this problem, so there must be a way for people to do the same in Firefox.

    Cache E-tags - We don't want to cache any third party content. Tor has resolved this, so I say there must be a way to do this also in Firefox.

    HTTP Session - The longer the session lasts, the easier it is to identify you. Tor changes your identity to resolve this, so there must be a way to do this also in Firefox.


    THANKS
     
  4. tlu

    tlu Guest

    For issues #1 and 3 you might want to try the add-on anonymoX. I've tried it for selected sites and its performance is okay. I'm not sure if it takes care of e-tags. However, Modify Headers is reported to be able to remove e-tags - I haven't checked that, though.

    EDIT: Other measures/add-ons have been often mentioned in other threads. Using Noscript is also recommended when it comes to privacy. Other examples are Refcontrol, Cookie Monster and Better Privacy.
     
    Last edited by a moderator: Oct 13, 2011
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Or, you could use TAILS (The Amnesia Incognito Live System).

    You could even swap some of the TAILS definitions of the Iceweasel (Firefox) profile prefs.js file (regarding your about:config values) if you are willing to do the work, and then change your everyday Firefox profile in that way.

    -- Tom
     
  6. NexusPrime

    NexusPrime Registered Member

    Joined:
    Oct 14, 2011
    Posts:
    2
    Last edited: Oct 14, 2011
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Sorry for any confusion, I was looking for ways to edit these things within Firefox, not use addons or any other software....

    I just thought all of these things could be taken care of in about:config


    THANKS
     
  8. tlu

    tlu Guest

    I said in post #4 that Modify Headers is reported to be able to remove etags - but this is definitely NOT true. Modify Headers can only modify/add/filter request headers but NOT response headers like ETags.

    According to its developer the addon BetterCache checks or modifies Etags and other response headers. However, I have no idea how exactly BetterCache does that and if it's really able to remove ETags. The same applies to another FF addon, Tamperdata.
     
  9. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    While we're on this subject here are some things I have figured out how to do, to improve things. Number 2 by the way takes care of the E-Tags...

    1. How to edit the User Agent string

    To change the User Agent string, just enter about:config as an address in the address bar of Firefox, the location where you normally enter a URL (link). I recommend preserving the original value, which you can get when you enter just about: in the address bar.

    Now press the right mouse button to get the context menu and select "String" from the menu entry "New". Enter the preference name "general.useragent.override", without the quotes. Next, enter the new User Agent value you want Mozilla Firefox to use. Check the new value by entering about: in the address bar.


    2. How to completely disable Firefox cache

    Web caching is great, there's no doubt about it. Even in the days of 50Mb broadband, caching stuff still speeds things up no end.

    Here's how to disable Firefox's browser cache completely.

    Fire up Firefox
    Type about:config in your address bar
    Type 'cache' in the search bar, and look for network.http.use-cache, and double click it to set it to false. Double clicking it again will set it to true and re-enable the cache


    3. You can enable or disable the referrer from being reported to web sites that you visit with this Firefox tweak.

    1. Type about:config in the address bar and press Enter.

    2. Find the entry that says network.http.sendRefererHeader and double-click on it.

    3. Set the entry to one of the following:

    0 - Disable referrer.
    1 - Send the Referer header when clicking on a link, and set document.referrer for the following page.
    2 - Send the Referer header when clicking on a link or loading an image.
     
    Last edited: Oct 17, 2011
  10. tlu

    tlu Guest

    @DasFox:

    regarding 1: Yes, modifying User Agent can be done via about:config or via several addons. I doubt, though, that adding your name and your website really enhances privacy :D

    regarding 2: Disabling caching seems to be a solution for ETags but it reduces speed. That's why I'm reluctant to do that. There are addons (SaferCache and SaferMemory) but, unfortunately, they are incompatible with newer FF versions.

    regarding 3: Controlling Referrers via about:config is possible but I prefer RefControl as it's more flexible. I only block 3rd party requests as recommended on that site - allowing them for selected sites is easy if necessary. Generally blocking referrers breaks too many sites.
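
Why emptying or disabling the cache deals with ETags, as an added sketch that is not part of any post: the ETag stored with a cached response is sent back in If-None-Match on the next request for the same URL, independently of cookies. The BrowserModel class, the URL and the header values are constructed for illustration and model only this one behaviour.

```python
class BrowserModel:
    """Toy model of two separate stores: cookies and the HTTP cache."""

    def __init__(self, cache_enabled=True):
        self.cache_enabled = cache_enabled  # stands in for network.http.use-cache
        self.cookies = {}                   # url -> cookie (simplified: keyed per URL)
        self.cache = {}                     # url -> ETag kept with the cached body

    def handle_response(self, url, headers):
        """Store what a response asks the browser to remember."""
        if "Set-Cookie" in headers:
            self.cookies[url] = headers["Set-Cookie"]
        if self.cache_enabled and "ETag" in headers:
            self.cache[url] = headers["ETag"]

    def build_request(self, url):
        """Headers the browser attaches to the next GET for url."""
        headers = {}
        if url in self.cookies:
            headers["Cookie"] = self.cookies[url]
        if self.cache_enabled and url in self.cache:
            # Conditional request: the stored validator is echoed back verbatim.
            headers["If-None-Match"] = self.cache[url]
        return headers

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.cache.clear()


# Constructed third-party resource and response headers.
URL = "http://thirdparty.example/pixel.gif"
RESPONSE = {"ETag": '"v-7f3a"', "Set-Cookie": "id=7f3a"}


def revisit_headers(cache_enabled, clear):
    """Load URL once, clear the named stores, return the headers of the revisit."""
    browser = BrowserModel(cache_enabled)
    browser.handle_response(URL, RESPONSE)
    for store in clear:                     # "cookies" and/or "cache"
        getattr(browser, "clear_" + store)()
    return browser.build_request(URL)


if __name__ == "__main__":
    for enabled, clear in [(True, []), (True, ["cookies"]),
                           (True, ["cookies", "cache"]), (False, ["cookies"])]:
        print(f"cache={enabled} cleared={clear}: {revisit_headers(enabled, clear)}")
```

Clearing cookies alone leaves If-None-Match in place; only clearing the cache or running with it disabled removes it.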
     
  11. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    The way I deal with referrers is simply not to click on certain hyperlinks. If need be, I'll just do a "Copy Link Location" and manually paste the URL into the address bar--which effectively breaks the "referrer" functionality altogether. Most of the time it doesn't really matter though, especially if the hyperlink(s) are on a public site (such as this one)--in which case the privacy issue falls on the owner of the originating web site, not the end user. The only example I can think of where referrers may be an issue is if the URL string of the originating web site contains some client-specific data, such as the address of your personal webmail account.

    In most circumstances, however, I find that there's generally little or nothing to be gained (from a privacy standpoint) by blocking or obfuscating the real referrer.
     
  12. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    tlu, the name and your website for the user agent, actually someone mentioned that; my bad for not editing that out. I personally don't do this...

    Yeah I'm not sure if hiding the referrer really improves anything CasperFace....


    THANKS
     
  13. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    I'm running IE6 (MyIE2) and it's as easy as opening my registry and going to that key and changing it :)
     
  14. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    The problem with RefControl is that it's on a per-site basis...

    Too much work involved with this...

    I'd rather have something that simply disables it for all sites and simply enables it when needed....
     
  15. tlu

    tlu Guest

    But if you configure RefControl in such a way that it only blocks 3rd party requests (which is the critical thing regarding privacy) this doesn't break 99% of all websites. Thus, the exception list can be kept rather short in my experience.
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    This doesn't apply on HTTPS sites btw, you can switch network.http.sendSecureXSiteReferrer to false if you want to turn that off as well.
     
  17. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    When I configure RefControl the "default for sites not listed" is "Block". No need to list specific sites. Wouldn't this provide the solution you are looking for or am I missing something?
     
  18. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    So http.sendRefererHeader and network.http.sendSecureXSiteReferrer might be a good thing to do?


    I was reading about that, forgot to ask, sounds like a catch all for everything not listed, so then we don't need to make up any rules if you just want a default that takes care of everything?
     
  19. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    276
    Location:
    USA
    Yes. And from what I see on the help page for RefControl, you can "block all sites not listed" and then add the sites that need to have a referral to work to the list as "Normal". I have a few sites that do not work, but it is usually Ghostery blocking trackers rather than RefControl.
     
  20. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Now I'm trying to decide if it's really worth using, hehe... :doubt:
     
  21. x942

    x942 Guest

    I use the two addons for this:

    Random User Agent (Changes user agent on open)

    RefControl default send nothing.
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Yeah, RefControl is quite easy and seems effective, just default and nothing...
     
  23. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I'm trying to get Firefox as close as possible in terms of security and privacy, like Tor, without the Tor network...

    I'm using the JonDonym IP check for this;

    http://ip-check.info/?lang=en

    At this point in time I'm not sure if this is a good test or snake oil, but it does seem to be ok...

    Here is Firefox on the test;

    http://i.imgur.com/HEWnu.png

    Here is Tor on the test;

    http://i.imgur.com/95jsu.png

    For Firefox I'm still trying to figure out how to get these green; (I'm not sure how Tor is doing this).

    Signature
    User-Agent
    Language
    Charset
    Content types


    THANKS
     
  24. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Hi DasFox,

    The difference between, e.g. TAILS (which uses Tor in the Firefox Debian derivative named IceWeasel and Firefox) is in the prefs.js file which exists in the Firefox profile directory. For Linux, the profile directory is in /home/<account>/.mozilla in the subdirectory:
    ~<account>/.mozilla/firefox/*.default

    For Windows or Mac OS X, you will have to consult the Firefox Knowledge database for information at: https://support.mozilla.com/en-US/kb/Profiles to find its location.

    -- Tom
     
  25. Eiso

    Eiso Registered Member

    Joined:
    Nov 17, 2011
    Posts:
    44
    Hello DasFox, I understand you completely.

    In order to get green at the ip-check.info anonymity check you may enter the following strings into about:config:

    For User-Agent search: general.useragent.override enter Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 into string value.

    For Language search: intl.accept_languages enter en-us into string value.

    For Content types search: network.http.accept.default enter text/html,application/xml,*/* into string value.

    I'm still trying to figure out the others for ya. Good luck :)
     
    Last edited: Nov 24, 2011
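
An added example, not code from any poster: a small audit of a profile's prefs.js (the file post 24 points to) against the about:config values given in posts 9, 16 and 25. The preference names and values are copied from those posts as written; the function names and the sample file content are this example's own and are constructed.

```python
import re

# Values the posters recommend (posts 9, 16 and 25), copied as written there.
THREAD_PREFS = {
    "general.useragent.override": "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0",
    "network.http.use-cache": False,
    "network.http.sendRefererHeader": 0,
    "network.http.sendSecureXSiteReferrer": False,
    "intl.accept_languages": "en-us",
    "network.http.accept.default": "text/html,application/xml,*/*",
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: bool | int | str} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs

def audit(prefs, wanted=THREAD_PREFS):
    """Return {name: (current, wanted)} for prefs that differ from the thread's values.
    current is None when prefs.js has no entry. Types are compared, so 0 is not false."""
    diff = {}
    for name, want in wanted.items():
        have = prefs.get(name)
        if type(have) is not type(want) or have != want:
            diff[name] = (have, want)
    return diff

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0");
user_pref("intl.accept_languages", "de-de,de,en");
user_pref("network.http.sendRefererHeader", 2);
user_pref("network.http.use-cache", false);
'''

if __name__ == "__main__":
    print(audit(parse_prefs(SAMPLE_PREFS_JS)))
```

prefs.js holds only preferences that have been changed, so a name reported with current None is running on Firefox's built-in default.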