Firefox - Change These For Better Privacy - Security

Discussion in 'privacy technology' started by DasFox, Oct 12, 2011.

Thread Status:
Not open for further replies.
  1. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    How does changing the user agent string affect privacy?
     
  2. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Just install http headers live and have a look at what data sites request from the browser.
     
  3. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    They can see what browser we are using. So what? I mean if we change user agent string to different Firefox version, they will see that string, so I didn't understand the reason behind it!
     
  4. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Here are some things I noticed after reading through all of this more thoroughly.

    There's a lot of things in the JonDonym test results which say that the browser I'm testing makes me stand out from other JonDonym users, but these are all things that JonDoFox corrects. Since JonDoFox's user base would be much less than even that of TOR bundle, how are JonDoFox's settings (like changing the default accepted language from [en-us, en] to [en-us]) making me less identifiable by using non-standard values? o_O

    We've so far established that we cannot yet change the charset value. Mousing over 'medium' tells me I have default values for the Torbutton profile and says I differ from other JonDonym users. Tor uses the default charset values from Firefox, so..yeah, I know! Those "other" JonDonym users are anomalous when compared to normal internet users.

    About the http header signature hash value, the token in the JonDonym test ending in c715 is NOT our actual value. Mouse over 'medium' in the signature row, it will show your real value and what makes up that value. I have no idea what this c715 signature corresponds to.

    I tried the JonDoFox browser (it's a plugin to spawn a profile actually, not a full browser like TOR's) in a Debian VM. JonDoFox shows no result for charset and instead of the c715 signature, there is a "generic" Firefox header hash value signature which (for me) ends in 9446. That still doesn't match the sig hash value of my browser when using the JonDoFox plugin, regardless of whether the signature row in the test results is orange or green! In this pic, the actual signature hash ended in 9d6f.
    http://i42.tinypic.com/5ctw2.png

    The TOR browser header signature hash shows green but it still has its own individual value. The JonDonym test shows the language, charset and content types for the TOR browser are the same as the new, unmodified Firefox install. They are all green with TOR browser but orange in Firefox.

    According to Panopticlick, the TOR browser bundle has this as its http_accept header;
    [text/html, */* ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip, deflate en-us,en;q=0.5]

    and that yields 4.96 bits of identifying information for the header alone. That is the exact same (both the value and the bits of ID) as an unmodified install of Firefox 9.0.1. Contrast that to JonDonym's http header of:
    [text/html,application/xml,*/* gzip, deflate en-us]

    with 11.1 bits of info. Using the values mentioned previously in this thread for language, encoding and http.network.accept.default, I end up with 10.93 bits of identifying information and the header of [text/html, */* ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip, deflate en-us]. But THAT header can be brought back down to 4.9 simply by keeping the FF default setting for accepted language.

    I'm going to continue researching this for an article on fingerprinting for my site. It's very Schrödinger's Cat-ish, annoyingly contradictory and extremely tedious. I don't see a set of standardized settings coming out of this (possibly) unless you disable all plugins and JavaScript. Even then, you stick out as not accepting those features so you're an anomaly and for many, that's not an everyday solution to plugging browser leaks. When an attacker can use something like clock skew as an information point in identification, I begin looking in the direction of 'throw away' sessions and public computers for a 'they go high tech, you go low' sort of escape method.
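
The bit figures quoted from Panopticlick in the post above are surprisal values: a value sent by one browser in N carries log2(N) bits, so 4.96 bits is roughly one in 31 browsers and 11.1 bits roughly one in 2,195. The sketch below is an added example, not part of the original post and not Panopticlick's code; the population counts and all function names are constructed for illustration.

```javascript
// Header sets as quoted in the post above (accept, charset, encoding, language).
const FIREFOX_DEFAULT = {
  accept: "text/html, */*",
  charset: "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
  encoding: "gzip, deflate",
  language: "en-us,en;q=0.5",
};
// Same as the default, but with the accepted language trimmed to "en-us".
const TRIMMED_LANGUAGE = { ...FIREFOX_DEFAULT, language: "en-us" };
// The JonDonym-style header: different Accept value, no charset, "en-us" only.
const JONDO_STYLE = {
  accept: "text/html,application/xml,*/*",
  charset: "",
  encoding: "gzip, deflate",
  language: "en-us",
};
// Constructed extra group so the sample is not all English-language defaults.
const GERMAN_DEFAULT = {
  ...FIREFOX_DEFAULT,
  language: "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3",
};

// Constructed population: the counts are invented, not measured data.
const POPULATION = [
  { headers: FIREFOX_DEFAULT, count: 512 },
  { headers: GERMAN_DEFAULT, count: 448 },
  { headers: TRIMMED_LANGUAGE, count: 48 },
  { headers: JONDO_STYLE, count: 16 },
];

// Number of visitors whose headers agree with `profile` on every listed field.
function anonymitySet(population, profile, fields) {
  return population
    .filter(({ headers }) => fields.every((f) => headers[f] === profile[f]))
    .reduce((sum, { count }) => sum + count, 0);
}

// Surprisal in bits: log2(total / visitors sending the same value).
// A value nobody else sends has no anonymity set, reported as Infinity.
function bits(population, profile, fields = Object.keys(profile)) {
  const total = population.reduce((sum, { count }) => sum + count, 0);
  const same = anonymitySet(population, profile, fields);
  return same === 0 ? Infinity : Math.log2(total / same);
}

// Inverse reading of a bit score: "one in N browsers shares this value".
function oneIn(bitScore) {
  return Math.round(2 ** bitScore);
}

// Per-profile summary: whole-header bits, language-only bits, set size.
function report(population, profiles) {
  return Object.entries(profiles).map(([name, p]) => ({
    name,
    headerBits: bits(population, p).toFixed(2),
    languageBits: bits(population, p, ["language"]).toFixed(2),
    sharedWith: anonymitySet(population, p, Object.keys(p)),
  }));
}

console.table(
  report(POPULATION, {
    "Firefox default": FIREFOX_DEFAULT,
    "language trimmed": TRIMMED_LANGUAGE,
    "JonDonym style": JONDO_STYLE,
  })
);
console.log("4.96 bits = one in", oneIn(4.96), "| 11.1 bits = one in", oneIn(11.1));
```

In this constructed sample the default header costs 1 bit, while trimming only the language moves the browser into a group of 48 and costs about 4.4 bits.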
     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    To be honest I doubt you'll get an answer from anyone on the depth that you are covering, so I'd honestly shoot an email to JonDo and ask them these questions, because I don't really know.

    What I've tried to shoot for is something more like Tor for security and whether or not it makes it more identifiable I'm not sure.

    But what I have seen is this;

    1. Go with the crowd be less identifiable and be less secure, because do you think the average computer users are more secure? They're not...

    2. Be more secure and more identifiable, but is it really much of a risk? So far I don't see any evidence that can prove you are...

    By the way here's my latest screen shot with Firefox 10; (Charset is missing, not sure why, maybe Firefox 10, but I don't have java installed...)

    http://i.imgur.com/jMeVe.png
     
    Last edited: Feb 3, 2012
  6. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok here's an update and how it relates to JonDonym's test.

    The Charset does not show up anymore for Firefox 10, so I don't know if this is a good thing, or their site is not supporting this in the new version.

    Also something I never really stopped to consider, but the JonDo site I realize is just trying to sell you their product and the information they share with you about the user-agent strings is not correct, that also makes me wonder about some of the other things, but at least when it comes to java/javascript related things it's good...

    This is the mistake they made that I overlooked, that made me realize they're just trying to pitch their product to you to make it look good and anything else you're doing as bad. Well sorry it's TOTAL BS! :thumbd:

    All they're saying is by using a common user-agent string for an older version of Firefox you're safer, well this calls for a BIG LMAO because you're not! And then they're making it seem like what you are using is uncommon and their user-agent is better, sorry it's not!

    Let's get one thing straight, there's no such thing as a common or uncommon user-agent unless you made it up, otherwise they're all common, meaning real, if you used a real one.

    So don't worry it's telling you it's bad and red, just be sure to use a user-agent string for a different OS and Browser version and you'll be fine, as an example;

    This is a user-agent string for Windows 7 x64;

    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

    This is a user agent string for XP;

    Mozilla/5.0 (Windows NT 5.1; rv:10.0) Gecko/20100101 Firefox/10.0

    And here's what JonDo recommends, so what do you notice?

    Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0

    Here's the user-agent for the latest version of Tor;

    Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0

    JonDo has simply changed the version of Firefox is all to 6.0 for Windows 7, so think to yourself, how do you think this makes you more safe? It doesn't, it's TOTAL BS!

    NT 5.1 = XP
    NT 6.1 = Win7

    So what they're telling you to do that they give you a Green on is making you actually look more unique and identifiable through browser fingerprinting, because how many people do you honestly think running Windows 7 are still using Firefox 6x? I doubt many...

    I also don't understand why the Tor Project seems to think there's something special to their user-agent, it's just Windows 7 running Firefox 5.0, they could actually make it the real version you're using and it would be just fine.

    As I mentioned before simply changing the user-agent isn't good enough if you want to look like another system, meaning you're using Windows and you want it to look like Apple or Linux, then you need to go back and read all the setting changes I made and make those for that system. But there is still Flash, I have not figured out how to make Flash on Windows look like Flash on another OS and Flash will give you away! So for now the simplest way to hide it is behind NoScript, not allowing sites to read it... Or don't install it, LOL... ;)

    BrowserSpy will help you to see if your browser looks like the entire new system;

    http://browserspy.dk/
     
    Last edited: Feb 5, 2012
  7. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Thanks for posting again, DasFox. I'm certainly in your corner here and I don't think the JonDonym test is worth a lot. One of the main things I took away from all of the EFF's publications about fingerprinting and results from the Panopticlick experiment, is that every little change you make to your browser contributes to a unique signature. The largest variation among people's browser fingerprints comes down to system fonts and plugins.

    Like I said, I'm going to keep working at this. I'll contact the JonDo, Mozilla and Panopticlick people and look into what the specialized fingerprinting software does and how it's used. I'm also interested in why TOR chose FF5. Panopticlick does show that as having a very low amount of identifying bits compared to later versions, from what I've seen. I'm not sold on the idea though, that more people are using FF5 than 7, 8, or 9. I'd more easily believe there are more people still using 3.6.3 than version 5, and Firefox 10 already?? Wasn't 9.0.1 out for all of like...2 hours?

    In a couple of weeks I'll have some order to mix with the chaos. Hopefully sooner, but school is sucking up all my free time lately.
     
    Last edited: Feb 6, 2012
  8. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well the post is about security and making it look like another OS, but keeping things normal, not uncommon so that there is nothing unusual going on, that's the point.
     
  9. guest

    guest Guest

    Would it be possible for someone to create a profile for the less tech orientated?
     
  10. tlu

    tlu Guest

    Well, not a profile but a user.js file as mentioned in post #29. Technically no problem, but someone has to do it ;) Perhaps DasFox?
     
  11. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    For a Linux system I know how to make everything look like Windows...

    This is not tech orientated at all, it's simply changing settings in about:config is all...

    These are the settings I use below for a Linux system to make it look like Windows. Since I do run Linux I'll play with those settings to see if I can change them in Windows to make it look like Linux with the same results on BrowserSpy and when I'm satisfied it's correct I'll post that here...

    Then once you've made the changes you can test the browser at BrowserSpy

    http://browserspy.dk/

    The only thing I haven't figured out is if there's a way to spoof flash to look like another system on Linux, but I've read this might be possible on Windows, so the simplest thing to do in the meantime is to use NoScript and not allow the JavaScript on pages you don't trust....

    In the Firefox Preferences - Advanced - Network - Offline Storage (check 'Override automatic cache management' - 'Limit cache to 0 MB of space')

    Code:
    browser.cache.disk.enable - (user set boolean)
    false
    
    browser.cache.offline.enable - (user set boolean)
    false
    
    browser.search.suggest.enabled - (user set boolean)
    false
    
    browser.sessionstore.privacy_level - (user set integer)
    2
    
    dom.storage.enabled - (user set boolean)
    false
    
    general.appname.override - (user set string)
    Netscape
    
    general.appversion.override - (user set string)
    5.0 (Windows)
    
    general.buildID.override - (user set string)
    0
    
    general.oscpu.override - (user set string)
    Windows NT 6.1
    
    general.platform.override - (user set string)
    Win32
    
    general.productSub.override - (user set string)
    20100101
    
    Change this to whatever browser string you want. Below is Win7 on FF 6.0
    general.useragent.override - (user set string)
    Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
    
    general.useragent.vendor - (user set string)
    value = empty
    
    general.useragent.vendorSub - (user set string)
    value = empty
    
    geo.enabled - (user set boolean)
    false
    
    I don't see this string anymore in FF 10.0 so I'm not sure if it's needed.
    geo.wifi.uri - (user set string)
    leave 'value' blank
    
    This is what Tor uses and I'm still trying to figure it out
    intl.charsetmenu.browser.cache - (user set string)
    UTF-8
    
    intl.accept_languages - (user set string)
    en-us
    
    network.cookie.lifetimePolicy - (user set integer)
    2
    
    network.http.accept.default - (user set string)
    text/html,application/xml,*/*
    
     
    Last edited: Feb 9, 2012
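
The thread's point that changing the user-agent alone is not enough can be checked mechanically: the OS named in the UA string has to agree with the platform, oscpu, appversion and productSub values a page can read. The following is an added example, not code from the thread or from Firefox; the function names, the per-OS patterns and the Linux baseline values are simplified assumptions, and it also renders the listing above as a user.js file.

```javascript
// Overrides copied from the about:config listing in the post above.
const WINDOWS_SPOOF = {
  "general.useragent.override":
    "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0",
  "general.appname.override": "Netscape",
  "general.appversion.override": "5.0 (Windows)",
  "general.buildID.override": "0",
  "general.oscpu.override": "Windows NT 6.1",
  "general.platform.override": "Win32",
  "general.productSub.override": "20100101",
  "intl.accept_languages": "en-us",
  "geo.enabled": false,
  "network.cookie.lifetimePolicy": 2,
};

// Constructed baseline (assumption): what an unmodified Firefox on 64-bit
// Linux would report, keyed by the override pref that would replace it.
const LINUX_REAL = {
  "general.appversion.override": "5.0 (X11)",
  "general.oscpu.override": "Linux x86_64",
  "general.platform.override": "Linux x86_64",
  "general.productSub.override": "20100101",
};

// Simplified per-OS patterns for the UA token and the matching properties.
const FAMILIES = {
  windows: { ua: /Windows NT/, platform: /^Win/, oscpu: /^Windows NT/, appversion: /\(Windows\)/ },
  mac: { ua: /Macintosh/, platform: /^Mac/, oscpu: /Mac OS X/, appversion: /\(Macintosh/ },
  linux: { ua: /X11|Linux/, platform: /^Linux/, oscpu: /^Linux/, appversion: /\(X11/ },
};

function osFamily(ua) {
  return Object.keys(FAMILIES).find((name) => FAMILIES[name].ua.test(ua)) || null;
}

// Returns a list of contradictions between the UA string and the other values.
// `real` holds what the browser reports where no override is set.
function checkConsistency(overrides, real = {}) {
  const eff = { ...real, ...overrides };
  const ua = eff["general.useragent.override"] || "";
  const family = osFamily(ua);
  if (!family) return ["user agent names no OS family this sketch knows"];
  const findings = [];
  for (const key of ["platform", "oscpu", "appversion"]) {
    const value = eff[`general.${key}.override`];
    if (value === undefined || value === "") continue; // blank: nothing to contradict
    if (!FAMILIES[family][key].test(value)) {
      findings.push(`${key} "${value}" does not look like ${family}`);
    }
  }
  // Windows version in the UA must match the one in oscpu (NT 5.1 vs NT 6.1).
  const ntUa = /Windows NT (\d+\.\d+)/.exec(ua);
  const ntCpu = /Windows NT (\d+\.\d+)/.exec(eff["general.oscpu.override"] || "");
  if (ntUa && ntCpu && ntUa[1] !== ntCpu[1]) {
    findings.push(`UA says NT ${ntUa[1]} but oscpu says NT ${ntCpu[1]}`);
  }
  // The Gecko/ token in the UA is what productSub reports.
  const gecko = /Gecko\/(\d+)/.exec(ua);
  const sub = eff["general.productSub.override"];
  if (gecko && sub && gecko[1] !== sub) {
    findings.push(`UA says Gecko/${gecko[1]} but productSub is ${sub}`);
  }
  return findings;
}

// Render a pref set in user.js syntax: one user_pref(name, value); per line.
function renderUserJs(prefs) {
  return Object.entries(prefs)
    .map(([name, value]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
    .join("\n") + "\n";
}

const uaOnly = { "general.useragent.override": WINDOWS_SPOOF["general.useragent.override"] };
console.log("UA-only change on Linux:", checkConsistency(uaOnly, LINUX_REAL));
console.log("Full listing:", checkConsistency(WINDOWS_SPOOF, LINUX_REAL));
console.log(renderUserJs(WINDOWS_SPOOF));
```

Firefox reads a user.js file from the profile folder at startup and applies each user_pref line as if it had been set in about:config.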
  12. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
  13. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Here's how to spoof yourself as Safari on Apple OSX. The values were taken from an actual Mac I messed with earlier today. The sales rep said they have a program installed on all the machines which resets them to a previous image so I'm not sure if this is the most up to date versions.

    I was using a Debian VM and Firefox 9.0.1. You can likely make anything else just as convincingly look like Linux by using Linux specific values. OSX doesn't come packaged with Flash but it does include JRE. Here are some pics between the two.

    Browserspy.dk Browser view
    Safari http://i42.tinypic.com/2eg9tec.png
    Firefox/Debian http://i40.tinypic.com/2h6ztbo.png

    The vendor doesn't show up as Apple. I can't get it to for some reason even when changing vendor.override like below. Then, since oscpu.override must be added, it shows as a blank. It needs to be there or else it would show as a Linux architecture or Windows NT version.

    Http headers
    Safari http://i42.tinypic.com/aaxhdt.png
    Firefox/Debian http://i41.tinypic.com/mrbl0m.png

    Editing to add:
    Accepted charsets is NOT listed on FF10. For anything beforehand, you can make the Cache Control area disappear by disabling caching. May or may not be worth it to you.
    Code:
    network.http.use-cache; false
    JonDonym
    Safari http://i43.tinypic.com/2u90dnr.png
    Firefox/Debian http://i44.tinypic.com/wvvcsw.png

    Charset is still there (remember, this is w/FF9) and then there's the c715 header hash signature which again, is NOT the actual signature of the browser when running the test. On the JonDonym test there's a little area to the right of the first results box. It has your IP, ISP and browser type. This showed as Firefox with the real Mac.

    Editing to add:
    On FF10, the 9446 header hash signature is what JonDonym shows, not the c715. The actual hash value I got from doing this on Windows XP with FF10 disguised as Safari/OSX matched that of the real Mac system.


    Here are the strings.
    Code:
    general.appversion.override; Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
    
    general.oscpu.override; [leave blank]
    
    general.platform.override; MacIntel
    
    general.useragent.vendor; Apple Computer, Inc.
    This doesn't show in browserspy.dk but it's the value for the real Safari so I choose to include it
    
    general.useragent.override; Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
    
    intl.accept_languages; en-us
    
    network.http.accept.default; application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 
    DasFox, for this one,
    Code:
    network.http.accept.default; text/html,application/xml,*/*
    why do you change it? Just curious because the only place that value appears is in JonDonym. Tor uses the default FF string. I personally choose to leave that value alone.
     
    Last edited: Feb 15, 2012
  14. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    The sales rep, what you walked into an Apple store and started messing with a Mac? LOL

    I only changed the network.http.accept.default; text/html,application/xml,*/* string at this point for the JonDo test, I haven't looked into this anywhere else, but even though Tor doesn't change the actual string in the about:config it's still being spoofed to show Green on JonDo and this is the only way I know how...
     
  15. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Hey, gotta do whatcha gotta do! :D

    The JonDonym test says this signature hash value is a product of the order of different elements in your http headers. Regardless of the Firefox version, OS or anything else, I see this order is the same as reported by the JD test even though they vary in content.

    I went over to my fresh, unmodified FF10 install in a Windows XP VM. Here is a shot from the JonDonym test.
    http://i40.tinypic.com/35klno2.png

    Notice the actual value, the part under "Your Individual Header Signature".

    Now here is a fresh install of the JonDoFox profile into that same FF10 as above. The user agent string and accepted languages were by default, still those from normal Firefox. These two things needed to be set as recommended in the JonDonym test for all green to show. Result is this.
    http://i42.tinypic.com/15bt3o.png

    But again, look at the actual hash value under "Your Individual Header Signature". It's still different than the "JonDoFox Individual Header Signature" yet I'm told that my header signature matches that of JonDoFox? This obviously also shows if you just change the header elements in FF and not use the JDF profile. However, the order of header elements shown in the rollover image from both an unmodified Firefox and JDF is always the same, albeit with different values.

    Here are the headers according to browserspy.dk.

    FF10 WITH cookies
    http://i42.tinypic.com/ncfprr.png

    FF10 WITHOUT cookies
    http://i41.tinypic.com/35codbp.png

    and you'll notice that FF10 with no cookies has the same elements as the JonDoFox profile which is below.
    http://i44.tinypic.com/2cmkdar.png


    So I'm thinking this signature value is pretty arbitrary and even if it's not, JonDoFox's signature would be easily picked out of a list of hashes of generic Firefox users. It doesn't transmit identifying information beyond the spoofed user agent string and nothing is added or removed from the header when that box is green. So I simply don't see the point.

    I'm against changing otherwise standard values of the browser to become less easily identifiable and that's what I think we do by conforming to the JonDonym test. I have emails out to JonDos GmbH asking for some clarification from their perspective. Also some stuff to the Tor group and the EFF about Panopticlick so we'll see what that accomplishes.

    Thoughts? Comments?
     
    Last edited: Feb 15, 2012
  16. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    It's the user agent string; ;)

    Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0

    Here's mine;

    http://postimage.org/image/92qjmj6rv/

    I'm not too sure how much faith I place in this since that's Win7 running FF6.0 and how many people might be doing that is the question... This then gets down to fingerprinting, how unique is this...
     
    Last edited: Feb 15, 2012
  17. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    That's exactly my point! FF6 was a release more people spent complaining about than actually using. Not to mention, FF automatically notifies about updates in Windows. I'd say anyone still on FF6 would be very unique. Panopticlick says that it is not, but Panopticlick isn't collecting new data anymore so its results are based only on just over the 470,000 unique browser fingerprints it gathered while the experiment was ongoing.

    That green hashed token value which is exclusive to JonDoFox and JonDonym's recommended settings is unique compared to FF and TOR, both of which (I'm assuming) have the majority of users compared to JonDoFox. What I'm getting at is, I think that signature value isn't useful and should be avoided for its use of non-standard elements.

    As for what to use as a FF version, I've asked the TOR guys why they chose version 5 when they build the TOR browser bundle out of version 9 (as of a week ago). I personally would just use the real browser numbers though Mozilla may have some stats on the most widely used FF version. Fingerprinting is very difficult to avoid in some form, I think the user agent string is actually going to be one of the least concerning things you have control over unless going cross platform. I also think that spoofing from a newer version of Firefox to an older one isn't worthwhile. Plus, with no charset in the http headers (I think it is worthwhile though, to make the headers as generic as possible), a user agent of FF6 (or up to version 9) but no charset received, would be anomalous.
     
    Last edited: Feb 15, 2012
  18. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I've still run across a lot of people running XP and FF 3x...

    I haven't spent any time with this, to know how unique 6.0x is and I've wondered too why JonDo and Tor seem to think these versions are good...

    So it would be great if you don't mind taking the ball and waiting on Tor and then asking JonDo, you said you asked Tor a week ago?

    So you contacted Panopticlick and they said 6x wasn't unique?

    Here's browser stats, not versions;

    http://www.w3schools.com/browsers/browsers_stats.asp

    Here's for versions; (According to this for the world it's still FF3.6 & 4.x)

    http://gs.statcounter.com/#browser_version-ww-monthly-201101-201201

    This here is just showing FF 3.x & 8.x

    http://www.w3counter.com/globalstats.php

    Here's a nice breakdown with versions/stats;

    http://www.w3schools.com/browsers/browsers_firefox.asp
     
    Last edited: Feb 15, 2012
  19. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    I don't quite understand what you mean by the take the ball thing. I emailed Tor and the EFF last Thursday but what I was referencing specifically in saying "one week ago" was that as of then, the Tor bundle comes with Firefox 9.0.1 labeled as Aurora and the ua string still points to version 5. Maybe it's changed it since then, I haven't checked back.

    I emailed JonDos today because I hadn't had time to look at this signature thing more closely and I wanted to make sure I included that in my letter to them. I haven't heard back from anyone yet. There are phone numbers I'll look into as well if it becomes clear they're not responding to emails.

    The Panopticlick test said that 5x was nearly twice as unique compared to 6x. These two pics show this. It's FF8 on Linux with spoofed info and NoScript.

    FF5
    http://i40.tinypic.com/29vhpww.png

    FF6
    http://i40.tinypic.com/2lwn5ow.png


    But..yeah, I'm running out of things to say! I think I had better sit back and wait to get info from the companies I mentioned before anything else. I don't want to start speculating further than I already have.

    Thanks for those links! Interesting, I hadn't thought to look at W3schools for statistics. Also interesting is the disparity between IE8 and 9 in the Statcounter chart.
     
  20. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Take the football man and run! LOL... ;) But that's what you did when you asked the questions to Tor and JonDo....

    For the Panopticlick screen shots those will be ok if you only changed the user-agent, otherwise if you changed other settings it's not going to be accurate and you'll look more unique, which I'm sure you realize, but just saying in case you forgot when you tested it...

    All I can say for now is I think FF5 and FF6 are a bit odd to be using, I'd rather use 3.6x or 8.x...
     
  21. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    For measuring the user agent string alone, it wouldn't matter. For the total browser fingerprint, yes I see what you're saying. :)

    Agreed, coupled with Windows XP x32 or 7 x64 for the win! :thumb:
     
  22. guest

    guest Guest

    I tried doing what you guys have posted, but on Windows 7, 3/4 of the settings you say to change aren't there when I try to change them. Is that because it's Windows or are you using different Firefox versions?
     
  23. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    You need to create the ones you don't see. Whether it's Windows or not, or the FF version isn't important for these settings.

    In about:config, right click. Select New, then String. Then enter the name of the string, (ex. general.platform.override) then OK. Enter its value, (ex. Win64) then OK.

    Then you'll see the change.
     
  24. guest

    guest Guest

    Ok I have a problem I have copied everything from post https://www.wilderssecurity.com/showpost.php?p=2014022&postcount=86

    But I get the following errors http://imgur.com/M54fH

    Recommended: Your browser should not cache any third party content at all, or should at least delete them upon moving to another site.

    Firefox: Use JonDoFox. Alternatively, you may switch off the cache completely: about:config, browser.cache.disk.enable:false, browser.cache.memory.enable:false

    I have both them disabled and cache is turned off and history is too.
     
  25. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    Try switching this off.
    network.http.use-cache; false

    And DasFox said a few pages back that Request Policy makes the http authentication turn green.
    www.requestpolicy.com

    What version of Firefox are you using, 10? Your content types are unchanged from default settings, yet your signature is green. Haven't seen that before.

    Edit:
    Nevermind, I can get that in 10 also.
     
    Last edited: Feb 19, 2012