Security tweaks for Firefox

hoodlum
MuscleHead
Jan 3, 2012
I can't take credit for this; it came from AnonA9, but it contained some very useful things I wasn't aware of, too good not to post. There is no reason people shouldn't enact these settings... These affect you even if you're using the TOR bundle, which has some potentially serious data leaks.

########## UPDATED ########## READ ########## INFO ########## BELOW ##########

>>> READ!!! THESE SETTINGS ARE NOT CONFIGURED IN TOR BY DEFAULT! :

Cookies are Enabled
Referer is not Hidden
Javascript is Enabled
Tab History is Enabled
Local Storage is Enabled
Fonts are Enabled

browser.cache.disk.capacity
browser.cache.offline.capacity
network.http.sendRefererHeader
network.http.referer.XOriginPolicy
network.http.referer.spoofSource
network.http.referer.trimmingPolicy
dom.storage.enabled
webgl.disabled
browser.sessionhistory.max_total_viewers
breakpad.reportURL
browser.send_pings.require_same_host
beacon.enable
dom.event.clipboardevents.enabled

security.ssl3.ecdhe_ecdsa_rc4_128_sha
security.ssl3.ecdhe_rsa_rc4_128_sha
security.ssl3.rsa_rc4_128_md5
security.ssl3.rsa_rc4_128_sha

Here's the Screenshot I took showing the Tor Default Settings > http://tinyurl.com/TorDefault
Here's the Screenshot I took showing Tor after my Security Tweaks > http://tinyurl.com/TorAnonA9

----------------------------------------------------------------

- About:Config -

Your browser/computer might be leaking DNS queries; you can save some kilobytes of transfer by disabling DNS prefetching and link prefetching (network.dns.disablePrefetch - True). One very important option is to disable Canvas support > https://addons.mozilla.org/en-US/firefox/addon/canvasblocker

CanvasBlocker | About:Addons > CanvasBlocker Options > Block Mode: Block Everything

----------------------------------------------------------------

Recommended User Agent:
New String > general.useragent.override > Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0

----------------------------------------------------------------

WebRTC can be used to check your local IP address, so for privacy and security reasons you might want to disable it: media.peerconnection.enabled (False)

----------------------------------------------------------------

There is a built-in module in Firefox that improves your security, but steals your privacy and anonymity. The module reports what you download to Google servers to check if the file is infected with any kind of malware.

browser.safebrowsing.appRepURL (Blank)
browser.safebrowsing.downloads.enabled (False)
browser.safebrowsing.enabled (False)
browser.safebrowsing.gethashURL (Blank)
browser.safebrowsing.malware.enabled (False)
browser.safebrowsing.malware.reportURL (Blank)
browser.safebrowsing.reportErrorURL (Blank)
browser.safebrowsing.reportGenericURL (Blank)
browser.safebrowsing.reportMalwareErrorURL (Blank)
browser.safebrowsing.reportMalwareURL (Blank)
browser.safebrowsing.reportPhishURL (Blank)
browser.safebrowsing.reportURL (Blank)
browser.safebrowsing.updateURL (Blank)
services.sync.prefs.sync.browser.safebrowsing.enabled (False)
services.sync.prefs.sync.browser.safebrowsing.malware.enabled (False)

As for Google’s services in Firefox > Set the value of geo.wifi.uri to http://127.0.0.1 (or blank). Firefox uses Google Location Service to determine your physical location, disable it by changing geo.enabled to false.

----------------------------------------------------------------

You shouldn't save any data for caching on your drive, it can be easily recovered even after a long time.

browser.cache.disk.enable (False)
browser.cache.offline.enable (False)
browser.cache.disk.capacity (0)
browser.cache.offline.capacity (0)

----------------------------------------------------------------

- Hiding your referrers -

network.http.sendRefererHeader | Determines when to send the Referer HTTP header.

0: Never send the referring URL
1: Send only on clicked links
2 (default): Send for links and images

^ Set it to 1, or to 0 ^ (0 is the better option but may break a few websites)

----------------------------------------------------------------

network.http.referer.XOriginPolicy

0 (default): Always send
1: Send if base domains match
2: Send if hosts match

^ Set it to 1 ^

----------------------------------------------------------------

network.http.referer.spoofSource:

false (default): real referer
true: spoof referer (use target URI as referer)

^ Set it to true ^

----------------------------------------------------------------

network.http.referer.trimmingPolicy:

0 (default): send full URI
1: scheme+host+port+path
2: scheme+host+port

^ Set it to 2 ^

################ Updated Here ################

Add-ons I use:

HTTPS Everywhere - HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure. Download: https://www.eff.org/https-everywhere

NoScript Security Suite - The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks. Download: https://addons.mozilla.org/en-US/firefox/addon/noscript

SSleuth - How strong is your HTTPS connection? SSleuth ranks an established SSL/TLS connection and gives a brief summary of the cipher suite, certificate and other SSL/TLS parameters. Download: https://addons.mozilla.org/en-US/firefox/addon/ssleuth

Cookie Controller - Buttons for managing site cookie permissions, switching global cookie permissions on and off, browsing cookies, and removing cookies. The same functions are included for local and session storage. Download: https://addons.mozilla.org/en-US/firefox/addon/cookie-controller

CanvasBlocker - Blocks the JS API for modifying <canvas> to prevent canvas fingerprinting. Download: https://addons.mozilla.org/en-US/firefox/addon/canvasblocker

################ Updated Here ################

DOM storage has become a much bigger threat to our privacy than the dreaded cookies were. Unfortunately this technology is certainly set to leave cookies in the dust, so changing the default value of this configuration to false is strongly recommended for security reasons. However, please note that it may cause a few web sites not to work properly at the same time.

dom.storage.enabled (False)

----------------------------------------------------------------

By setting network.prefetch-next to false, we are controlling the following:

Link prefetching is when a web page hints to the browser that certain pages are likely to be visited, so the browser downloads them immediately so they can be displayed at once when the user requests them.

network.prefetch-next (False)

----------------------------------------------------------------

webgl.disabled (True)

network.http.pipelining (True)
network.http.pipelining.ssl (True)
network.http.proxy.pipelining (True)
network.http.pipelining.maxrequests (10)

devtools.cache.disabled (True)

----------------------------------------------------------------

browser.sessionstore.privacy_level

0 = Store extra session data for any site.
1 = Store extra session data for unencrypted
2 = Never store extra session data.

----------------------------------------------------------------

################ Updated Here ################

Reduce the amount of RAM Firefox uses for its cache feature:
browser.sessionhistory.max_total_viewers (0)

Reduce RAM usage to 10MB when Firefox is minimized:
New -> Boolean | config.trim_on_minimize | True

Don't cache HTTP or HTTPS files:
network.http.use-cache (False)

Disable crash reporting to Mozilla:
breakpad.reportURL (Blank)

Disable sending pings to 3rd party content hosts:
browser.send_pings.require_same_host (True)

Disable navigator.sendBeacon:
beacon.enable (False)

Disable letting websites know if you have info from them in your clipboard:
dom.event.clipboardevents.enabled (False)

----------------------------------------------------------------

################ Updated Here ################

Disable the least secure encryption protocols:

(Search RC4 in About:Config)

security.ssl3.ecdhe_ecdsa_rc4_128_sha (False)
security.ssl3.ecdhe_rsa_rc4_128_sha (False)
security.ssl3.rsa_rc4_128_md5 (False)
security.ssl3.rsa_rc4_128_sha (False)

Setting the above modified values disables RC4 in Firefox. RC4 is the least secure encryption protocol, and even Microsoft recommends disabling it. Until recently, this was not possible without YouTube breaking.

################ Updated Here ################

Google Disconnect - Stop Google from tracking the webpages you go to. Download: https://addons.mozilla.org/en-US/firefox/addon/gdc

Facebook Disconnect - Stop Facebook from tracking the webpages you go to. Download: https://addons.mozilla.org/en-US/firefox/addon/fbdc/

Twitter Disconnect - Stop Twitter from tracking the webpages you go to. Download: https://addons.mozilla.org/en-US/firefox/addon/twdc/
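To see what the four referer prefs in the post above actually change, here is an added model (my own code, not from the post and not Firefox's implementation) that computes the Referer value a navigation would carry under a given combination of sendRefererHeader, XOriginPolicy, spoofSource and trimmingPolicy, following the option descriptions given above. The base-domain helper is a deliberate simplification (last two labels, no public suffix list).

```python
from urllib.parse import urlsplit, urlunsplit

# The post's recommendation versus the Firefox defaults it lists
RECOMMENDED = {"send": 1, "xorigin": 1, "spoof": True, "trimming": 2}
FIREFOX_DEFAULT = {"send": 2, "xorigin": 0, "spoof": False, "trimming": 0}


def _base_domain(host):
    # Assumption: "base domain" = last two labels. Firefox uses the public
    # suffix list, so co.uk-style hosts are not handled by this toy helper.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _trim(url, policy):
    # trimmingPolicy 0: full URI, 1: scheme+host+port+path, 2: scheme+host+port
    s = urlsplit(url)
    if policy == 0:
        return url
    if policy == 1:
        return urlunsplit((s.scheme, s.netloc, s.path, "", ""))
    return urlunsplit((s.scheme, s.netloc, "/", "", ""))


def referer_header(source, target, *, send=2, xorigin=0, spoof=False,
                   trimming=0, is_click=True):
    """Referer value sent when going from `source` to `target`, or None.

    `is_click` distinguishes a clicked link from an embedded load such as an
    image or tracking pixel (sendRefererHeader=1 sends only for clicks).
    """
    if send == 0 or (send == 1 and not is_click):
        return None
    src, dst = urlsplit(source), urlsplit(target)
    if xorigin == 2 and src.hostname != dst.hostname:
        return None
    if xorigin == 1 and _base_domain(src.hostname) != _base_domain(dst.hostname):
        return None
    # spoofSource=true: the target URI itself is sent instead of the real source
    return _trim(target if spoof else source, trimming)


if __name__ == "__main__":
    # Constructed URLs: a cart page with a token in the query, loading a third-party pixel
    page = "https://shop.example.com/cart?id=42&token=s3cr3t"
    pixel = "https://ads.tracker.net/pixel.gif"
    print("default:", referer_header(page, pixel, is_click=False, **FIREFOX_DEFAULT))
    print("tweaked:", referer_header(page, pixel, is_click=False, **RECOMMENDED))
```

With the defaults the tracker receives the full cart URL including the token; with the post's values the image load sends nothing, and a same-site click sends only the scheme and host of the target.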
 
hoodlum
MuscleHead
Jan 3, 2012
Here is a guide from Gh0ster, I use most of this one but in conjunction with the above

---

Secure Firefox Configuration
===============================

/Download Firefox: https://www.mozilla.org/en-US/

/Download other versions of Firefox [Nightly, Aurora, Firefox Beta] from here:

https://www.mozilla.org/en-US/firefox/channel/

/Things marked with "**" are essential for security and privacy.




.::EXTENSIONS::.
==================


.::privacy::.
==================

-> **[NoScript]
Download: https://addons.mozilla.org/en-us/firefox/addon/noscript/
Features: Protects you from XSS and clickjacking attacks, also enables click to load Flash and Java.

-> **[HTTPS-Everywhere]
Download: https://www.eff.org/https-everywhere
Features: Forces HTTPS whenever possible.

-> **[AdBlock Edge]
Download: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge
Features: Blocks intrusive and non-intrusive ads on all websites. It also does not have the "Acceptable Ads" feature.

-> **[Random Agent Spoofer]
Download: https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer
Features: Provides many user agent spoofing options. Over 100 different browsers, has the option to send spoofed headers and much more.

-> **[RequestPolicy]
Download: https://addons.mozilla.org/en-us/firefox/addon/requestpolicy/
Features: Protects you against CSRF attacks and allows you to be in control of all cross-site requests.

-> **[Cookie Controller]
Download: https://addons.mozilla.org/en-US/firefox/addon/cookie-controller/
Features: Browse, manage and remove cookies from sites.

-> **[FoxyProxy Standard]
Download: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
Features: Advanced proxy management tool for Firefox, way better than the one included with Firefox.

-> **[Disconnect]
Download: https://addons.mozilla.org/en-US/firefox/addon/disconnect
Features: Stops tracking by about 2000 third party websites, makes loading pages about 27% faster.

-> **[Privacy Badger]
Download: https://addons.mozilla.org/en-US/firefox/addon/privacy-badger-firefox
Features: Protects privacy by blocking spying ads and invisible trackers.


.::Tools::.
==================

-> [HackBar]
Download: https://addons.mozilla.org/en-US/firefox/addon/hackbar
Features: A toolbar to help you in testing SQL injections, XSS holes and site security.

-> [FireBug]
Download: https://addons.mozilla.org/en-US/firefox/addon/firebug
Features: Allows you to edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.

-> [FxIF]
Download: https://addons.mozilla.org/en-US/firefox/addon/fxif
Features: Allows you to view EXIF data when you right click on an image.

-> [iMacros]
Download: https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox
Features: Allows you to automate Firefox with macros. Anything you do on your browser can be automated.

-> [Web Developer]
Download: https://addons.mozilla.org/en-US/firefox/addon/web-developer
Features: A toolbar that adds various web developer tools to the browser.

-> [Live HTTP Headers]
Download: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers
Features: Allows you to view the HTTP headers of a page while browsing.

-> [EPUB Reader]
Download: https://addons.mozilla.org/en-US/firefox/addon/epubreader
Features: Allows you to open and read .epub files within your browser.

-> [DOM Inspector]
Download: https://addons.mozilla.org/en-US/firefox/addon/dom-inspector-6622
Features: Inspect/edit live DOM of any webpage or XUL application.

-> [ColorZilla]
Download: https://addons.mozilla.org/en-us/firefox/addon/colorzilla
Features: Advanced eyedropper, color picker, gradient generator and DOM viewer.

-> **[Modify Headers]
Download: https://addons.mozilla.org/En-us/firefox/addon/modify-headers
Features: Add/Modify/Filter HTTP headers. Useful for mobile development, HTTP testing and privacy.

-> [FlagFox]
Download: https://addons.mozilla.org/en-US/firefox/addon/flagfox
Features: Displays a country flag depicting the location of the current website's server and provides a multitude of tools such as site safety checks, whois, translation, similar sites, validation, URL shortening, and more.

-> [Video Download Helper]
Download: https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper
Features: Downloads videos and audio from YouTube and other similar sites.

-> [Wappalyzer]
Download: https://addons.mozilla.org/en-us/firefox/addon/wappalyzer
Features: A browser extension that identifies software on websites.

-> **[CryptoCat]
Download: https://addons.mozilla.org/en-US/firefox/addon/cryptocat
Features: Instant encrypted conversations, open source, private, safer communications. Uses the OTR encrypted messaging protocol.

-> [SSleuth]
Download: https://addons.mozilla.org/en-US/firefox/addon/ssleuth
Features: SSleuth ranks an established SSL/TLS connection and gives a brief summary of the cipher suite, certificate and other SSL/TLS parameters.


.::Customizability::.
======================

-> [Stylish]
Download: https://addons.mozilla.org/en-US/firefox/addon/stylish
Features: Customize pages with CSS styles.

-> [GreaseMonkey]
Download: https://addons.mozilla.org/en-US/firefox/addon/greasemonkey
Features: Customize pages with JS scripts.




.::ABOUT:CONFIG SETUP::.
=========================

You can access these configurations by typing in "about:config" in the URL bar, click .

-> Turn off the new tab page, and makes it about:blank:
browser.newtab.url => about:blank

-> **Turn off Geolocation:
geo.enabled => false
geo.wifi.uri => 127.0.0.1

-> **Override the useragent to most common useragent [Not needed with UA Switcher]:
New > string: general.useragent.override =>
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

-> Force installation of non-updated add-ons:
New > boolean: extensions.checkCompatibility.[version #] => false

-> **Disable DNS prefetching:
network.prefetch-next => false
network.dns.disablePrefetch => true
webgl.disabled => true
devtools.cache.disabled => true
browser.sessionstore.privacy_level => 2

-> **Disable referer headers:
network.http.sendRefererHeader => 0
network.http.sendSecureXSiteReferrer => false
network.http.referer.XOriginPolicy => 1
network.http.referer.spoofSource => true
network.http.referer.trimmingPolicy => 2

-> **Enable HTTP pipelining regularly, on SSL pages, and on proxies, respectively:
network.http.pipelining => true
network.http.pipelining.ssl => true
network.http.proxy.pipelining => true
network.http.pipelining.maxrequests => 10

-> View page source in your favorite editor:
view_source.editor.external => true
view_source.editor.path => X:\EnterPath\To\Program\Here

-> **Prevent child windows/tabs from spawning:
dom.disable_window_open_feature.resizable => false

-> **Disable insecure RC4 encryption protocol:
security.ssl3.ecdhe_ecdsa_rc4_128_sha => false
security.ssl3.ecdhe_rsa_rc4_128_sha => false
security.ssl3.rsa_rc4_128_md5 => false
security.ssl3.rsa_rc4_128_sha => false

-> Increase the amount of connections/requests Firefox will make:
network.http.pipelining.maxrequests => 64
network.http.max-connections => 512
network.http.max-persistent-connections-per-server => 32

-> **Disable Firefox telemetry:
toolkit.telemetry.enabled => false

-> Speed up the security delay when installing add-ons:
security.dialog_enable_delay => 500

-> Disable tab animations:
browser.tabs.animate => false

-> **Allow cookies only from the originating server [Not needed with Cookie Manager]:
network.cookie.cookieBehavior => 1
network.cookie.lifetimePolicy => 2

-> **Reduce RAM usage for Firefox cache feature:
browser.sessionhistory.max_total_viewers => 0

-> Set RAM usage to 10MB when Firefox is minimized:
New => boolean: config.trim_on_minimize => true

-> Reduce page loading delay:
New => integer: nglayout.initialpaint.delay => 0
New => boolean: content.interrupt.parsing => true
New => boolean: content.notify.ontimer => true
New => integer: content.max.tokenizing.time => 100000
New => integer: content.notify.backoffcount => -1
New => integer: content.notify.interval => 100000
New => integer: content.switch.threshold => 2000000

-> Remove submenu slide delay:
New > integer: ui.submenuDelay => 0

-> **Set a "do-not-track" header to tell sites not to track browsing habits:
privacy.donottrackheader.enabled => true
privacy.donottrackheader.value => 1

-> **Disable Google Blacklists and Safebrowsing:
browser.safebrowsing.enabled => false
browser.safebrowsing.malware.enabled => false
browser.safebrowsing.appRepURL => blank
browser.safebrowsing.downloads.enabled => false
browser.safebrowsing.gethashURL => blank
browser.safebrowsing.malware.reportURL => blank
browser.safebrowsing.reportErrorURL => blank
browser.safebrowsing.reportGenericURL => blank
browser.safebrowsing.reportMalwareErrorURL => blank
browser.safebrowsing.reportMalwareURL => blank
browser.safebrowsing.reportPhishURL => blank
browser.safebrowsing.reportURL => blank
browser.safebrowsing.updateURL => blank
services.sync.prefs.sync.browser.safebrowsing.enabled => false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled => false

-> **Disable pings:
browser.send_pings => false
browser.send_pings.require_same_host => true

-> **Disable Firefox health report:
datareporting.healthreport.uploadEnabled => false

-> **Disable DOM storage:
dom.storage.enabled => false

dom.event.clipboardevents.enabled => false

-> Disable suggestions on searchbar:

browser.search.suggest.enabled => false

-> **Disable keywords:
keyword.enabled => false

-> Disable certificates:
browser.ssl_override_behavior => 2

-> **Disable DNS proxy bypass:
network.proxy.socks_remote_dns => true

-> **Disable crash reporting:
breakpad.reportURL => blank
In application.ini in the Firefox folder,
[Crash Reporter]Enabled=1 => [Crash Reporter]Enabled=0

-> **Disable caching on hard drive:
browser.cache.disk.enable => false
browser.cache.offline.enable => false
browser.cache.disk.capacity => 0
browser.cache.offline.capacity => 0

-> **Do not cache HTTP or HTTPS files:
network.http.use-cache => false

-> **Disable navigator.sendBeacon:
beacon.enable => false

-> **Disable WebRTC:
media.peerconnection.enabled => false
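Both posts above hand out long lists of about:config values; a quick way to check a profile against them is to read its prefs.js (or user.js) and diff it against the expected values. The script below is an added example (my own, not from either poster and not a Firefox tool): it parses user_pref lines, reports prefs that are unset or wrong for a subset of the recommendations above, and can emit a user.js that applies them. The sample prefs fragment is constructed, not taken from a real machine.

```python
import re
# Values the two posts above recommend (a subset; extend the dict as needed).
EXPECTED = {
    "network.http.sendRefererHeader": 1,
    "network.http.referer.XOriginPolicy": 1,
    "network.http.referer.spoofSource": True,
    "network.http.referer.trimmingPolicy": 2,
    "dom.storage.enabled": False,
    "webgl.disabled": True,
    "media.peerconnection.enabled": False,
    "geo.enabled": False,
    "security.ssl3.rsa_rc4_128_sha": False,
}
# Matches a prefs.js / user.js line such as: user_pref("geo.enabled", false);
_PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref lines into {name: bool|int|str}; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
    return prefs

def audit(text, expected=EXPECTED):
    """Return {pref: (found, wanted)} for each expected pref that is unset or wrong."""
    prefs = parse_prefs(text)
    findings = {}
    for name, want in expected.items():
        have = prefs.get(name, "<default>")  # unset: Firefox's own default applies
        # compare the type too: in Python 1 == True and 0 == False
        if (type(have), have) != (type(want), want):
            findings[name] = (have, want)
    return findings

def render_user_js(expected=EXPECTED):
    """Emit user.js lines that apply the expected values at Firefox startup."""
    def lit(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        return f'"{v}"' if isinstance(v, str) else str(v)
    return "\n".join(f'user_pref("{k}", {lit(v)});' for k, v in expected.items())

# Constructed sample profile fragment (not captured from a real machine)
SAMPLE_PREFS_JS = """\
user_pref("network.http.sendRefererHeader", 2);
user_pref("network.http.referer.spoofSource", true);
user_pref("dom.storage.enabled", true);
user_pref("media.peerconnection.enabled", false);
user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0");
"""
```

Run `audit(open(path_to_prefs_js).read())` against a real profile to get the list of prefs still at their defaults; note that a pref missing from prefs.js is reported as `<default>` because Firefox only writes values that differ from its built-in defaults.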
 