Firefox Lockdown

Discussion in 'privacy technology' started by guest, Sep 8, 2014.

  1. guest

    guest Guest

    The security section is kind of boring as of now. So I'll just start bugging everyone in the privacy section then. =V

    I was messing around with about:config, well I'm using Pale Moon but this also should be applicable to Firefox and its derivatives. These tips have been mentioned very often, but they are sporadic and as far as I'm aware of there's no single place to gather them in one place for an easy access. So far I only have done some small configurations:

    Code:
    browser.cache.disk.enable = false
    browser.cache.memory.enable = false
    browser.send_pings = false
    geo.enabled = false
    network.dns.disableIPv6 = true
    network.http.sendRefererHeader = 0
    
    If people have more info about what else needs to be configured in about:config then feel free to mention it. So anyone who wishes to harden their browser will only need to look in one place and won't be missing/forgetting any manual configuration.

    Note: browser.send_pings is set to "false" by default in Pale Moon. I don't know how it is in Firefox and other derivative browsers; I mentioned it just for the sake of notification.

    WARNING!
    Keep in mind that some of these tweaks may cause problems in your browsing experience. For example, network.http.sendRefererHeader set to 0 may give you problems when accessing your Outlook Mail account in your web browser. Try to set it to 1 and see if it fixes your problem.
     
    Last edited by a moderator: Sep 10, 2014
  2. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Code:
    plugin.expose_full_path  false  // websites can't see the full path via navigator.plugins
    plugins.notifyMissingFlash  false  // block Flash notifications from appearing in the browser
    permissions.default.image  3  // load images from the original server only
    dom.battery.enabled  false  // fingerprinting due to differing OS implementations
    dom.network.enabled  false  // fingerprinting due to differing OS implementations
    dom.storage.enabled  false  // sites can store per-session or domain-specific data as name/value pairs on the client using DOM Storage
    
     
    Last edited: Sep 9, 2014
  3. guest

    guest Guest

    Two options from RequestPolicy addon which you can configure within the browser itself:

    Code:
    network.dns.disablePrefetch = true
    network.prefetch-next = false
    
     
    Last edited by a moderator: Sep 10, 2014
  4. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Do you know what setting(s) Request Policy uses to "not send" any HTTP authentication data to third-party sites?
    (third party tracking by authenticated headers)
    I don't think this is configurable through browser (about:config) settings without using something like Request Policy.
     
  5. guest

    guest Guest

    I'm not sure, but I also don't think it's possible. Browser configurations never really allow such flexibility.
     
  6. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    According to kb.mozillazine.org when setting network.http.sendSecureXSiteReferrer (default is true)
    then network.http.sendRefererHeader must be set to 1 or 2 for this preference to have an effect.

    network.http.sendSecureXSiteReferrer; false = Don't send the Referer header when navigating from a https
    site to another https site.
    Those concerned with privacy can set this to false, realizing that this may adversely affect some sites.

    network.http.sendRefererHeader (default is 2 - send the Referer header)
    Those concerned with privacy can set this to 0, realizing that this may adversely affect some sites.
    Disabling Referer headers may cause some functionality on some sites to no longer work.
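    The following is an added example (not from this thread and not Mozilla's code) that models the Referer decision the three preferences above control, so you can see which requests lose the header under each setting. The levels follow the kb.mozillazine description quoted above (0 = never, 1 = clicked links only, 2 = links and embedded content); network.http.sendSecureXSiteReferrer = false suppresses the header between two different https hosts; and an https referrer is never sent to an http target, which is standing Gecko behaviour independent of these prefs. The hostnames in matrix() are constructed.

```javascript
// Model of Gecko's Referer decision under the prefs discussed in the thread.
// Added example, not Mozilla code; see the lead-in for the rules it encodes.

const DEFAULT_PREFS = {
  "network.http.sendRefererHeader": 2,
  "network.http.sendSecureXSiteReferrer": true,
};

/**
 * @param {object} prefs     about:config overrides; missing keys use DEFAULT_PREFS
 * @param {string} fromUrl   the page issuing the request
 * @param {string} toUrl     the request target
 * @param {"link"|"embedded"} kind  user-clicked navigation vs. image/script/frame load
 * @returns {string|null}    Referer value that would be sent, or null for none
 */
function refererFor(prefs, fromUrl, toUrl, kind) {
  const p = { ...DEFAULT_PREFS, ...prefs };
  const level = p["network.http.sendRefererHeader"];
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  if (level === 0) return null;                              // 0: never send
  if (level === 1 && kind !== "link") return null;           // 1: clicked links only
  const fromSecure = from.protocol === "https:";
  if (fromSecure && to.protocol !== "https:") return null;   // never leak https -> http
  if (fromSecure && from.host !== to.host &&
      p["network.http.sendSecureXSiteReferrer"] === false) {
    return null;                                             // https cross-host disabled
  }
  // Credentials and the fragment are never part of a Referer value.
  from.username = "";
  from.password = "";
  from.hash = "";
  return from.href;
}

// Run a set of constructed scenarios under one pref set, to see what a setting
// of 0 or 1 breaks (e.g. a login flow that checks the referrer, like the
// Outlook case mentioned at the top of the thread). Hostnames are made up.
function matrix(prefs) {
  const cases = [
    ["same-site link",        "https://mail.example/inbox", "https://mail.example/read?id=1", "link"],
    ["cross-site https link", "https://mail.example/inbox", "https://login.example/auth",     "link"],
    ["https -> http link",    "https://mail.example/inbox", "http://news.example/",           "link"],
    ["third-party image",     "https://mail.example/inbox", "https://cdn.example/logo.png",   "embedded"],
  ];
  return Object.fromEntries(
    cases.map(([name, a, b, kind]) => [name, refererFor(prefs, a, b, kind)]));
}
```

    Calling matrix({ "network.http.sendRefererHeader": 1 }) shows the trade-off KeyPer4Life describes: link clicks still carry a Referer (so most login redirects keep working) while embedded third-party loads stop leaking the page you are on.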
     
  7. guest

    guest Guest

    IMO the inter-HTTPS referer should be fine to leave at its default state.
     
  8. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    RP extension doesn't rely on any native (about:config) settings. It observes the on-modify-request event
    https://developer.mozilla.org/en/docs/Setting_HTTP_request_headers#Observers
    and (per rules you've setup) achieves "not send" by killing/cancelling any HTTP request intended for 3rd-party destination.

    By the way, RP has been recently "reborn" & is being actively developed: https://github.com/RequestPolicyContinued/requestpolicy
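    As an added illustration of inka's description (this is not RequestPolicy's own code, and it is not from the thread), the model below does what the http-on-modify-request observer does in miniature: classify each outgoing request as same-site or third-party relative to the page that issued it, and cancel it unless a rule allows it. A cancelled request never leaves the browser, which is why any Cookie or Authorization header it carried goes nowhere, answering the "not send any HTTP authentication data" question without any about:config setting. The multi-label suffix set and the sample page load are constructed stand-ins; a real implementation would consult the Public Suffix List.

```javascript
// Miniature model of a RequestPolicy-style third-party request blocker.
// Added example, not RequestPolicy code. MULTI_LABEL_SUFFIXES is a tiny
// constructed subset of the Public Suffix List, enough for the demo below.

const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

// "base domain" = registrable domain (eTLD+1): www.example.com -> example.com,
// static.example.co.uk -> example.co.uk. IPs and single labels are returned as-is.
function baseDomain(hostname) {
  const h = hostname.toLowerCase();
  if (/^[\d.]+$/.test(h) || h.startsWith("[")) return h;
  const labels = h.split(".");
  if (labels.length <= 2) return h;
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function isThirdParty(originUrl, requestUrl) {
  return baseDomain(new URL(originUrl).hostname) !== baseDomain(new URL(requestUrl).hostname);
}

class RequestPolicy {
  // rules: [{ origin: "<base domain>" | "*", dest: "<base domain>" | "*" }]
  constructor(allowRules = []) {
    this.allowRules = allowRules;
    this.log = [];
  }

  allows(originUrl, requestUrl) {
    if (!isThirdParty(originUrl, requestUrl)) return true;
    const o = baseDomain(new URL(originUrl).hostname);
    const d = baseDomain(new URL(requestUrl).hostname);
    return this.allowRules.some(r =>
      (r.origin === "*" || r.origin === o) && (r.dest === "*" || r.dest === d));
  }

  // Stand-in for the http-on-modify-request handler: the decision is made before
  // the request is sent, so a cancelled request transmits no headers at all.
  onModifyRequest(originUrl, request) {
    const allowed = this.allows(originUrl, request.url);
    const entry = {
      url: request.url,
      action: allowed ? "allow" : "cancel",
      sentHeaders: allowed ? { ...request.headers } : {},
    };
    this.log.push(entry);
    return entry;
  }
}

// Constructed page load: a first-party script, a CDN allowed by rule, and a
// tracker request that would otherwise carry an Authorization header.
function demo() {
  const rp = new RequestPolicy([{ origin: "news.example", dest: "cdn.example" }]);
  const origin = "https://www.news.example/article/1";
  const requests = [
    { url: "https://www.news.example/app.js", headers: {} },
    { url: "https://static.cdn.example/lib.js", headers: {} },
    { url: "https://tracker.example/px?id=1", headers: { Authorization: "Basic dXNlcjpwYXNz" } },
  ];
  return requests.map(r => rp.onModifyRequest(origin, r));
}
```

    demo() returns allow, allow, cancel; the tracker entry has an empty sentHeaders, which is the whole point: the credential never left the browser because the request did.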
     
  9. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Well what can I say. I guess I like to go all out on HTTPS.

    Code:
    security.enable_tls_session_tickets; false  // disable https-tracking
    security.ssl.enable_false_start; true  // disable https-tracking
    
    NOTE: Default setting for _tickets is true and default setting for _start is false.

    Code:
    browser.cache.disk_cache_ssl;  // default true
    allows the caching of secure web pages in your browser disk cache, but you may want to set this to false.

    I also checked into Pale Moon RC4 encryption ciphers. Of the 6 listed 2 are set to false
    and 4 are set to true. This may need to be addressed in Firefox and all Mozilla based forks.
     
    Last edited: Sep 14, 2014
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Thanks for info. I take it though that if one is not using Request Policy, authenticated header tracking is taking
    place, but the data will be deleted once the browser is closed.
    Of course that doesn't solve the problem when one has a browser session open and is sending data to third-party destinations.
     
  11. guest

    guest Guest

    But the two options (disable DNS prefetching and disable link prefetching) in the advanced tab rely on about:config, right?
     
  12. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    When you install Request Policy -> Advanced tab yes link prefetching and DNS prefetching are disabled
    on startup and restored back to default when Request Policy is uninstalled.

    (about:config)
    Code:
    extensions.requestpolicy.prefetch.dns.disableOnStartup; true
    extensions.requestpolicy.prefetch.link.disableOnStartup; true
    
    (about:config)
    network.prefetch-next; false // disable link prefetching
    network.dns.disablePrefetch; true // disable DNS prefetching
    network.dns.disablePrefetchFromHTTPS; true (NOTE: creating this preference and setting it to FALSE
    will enable DNS prefetching for secure links and objects)

    NOTE: Don't know if Request Policy handles HTTPS DNS prefetching.
     
    Last edited: Sep 12, 2014
  13. WeAreAllHacked

    WeAreAllHacked Registered Member

    Joined:
    May 22, 2014
    Posts:
    28
    If you are a bit paranoid you will touch all the things that you don't need, such as WebGL, a lot of the things under media: wave, opus, ogg and probably more. WebGL for instance has a bad security history and it's very likely it could contain more issues that can help an attacker compromise your privacy and security. You should also consider sacrificing usability and disabling JavaScript totally; the JavaScript code is constantly changing to offer better performance and there is a high risk that holes that aren't there today get added as well.

    Have the browser identify itself like some other browser. If it looks like something else it might confuse an attacker a bit. Adding a new string with the Preference Name general.useragent.override will do that to some extent; then look up what some phone or other browser uses as its user agent and add that value. This will make pages look odd, but that's because a lot of sites rely on what browser you are identifying yourself as to serve you specific code. The idea here is that an attacker doing the same might end up not using the latest Firefox exploit against you when he thinks it's a Chrome user.

    CSS is something used for layout, and there have been security issues with it before. Firefox has some options in about:config that let you disable some of the (mostly new) things CSS can do; you most likely want to do that if your goal is preventing zero-days.

    Custom fonts also have a history with security. It can be argued that you don't have to worry about this, but I would disable downloadable fonts; I don't think this will affect the look of most pages you visit.
    browser.frames.enabled is also worth maybe disabling. It lets sites include other sites, so while you visit somesite.com it could make sure to load someothersite.com/funnyfish.html. It has legitimate uses, but it can also be used for tracking or launching bad code from a third party.

    browser.cache.offline.enable
    browser.cache.memory.enable
    These are things that you most likely won't need to browse around, but they can store added information about you. Suggestion: keep them disabled.

    There is so much more you can do; you can do various things to make SSL a bit more restrictive in what it considers good encryption and change the various sizes allowed. It's too much to go through here and I'm no expert in the area. But I think you have to consider sacrificing some functionality if your goal is a somewhat secure browser. That's usually what you do when you have a server or something: you don't keep this and that function if you can do without it (because holes targeting those functions might have been found by an attacker already).
     
  14. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    // disable short URL keyword guessing: set to false NOTE: default true
    Code:
    browser.fixup.alternate.enabled  false 
    keyword.enabled  false 
    
    NOTE: Do a search on typosquatting (URL hijacking), which is a form of cybersquatting which relies on mistakes
    such as typographical errors made by the user inputting a website address into the browser.
    Firefox also should not be guessing which websites you want to go to when inputting short words into
    the URL address bar.

    Another area you might want to check is social. Open about:config and type in social (Search bar)
    Pale Moon by default has social.enabled set to false. (disabled) Firefox may be set to true.
    You can change the other (social.) preferences here to as well if you want.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Attached is a list of 375 preferences, in alphabetical order, with no suggested values. I think the vast majority of these would be of interest to someone wanting to lock down their browser. Some preferences on the list are loosely coupled to the subject. Some are on the list for other reasons.

    A tiny number of the preferences won't be found in about:config because they aren't set by default or checked into release yet. These aren't marked.

    A small number of the preferences may no longer be applicable. The ones I know to question are marked with // Defunct?

    You can search for preferences via https://mxr.mozilla.org/. Most would want to search the release branch. Nearly all preferences will show up as complete strings. However, sometimes the code uses a separate prefix and you'll have to search for fragments of the preference string. You can also search for info at bugzilla.mozilla.org, support.mozilla.org, etc.

    It is hard to keep up with FF changes. I doubt the list is perfect.

    Worth considering: autoconfig and user.js

    Edit: Added a few more
     

    Last edited: Sep 14, 2014
  16. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    That's quite the list. I noticed some users are using 'localhost' as the string value in preferences
    such as:
    browser.geolocation.warning.infoURL
    browser.contentHandlers.types...
    gecko.handlerService.schemes...

    Some more about:config tweaks to consider.

    Code:
    breakpad.reportURL  // default=https://crash-stats.mozilla.com/report/index/ 
    Disable Firefox crash error reporting to Mozilla by deleting URL string (leave blank)
    Code:
    browser.urlbar.trimURL; false
    Don't trim "http://" prefix in location bar - you want all parts of url to show.
    Code:
    browser.send_pings.require_same_host; true
    Disable sending pings to 3rd party content hosts.
     
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    That was my attempt at a "short list" too :( Already found a few more I know I'll want to look at. BTW, I'm pretty sure dom.network.enabled -> dom.netinfo.enabled.
     
  18. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Please Note: There are some about:config preferences that are enabled by default in Firefox, but are
    disabled by default in Pale Moon. Thought I would try to compare both browsers preferences.
    IMO both browsers can be "locked down" tighter than their default settings.
    TOR browser does change a lot of these settings and probably JonDonym as well.

    Also some preferences may not exist. (different developers and things keep changing in builds)
    Some may need to be created, but be aware not all may work because of coding changes.
    As TheWindBringeth noted some are to question. // defunct.
     
    Last edited: Sep 15, 2014
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Ah, I forget you guys are talking about Pale Moon. You currently have these?

    // Network API
    pref("dom.network.enabled", true);
    pref("dom.network.metered", false);

    Mozilla Release has these:

    #if defined(MOZ_WIDGET_GONK) || defined(MOZ_WIDGET_ANDROID)
    // Network Information API
    pref("dom.netinfo.enabled", true);
    #else
    pref("dom.netinfo.enabled", false);
    #endif

    https://bugzilla.mozilla.org/show_bug.cgi?id=960426
     
    Last edited: Sep 15, 2014
  20. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    FWIW: http://cat-in-136.github.io/
    Note: Linux x86_64
     
  21. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    RP simply toggles the pref.
    AFAIK, the browser refrains from performing DNSprefetch, period (including https scheme), while network.dns.disablePrefetch=true
     
  22. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Thanks for the link. Lots of info to digest.

    Currently examining TorBrowser - Firefox 24.8.0ESR (about:config) TBB version 3.6.5 (Windows)
    Looking at preferences in the browser, dom, extensions, media, network, privacy and
    security sections. Have used Linux also.
     
  23. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Thanks for info.
     
  24. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    How are you carrying out the comparison? Manually? With the help of a tool?

    That diffs website got me thinking. Perhaps one way to approach the problem would be to write an extension which a) works with Firefox and derivatives, b) dumps all preferences and values to a file. Then that extension, or another tool, could be used to compare/review preference dump files. I think such a tool could make it much easier to look for (run-time) preference differences in two Firefox versions, Firefox vs PaleMoon, Firefox vs TorBrowser, whatever. Perhaps export prefs from N browsers and programmatically create one column-sortable table showing the results for each.

    I'm going to pursue this at some point in the future and see if it works. Thought I'd mention it in case someone wants to look for an existing extension that does this and/or wants to pursue it themselves.
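    One way to do the comparison TheWindBringeth describes, and to check a profile against the list from the top of the thread, is shown below as an added example; it is not TheWindBringeth's tool, not an extension, and not Mozilla code. It reads the user_pref("name", value); line format that prefs.js and user.js share (and the pref(...) form used in the all.js excerpt quoted earlier), renders a desired hardening set back out as user.js, and reports which prefs in a dump match, differ, or are simply absent (absent means the build default, which the file cannot show you). The HARDENED set collects the prefs posted in the thread; the prefs.js fragment is constructed, not from a real profile.

```javascript
// Parse prefs.js / user.js, render user.js, and audit a profile against a
// desired set. Added example, not Mozilla or forum-member code.

// Desired values gathered from the thread; extend as you see fit.
const HARDENED = {
  "browser.cache.disk.enable": false,
  "browser.cache.memory.enable": false,
  "browser.send_pings": false,
  "geo.enabled": false,
  "network.dns.disableIPv6": true,
  "network.http.sendRefererHeader": 0,
  "network.dns.disablePrefetch": true,
  "network.prefetch-next": false,
};

// Matches user_pref("name", value); and pref("name", value);. Names may contain
// escaped quotes/backslashes; the value is everything up to the closing ");".
const PREF_LINE = /^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*$/;

function parseValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return Number(raw);
  if (raw.startsWith('"') && raw.endsWith('"')) return JSON.parse(raw); // string with \" and \\ escapes
  throw new Error(`unsupported pref value: ${raw}`);
}

// Returns Map<name, value>. Comment lines, the "Do not edit" banner, and
// #if/#else/#endif lines from all.js are skipped rather than rejected.
function parsePrefs(text) {
  const out = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    out.set(JSON.parse(`"${m[1]}"`), parseValue(m[2]));
  }
  return out;
}

// Render a pref object as a user.js file (sorted, one user_pref per line).
function renderUserJs(prefs) {
  return Object.entries(prefs)
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([k, v]) => `user_pref(${JSON.stringify(k)}, ${JSON.stringify(v)});`)
    .join("\n") + "\n";
}

// Compare a parsed dump with the desired set.
function audit(desired, actual) {
  const report = { ok: [], wrong: [], unset: [] };
  for (const [name, want] of Object.entries(desired)) {
    if (!actual.has(name)) report.unset.push(name);            // at build default, unknown here
    else if (actual.get(name) === want) report.ok.push(name);
    else report.wrong.push({ name, want, have: actual.get(name) });
  }
  return report;
}

// Constructed prefs.js fragment (not copied from any real profile).
const SAMPLE_PREFS_JS = `// Mozilla User Preferences
/* Do not edit this file.
 * If you make changes to this file while the application is running,
 * the changes will be overwritten when the application exits.
 */
user_pref("browser.cache.disk.enable", false);
user_pref("browser.send_pings", false);
user_pref("geo.enabled", true);
user_pref("network.http.sendRefererHeader", 1);
user_pref("general.useragent.override", "Mozilla/5.0 (\\"test\\")");
user_pref("network.dns.disablePrefetch", true);
`;

function demoAudit() {
  return audit(HARDENED, parsePrefs(SAMPLE_PREFS_JS));
}
```

    To compare two browsers the way the post suggests, parse each one's prefs.js with parsePrefs and diff the two Maps; because prefs.js only records values that differ from the build's own defaults, the "unset" bucket is exactly the set where Firefox, Pale Moon and Tor Browser can silently disagree, which is what the all.js excerpt for dom.netinfo.enabled earlier in the thread shows.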
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Perhaps NirSoft SysExporter used on about:config window would be helpful.
     