Discussion in 'privacy technology' started by DasFox, Oct 12, 2011.
No it isn't, more intrusive garbage!
I'm thankful none of my stuff is compatible with that garbage!
I don't doubt that geolocation is more accurate. However, my major point was that geolocation in Firefox (see the quoted text by Mozilla in my earlier post) is completely opt-in. If you don't give your explicit permission to the website asking for it, it cannot use it. So while it's certainly okay to disable it, let's not blow this out of proportion.
I'm not saying it's intrusive garbage nor am I trying to blow things out of the water with this...
The point of the post was to aim for the highest level of lock down for those that want it, or feel a need for it.
It really gets down to what you want and how far you trust...
It's like anything out there, any of it can be used against you. Is it being done? I can't say for sure. Will it ever happen? Quite possibly, so is it better to be safe than sorry if you have no real need? I would think, why not close it down if you think you have no real need, just to eliminate all possibility...
Anyhow to each his own, for whatever they have a need for...
true words mate, true words...
one newbie question: i've done some config. in the preferences of firefox. - especially the ones you've posted on page two here on the thread... what happens when mozilla is updating the browser, do all the config. stay the same, or could it be that something changes due to the update? if yes, how can i save the config., maybe all in one file and import it? (to which location?)
See post #29. Create a user.js file and save your individual settings therein. For details see here.
So doesn't look like anyone has figured these three out yet?
Of all the changes suggested by DasFox here, which ones do you think really matter and which other changes/measures would you suggest? Thinking on a good balance between performance, usability, security and privacy.
i was trying to figure out how to do this with various FF add-ons - NS, request policy, noreferrers, ghostery, csfire, useragentswitcher etc etc etc but the list you need never ends....
also seems like privacy is the big problem on the internet these days as i haven't picked up any malware in at least 3-4 years and even when i did back then the malware never did much exc chew up CPU cycles...otoh i've seen my email address, real physical address and real phone number posted together on email harvesting website and that was quite a shock and a real PITA if you have a unique name. they really don't care about anyone's privacy at all.
(i wish Wilders had an optional wiki for the 2nd post of a thread like slickdeals does - it would help to organize things like this that people were working on)
Regarding DOM storage: I found that one of my banking sites doesn't work without it so disabling it completely might produce unwanted results.
However, I've learned that the same restrictions which you apply to cookies are also applied to DOM storage. This means, if you block cookies you're also blocking DOM storage. If you allow cookies for specific sites DOM storage is also allowed for them.
Note also that since Firefox 3 access to DOM storage is very restricted.
... but NOT, e.g., addons.mozilla.org and even less other domains. See also this comment.
You may still want to disable DOM storage completely. However, I think that the above facts relativize its privacy impact.
The post has gotten a lot more in depth since I started it and Wilders kills our edit button too quickly...
So this was really about coming up to the level of the Tor browser bundle but in doing so, you need to consider adding a layer, using a VPN or Proxy to this mix to also improve this, otherwise just doing all these things and still surfing through your ISP IP, well you're only going so far and still not getting there all the way.
So I'm sorry I did not mention this before, but this is a MAJOR POINT! Making these changes but needing to use Firefox also through a VPN or Proxy, which is really the ultimate change for improved security...
Just out of interest, has anyone tried adding something like Proxomitron or Privoxy to the mix? I used to use the prox a long time ago and I seem to remember it was quite configurable with regard to HTTP headers...
Just a thought.
Something else people have to consider when going over this is having a good read here;
And read the PDF here;
I forgot about this site but was reminded of it over at mozillazine where I made a post about this...
What I've gotten so far is that changing the User Agent String, is distinguished because measurements do not comport to the User Agent, this is what the PDF says, so I'd like to figure if possible how we get it comport...
So far I see we need to use good plugins as I've shown, not accept cookies, kill super cookies and get this User Agent in line with the rest of the browser...
Comport, LOL, what a choice of words...
Private Browsing Mode is something we need to consider, I've personally never used it considering all the things I'm doing anyway that should make it pretty much Private Browsing...
interesting site here:
also, for this setting:
general.useragent.override - (user set string)
Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
i don't see it listed in Ubuntu FF, do we add it to config or user.js?
also a few more relevant links:
and this is an interesting PDF here that mentions Privoxy briefly in sect 6.1 along with NoScript and useragent spoofing and says that these may actually make your browser more unique in some ways:
For the full white paper: How Unique is Your Web Browser?:
EDIT: oops that PDF already mentioned, sorry....its a very interesting read....
another browser test here:
The user agent string has already been discussed, I believe on the first page...
But the biggest problem according to the EFF is that this user agent string has to be in some accordance with the rest of the browser, as they called it, 'comport', so this should really be looked into, to see if there's any truth to it...
Thanks for the links...
By the way this is the Mozilla post I made if anyone wants to keep an eye on it over there;
Interesting what Mozilla has to say here;
The TorButton doesn't look like it's going to do all it's intended properly without the Tor Browser Bundle...
By the way people, add BleachBit to your arsenal, it really cleans Firefox out...
BrowserSpy might just be the answer to show you the bits and pieces to make everything come into sync, like changing your User-Agent but also having all the other parts reporting correctly...
one more link worth reading (Device-Fingerprinting-and-Online-Fraud-Protection-Whitepaper):
just to give you an idea of the mindset of these folks, there's a section in there that says they'd like to be able to install software on your computer so they can detect the HDD serial # and the MAC address, but unfortunately that would be illegal, lol.
and they discuss everything in the article that's on the JonDoFox website (browser tagging, browser fingerprinting, OS fingerprinting, and even TCP fingerprinting) so it looks like they really are using this stuff.
Ok here's a run down on everything I do in about:config but this is on Linux, for Windows the geo.wifi.uri, I'm not sure what value you use in Windows, in Linux you leave it blank.
Also the section 'Options Needed To Make User Agent Work Properly' I listed below, these were changed for Linux to make your browser look like Windows. If you are already using Windows, you're not going to keep any of the values, those are to look like a Windows computer. The funny thing is, I look at the Tor Browser Bundle For Windows and it has the same options, so it's still making you look like you're on Windows, just a different browser version.
Simply changing the general.useragent.override is not enough, there are other parameters that can tell what system you are using and then it will be seen that you are just spoofing this.
I looked over Tor pretty good so I think I have everything you need in the 'Options Needed To Make User Agent Work Properly' but I could be wrong and missed something, but as far as the pref.js in Tor, no I got it all correct, I'm just saying I don't know if there are other things to spoof, but I don't think so. So if anyone knows if there's more needed, then please let me know. As far as I can tell when I did online tests everything came back saying I was on Windows 7, no Linux to be found anywhere, except Flash, which I talk about later...
A good site to check everything to make sure it all looks correct is http://browserspy.dk/ you'll see there are various tests that will detect your OS even if you just change the general.useragent.override and nothing else, so make sure all the tests show the same OS. You don't want one test saying Linux and another Windows.
Flash is the only thing I haven't figured out for Linux, but I believe in Windows you can edit the .ini file to spoof it to look like Linux or another OS, but you'll have to check this on http://browserspy.dk/flash.php Linux is listed like this;
Full Version: LNX 11,1,102,55
browser.cache.disk.enable - (user set boolean)
browser.cache.offline.enable - (user set boolean)
browser.search.suggest.enabled - (user set boolean)
browser.sessionstore.privacy_level - (user set integer)
dom.storage.enabled - (user set boolean)
------- These Options Needed To Make User Agent Work Properly----------
general.appname.override - (user set string) - (Not sure what to change to make look like Linux, or OSX?)
general.appversion.override - (user set string) - (Not sure what to change to make look like Linux or OSX?)
general.buildID.override - (user set string) - (Not sure if Linux, Windows, OSX use 0?)
general.oscpu.override - (user set string) - (Not sure what to change to make look like Linux, or OSX?)
Windows NT 6.1
general.platform.override - (user set string) - (Not sure what to change to make look like Linux, or OSX?)
general.productSub.override - (user set string)- (Not sure what to change to make look like Linux, or OSX?)
general.useragent.override - (user set string) - (You'll want to use a string for the OS you want, Linux, OSX, etc...)
general.useragent.vendor - (user set string) - (Tor uses this, so I'd just leave it blank for any OS, unless you find out for sure)
value = empty
general.useragent.vendorSub - (user set string) - (Tor uses this, so I'd just leave it blank for any OS, unless you find out for sure)
value = empty
geo.enabled - (user set boolean)
geo.wifi.uri - (user set string) - (value leave blank in Linux)
leave 'value' blank
intl.accept_languages - (user set string)
network.cookie.lifetimePolicy - (user set integer)
network.http.accept.default - (user set string)
Now wait, everyone is saying I thought this is about making Firefox stronger? It is, but spoofing it to look like another OS is good too, why? Because a hacker needs to know what OS you are on to hack you, because you don't hack OSX, Linux and Windows the same, so spoofing everything will make it harder to get at you.
Now you don't have to make it look like Linux or OSX, but if you do, it's better, but you can simply go through the strings to harden it and add the addons...
I'll be honest if anyone is really into all this, I highly recommend using Linux, where so much of this is easier to deal with...
P.S. For the different strings to make look like Linux or OSX if anyone finds this information please share it and I will too!
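An added example, not part of the original thread: a small Node.js check for the "comport" problem discussed above, where a spoofed `general.useragent.override` is contradicted by the other override prefs. It assumes settings are kept in a user.js made of `user_pref("name", value);` lines; the function names and the `Linux i686` platform value are hypothetical and constructed for the demonstration.

```javascript
// Constructed sample user.js. The UA string and oscpu value are the ones quoted in
// the thread; the platform value is made up here and is deliberately inconsistent.
const SAMPLE_USER_JS = `
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0");
user_pref("general.oscpu.override", "Windows NT 6.1");
user_pref("general.platform.override", "Linux i686");
user_pref("dom.storage.enabled", false);
`;

// Parse user_pref("name", value); lines into a Map (string, boolean or integer values).
function parseUserJs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Reduce a free-form identity string to a coarse OS family.
function osFamily(s) {
  if (/Windows|Win32|Win64/i.test(s)) return "windows";
  if (/Mac|OS X/i.test(s)) return "mac";
  if (/Linux|X11/i.test(s)) return "linux";
  return "unknown";
}

// Return a list of mismatches between the spoofed UA and the other OS-revealing prefs.
function checkComport(prefs) {
  const ua = prefs.get("general.useragent.override");
  if (typeof ua !== "string") return ["general.useragent.override is not set"];
  const claimed = osFamily(ua);
  const problems = [];
  for (const name of ["general.oscpu.override", "general.platform.override"]) {
    const value = prefs.get(name);
    if (typeof value !== "string") {
      problems.push(`${name} is not set; the real value will be reported`);
    } else if (osFamily(value) !== claimed) {
      problems.push(`${name} says ${osFamily(value)} but the user agent says ${claimed}`);
    }
  }
  return problems;
}

console.log(checkComport(parseUserJs(SAMPLE_USER_JS)));
```

An empty result only means the prefs agree with each other; it does not cover plugins such as Flash, which the post notes report the OS separately.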
@ DasFox -
i was wondering how you decided on the cache settings...
the JonDoFox site recommends these 2:
and i see that you recommend this one app from Tor:
and someone else recommended this one:
network.http.use-cache (set to false)
also i see that there is an add-on that helps to edit the user.js file
called ChromEdit Plus here:
has excellent reviews...
and a few settings to add if people are making user.js files:
privacy.donottrackheader.enabled;true (noscript adds its own but this seems to be the actual config listing)
network.http.accept-encoding;gzip, deflate (already the default setting, maybe just to lock it)
I'm still trying to figure out;
Hello from DeutscheLand
If you use Jondofox, many problems will solve automatically. It is like a Mercedes Benz-Version of Privacy (while IE is like a Lada).
1. Disable all Plugins, only Flash active (Crucial for Noobs)
5. Better Privacy
6. Master Password +
7. Use Jondofox together with Jondonym, Perfect Privacy or Relakks.
Test it here: ip-check.info
Should look like this:
Hi victorvonhase, thanks for the reply and I do know about Jondofox and so do other people, but that is not what this post is about. It's about just making Firefox by itself more secure...
....just added request policy addon in addition to refcontrol, which I was already using. Also disabled the e-cache. I noticed three flags on a website that request policy was preventing doubleclick from mining header data.
I would think that this also may help circumvent some ISP/DNS blocks?
DasFox, first of all, thank you for your effort in this. I have a riddle for you.
You're on a Linux OS with a Firefox browser. On the first page of this thread you posted a screenshot of your JonDonym test showing the signature area green with a Firefox ID. Here's that.
Here's my screenshot of the same user agent and same signature value on Linux & Iceweasel. The major changes I made in about:config are DOM, offline storage & caching disabled, user agent string changed to JonDoFox's and the content & encoding types edited. As you can see I get a yellow box for the signature when in fact our hash values and ua strings are the same. I cannot figure out why this is. I don't have Refcontrol installed but I'd not think that would make the difference.
What do you mean?
That was a Tor screen shot you were looking at...
This is my Firefox;
Turn your cookies off and use RequestPolicy;
I wonder how/if it's possible to get the "HTTP Session" in the green? You would think there'd be a simple setting in about:config somewhere to set the length, similar to the sessionstore interval setting.
And no matter what I put down for "Useragent", it comes up red. Even if I enter exactly what it recommends to enter for the value, it comes up red. And I'm using a very common OS, and browser.
I'm speaking in terms of using no VPN or Proxy, as that's what this thread is about... being able to tweak FF to get it as private/anonymous as possible by itself.