iceweasel firefox security settings

Tips and Instructional topics. Not for support questions.

Re: iceweasel firefox security settings

Postby nadir » Tue Sep 03, 2013 6:48 am

With this in mind:
https://panopticlick.eff.org/
it seems that the following three things may help you reduce your identifying information

1) general.useragent.override Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
seems clear, user agent

2) capability.policy.default.Navigator.plugins noAccess
if you see a lot of information in fonts (at the panopticlick.eff.org site), try this and start the test again. This could help

3) As soon as you enable scripts you seem to be much easier to identify. It won't help much to disable javascript at panopticlick and enable it while browsing sites which need it. Obviously. If you usually use javascript then it is probably better to test at panopticlick with javascript enabled, to know what you have to deal with.

There might be better ideas. The above might be wrong.
I can't find good tips about the problem. The above is what i could figure out in weeks. Using useragent-plugin makes the problem worse, it seems. Then i found the entry for about:config. Then i realized that fonts is a big problem and found said setting via a search.
It's all a big ****. Giving up the idea of any way to gain privacy might be an idea (or restrict the usage of the Web to a degree which is insane. You can read a lot. You can't post yourself).
I am happy to be corrected. I am also happy to hear about experiences with said problem.
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here

Re: iceweasel firefox security settings

Postby thwak » Tue Sep 03, 2013 7:59 am

More (plenty) reading material available for you at wilderssecurity.com
The site contains 3 subforums dedicated to "privacy" -related issues.

Although related, in my book "security" is a separate consideration from "privacy".
Through the years, I've probably checked out every blessed "privacy" firefox addon to come down the pike.

I recommend:
Ghostery
AdblockPlus (or "AdblockEdge") along with "EasyPrivacy" blocklist subscription
requestPolicy (for occasional, on-demand use in testing)

I do not use, nor recommend NoScript. For me, "throwing the baby out with the bath water" is not a sensible option.
(and continually tweaking per-site to fixor the pages it "breaks" is quite a nuisance)
NoScript's greatest merit (feature) IMO is "surrogate scripts", but Ghostery has also begun to utilize surrogates.

Also (if you're comfortable understanding/editing javascript) consider installing the Scriptish addon
then head over to userscripts.org to find task/problem -specific scripts (use 'em as is, or modify 'em to suit your bent).
Here are a few good, ready-to-use userscripts:
"GoogleFix 8"
"googlePrivacy"
"Google Hit Hider by Domain"
"Resurrect Google Cache + Related Links 1.0"
thwak
 
Posts: 172
Joined: Tue Nov 20, 2012 3:58 am

Re: iceweasel firefox security settings

Postby nadir » Tue Sep 03, 2013 9:17 am

I removed ghostery for several reasons:
It is proprietary.
The way it phones home was considered a security risk by a couple of people
(i didn't fully understand, had to do with switching from dark to clearnet and vice versa).
Both didn't fully convince me, but enough to stop using it
(security and proprietary don't seem to fit well with each other).

NoScript works fine for me. On the few sites where i need scripts i enable them (while i need them and disable them before i leave the site).

I don't know Scriptish (i heard of Greasemonkey, but it was above me). I don't speak javascript.
Anyway it is a good idea, i think (It looks a lot as if i would need to invest way more time in the subject. A pity the Web is like that).
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here

Re: iceweasel firefox security settings

Postby nadir » Tue Sep 03, 2013 9:37 am

I am slightly confused why there is no "firefox security edition" out there. Or a user.js, which you can just copy and paste. This is nothing you can expect anyone to get done in a reasonable time (most things will probably make it rather worse than better, as the user makes errors in those tons of settings which make his browser pretty unique).
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here

Re: iceweasel firefox security settings

Postby nadir » Wed Sep 04, 2013 1:32 pm

Let me try what i am best at: Leave the circle where people speak the speak to avoid revealing how little they know themselves.

Here is how it looks to me:
1) Some people care for privacy, for several reasons, while browsing the web.
1.1 ) They use settings and add-ons
1.2 ) They use darknets like tor
1.3 ) They use other options, say VPN

2) Let's say i make my settings and use a darknet. I think:
In clearnet i am protected by my settings, at least a little bit. In darknet i am protected as far as possible right now.

3) Now comes browser fingerprinting. First of all: it is easy to bork the settings, and be unique. Let's assume you figured it out and your settings are fine. Someone links to a site which needs javascript, you enable it, and your browser is identifiable.

4) Let's assume (we are entering the paranoid world) that big companies work together. They store fingerprints of browsers _and_ share them among each other (to a certain degree). As 75% of the Web is google anyway, there are not many companies which need to share, btw ...

5) The same people monitor darknets. You use any service in darknet which needs javascript, you enable it and log in, have your say. Your browser is identifiable. Your clearnet and darknet identities can be related to each other.


That is what i have come to think.
That might be wrong.
No one seems to be able to (or willing to) speak clear about the problem.
I didn't speak of more leet things, like deep packet inspection. This is really just common sense chat, the way it looks to me (who has no clue whatsoever).
"Don't use javascript!" ? It is the same as saying: "Don't use the web _active_, just use it to read".
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here

Re: iceweasel firefox security settings

Postby nadir » Wed Sep 04, 2013 1:44 pm

What i mean is this:
1) Mr-I-know-it-all: " Use x (or x and y and z) and you are secure" Doesn't help
2) Mr-Win-XP: "All is lost, i don't care" doesn't help
3) Mr-Wannabee: " But this is low latency and the node is redirecting towards.... blah blah blah" doesn't help.
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here

Re: iceweasel firefox security settings

Postby nadir » Thu Sep 05, 2013 5:38 am

The following settings are the best i could get at panopticlick without breaking several sites:
If you run the test: To me it seems obvious that the remaining problem is the system fonts
(Or at least that it is the biggest problem).



add-ons
-------------------------------------------------------------------------
apt-get install xul-ext-adblock-plus
apt-get install xul-ext-noscript

menu -> tools -> addons -> search for cookiemonster, install it
menu -> edits -> preferences -> privacy: use custom setting for history:
enable: do not track
don't remember history
don't remember search form history
don't accept cookies
enable: do not track
clear when iceweasel closes: clear everything (perhaps leave preferences)
now enable cookies by cookiemonster

install https-everywhere https://www.eff.org/https-everywhere


general settings:
----------------------------------------------------------------------------
menu -> edit -> preferences -> security
disable block reported attack sites
disable block reported web forgeries
disable remember passwords
menu -> edit -> preferences -> general
when iceweasel starts show a blank page
set home page to:
http://3g2upl4pq6kufc4m.onion/




searchengines toolbox:
----------------------------------------------------------------------------
replace google with
https://duckduckgo.com/html
or:
https://www.ixquick.com/index.html
remove the searchengines: google, yahoo, bing


about:config
----------------------------------------------------------------------------
bidi.support to 0
browser.xul.error_pages.expert_bad_cert to true
network.prefetch-next to false
network.http.sendRefererHeader to 0
network.proxy.socks_remote_dns to true
right click in about:config, new -> string and
general.useragent.override Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
more useragent:
Variable: Value:

general.useragent.override Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
general.appname.override Netscape
general.appversion.override 5.0 (Windows)
general.oscpu.override Windows NT 6.1
general.platform.override Win32
general.productSub.override 20100101
general.buildID.override 0
general.useragent.vendor [enter variable - but leave value blank]
general.useragent.vendorSub [enter variable - but leave value blank]
intl.accept_languages en-us,en;q=0.5
network.http.accept.default text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
network.http.accept-encoding gzip, deflate


more about:config
---------------------------------
---disable browser cache:
browser.cache.disk.enable:false
browser.cache.disk_cache_ssl:false
browser.cache.offline.enable:false
browser.cache.memory.enable:false
browser.cache.disk.capacity:0
browser.cache.disk.smart_size.enabled:false
browser.cache.disk.smart_size.first_run:false
browser.cache.offline.capacity:0
dom.storage.default_quota:0
dom.storage.enabled:false
dom.indexedDB.enabled:false
dom.battery.enabled:false
---disable history & localization
browser.search.suggest.enabled:false
browser.sessionstore.resume_from_crash:false
geo.enabled:false
---misc other tweaks:
keyword.enabled:false
network.dns.disablePrefetch:true
network.dns.disablePrefetchFromHTTPS:true
dom.disable_window_open_feature.menubar:true
dom.disable_window_open_feature.personalbar:true
dom.disable_window_open_feature.scrollbars:true
dom.disable_window_open_feature.toolbar:true
browser.identity.ssl_domain_display:1
browser.urlbar.autocomplete.enabled:false
browser.urlbar.trimURL:false
privacy.sanitize.sanitizeOnShutdown:true
network.http.sendSecureXSiteReferrer:false
network.http.spdy.enabled:false ---> use http instead of google's spdy
plugins.click_to_play:true ---> also check each drop-down-menu under "preferences"->"content"
security.enable_tls_session_tickets:false ---> disable https-tracking
security.ssl.enable_false_start:true ---> disable https-tracking
extensions.blocklist.enabled:false ---> disable Mozilla's option to block/disable your addons remotely
webgl.disabled:true ---> disable WebGL (http://security.stackexchange.com/quest ... ty-concern)

tor
----------------------------------------------------------------------------
/etc/privoxy/config
# tor, onion and i2p
forward-socks5 / 127.0.0.1:9050 .
forward-socks5 .onion 127.0.0.1:9050 .
forward .i2p localhost:4444

iceweasel -> menu -> edit -> preferences -> advanced -> network -> settings:
manual proxy configuration: host 127.0.0.1 port 8118
use for all protocols (important)
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here
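
Added example, not part of any post in this thread: the thread asks for a user.js that can be copied and pasted, and the list above writes prefs in three spellings ("name:value ---> note", "name to value", "name value"). This sketch converts such a list into user.js lines. The sample input is constructed from lines of the post; inferring the type from the value, and treating general.buildID.override as a string pref, are assumptions.

```python
import json
import re

# Constructed sample in the spellings used in the post above.
SAMPLE = """\
---disable browser cache:
browser.cache.disk.enable:false
browser.cache.disk.capacity:0
network.proxy.socks_remote_dns to true
network.http.spdy.enabled:false ---> use http instead of google's spdy
general.buildID.override 0
general.useragent.vendor [enter variable - but leave value blank]
intl.accept_languages en-us,en;q=0.5
menu -> edit -> preferences -> security
"""

# Dotted pref name, then one of the separators ":", " to " or plain whitespace.
LINE = re.compile(r"^(?P<name>[A-Za-z][\w-]*(?:\.[\w-]+)+)(?::|\s+to\s+|\s+)(?P<value>.*)$")

def parse_prefs(text, force_string=()):
    """Return {pref_name: (typed_value, note)}; a later duplicate replaces an earlier one."""
    prefs = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # headings, menu paths, URLs, shell commands
        value, _, note = m.group("value").partition("--->")
        value, note = value.strip(), note.strip()
        if value.startswith("["):  # "[enter variable - but leave value blank]"
            value = ""
        name = m.group("name")
        if name in force_string:  # string pref whose value looks numeric
            typed = value
        elif value in ("true", "false"):
            typed = value == "true"
        elif re.fullmatch(r"-?\d+", value):
            typed = int(value)
        else:
            typed = value
        prefs[name] = (typed, note)
    return prefs

def to_user_js(prefs):
    """Render parsed prefs as user_pref() lines for a profile's user.js."""
    lines = []
    for name, (typed, note) in prefs.items():
        # json.dumps yields a valid JS literal: true/false, an integer or a quoted string.
        line = "user_pref(%s, %s);" % (json.dumps(name), json.dumps(typed))
        lines.append(line + (" // " + note if note else ""))
    return lines

if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE, force_string={"general.buildID.override"})
    print("\n".join(to_user_js(parsed)))
```

A pref written with the wrong type in user.js does not take the intended effect, so check each generated line against the type about:config shows for that pref.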

Re: iceweasel firefox security settings

Postby thwak » Fri Sep 06, 2013 12:43 am

ghostery is "proprietary" ?

addons are downloaded as *.xpi files
which, by nature, are easily accessible and human-readable, if not outright "open source".
They are zipped archives. You can rename an addon file to .zip and click to open it with unzip.

Rather than "read about it" or take someone else's word for it, I audit the (javascript) code contained within each addon, prior to installing it.
As of my last reading (July 2013) Ghostery is CLEAN. See for yourself ~~ it's a quick, easy, read (only about 980 lines)
When I say "easy read", I mean the code contains comments and I expect it would be comprehensible, even to a "non-programmer".

Unless you OPT IN to participating in "ghostRank", the addon only ever "calls home" in order to check for updates
(which is NEVER, if you have selected "no" for autoupdate)(unless you manually perform an update check)

If you elect to participate in ghostRank (I do not)
the datastream which is sent (via json, in plaintext) amounts to nothing more than
a string of name+data pairs:
advertiserNameID:timesBlocked
thwak
 
Posts: 172
Joined: Tue Nov 20, 2012 3:58 am
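
Added example, not part of any post in this thread: since an .xpi is a zip archive, a first pass over an add-on before reading its code can list every host and network API its files name, which shows where any "calling home" would be implemented. The sample add-on is constructed in memory; its file names and example.invalid hosts are hypothetical.

```python
import io
import re
import zipfile

URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_API = re.compile(r"\b(XMLHttpRequest|WebSocket|nsIXMLHttpRequest|nsIHttpChannel)\b")
TEXT_EXT = (".js", ".jsm", ".json", ".rdf", ".xul", ".html")

def audit_xpi(xpi, prefix=""):
    """Return [(member, line_no, kind, match)] for each host or network API named in the add-on."""
    findings = []
    with zipfile.ZipFile(xpi) as z:
        for info in z.infolist():
            name = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(".jar"):  # older add-ons pack chrome/ into a nested zip
                findings += audit_xpi(io.BytesIO(z.read(info)), name + "!/")
            elif lower.endswith(TEXT_EXT):
                text = z.read(info).decode("utf-8", errors="replace")
                for no, line in enumerate(text.splitlines(), 1):
                    for host in URL.findall(line):
                        findings.append((name, no, "host", host.lower()))
                    for api in NET_API.findall(line):
                        findings.append((name, no, "api", api))
    return findings

def hosts(findings):
    """Distinct hosts named anywhere in the add-on, sorted."""
    return sorted({match for _, _, kind, match in findings if kind == "host"})

def build_sample_xpi():
    """Constructed add-on (hypothetical names and hosts) so the example runs offline."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("content/main.js",
                   "// report blocked counts when the user opted in\n"
                   "var xhr = new XMLHttpRequest();\n"
                   'xhr.open("POST", "http://stats.example.invalid/rank");\n')
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("install.rdf",
                   "<em:updateURL>https://updates.example.invalid/u.rdf</em:updateURL>\n")
        z.writestr("chrome/addon.jar", jar.getvalue())
        z.writestr("chrome/skin/icon.png", b"\x89PNG")
    xpi.seek(0)
    return xpi

if __name__ == "__main__":
    for finding in audit_xpi(build_sample_xpi()):
        print("%s:%d %s %s" % finding)
```

The scan only finds hosts and calls written out literally; a URL assembled at run time will not show up, so the listing tells you which files to read first and does not replace reading them.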

Re: iceweasel firefox security settings

Postby thwak » Fri Sep 06, 2013 2:01 am

why there is no "firefox security edition" out there

I hope that was a typo, and that YOU are not caught up in the sheeple privacy/security "mixed metaphor".
Sheeple are being learnt (the reputed necessity) to trade privacy for security.
In my book, PRIVACY is privacy. Security is... a separate consideration.

I'll agree that SafeBrowsing telemetry and CertAuthority revocation list check/update telemetry
and "Duh, has the googleapis.com -hosted copy of the eternally-static jquery-1.2.1-min.js
changed since my user-agent requested it 12340 milliseconds ago?" telemetry
is a good thing, an arguably necessary thing in terms of security...
...but I'll insist that any telemetry that we can't opt-out of is a bad, BAD thing in terms of privacy.


Referring to a local copy of the firefox 23 source code, "mozilla-release" directory totals 742Mb and contains
78,552 files
5,528 subdirectories

? "open source"
How, in this lifetime, are you (or I) gonna audit that wad of source code ?
and what a wad it is ~~ good luck trying to trace the Nth level deep function call chains.
^----- I'm sayin that's Why #1

Considering that "across billions of users, there are only a handful of different browsers in use"
(popular/widespread browsers, let's not nitpick eh)
the spooks have most likely 'planted' a developer within the core of each of these (relatively few) browser development teams.

^----- I'm saying that's Why #2
To clarify the rationale as to "why" (why not) ~~ I expect that the code has been cleverly wired so that "fixing" a given anti-privacy behavior will break functionality of one, or several, other parts of the code, probably to the extent of rendering the app unusable overall.

am slightly confused why there is no "firefox security edition" out there. Or a user.js, which you can just copy and paste. This is nothing you can expect anyone to get done in a reasonable time (most things will probably make it rather worse than better, as the user makes errors in those tons of settings which make his browser pretty unique).
Sad fact:
In the Debian realm, many of the distro maintainers (mint, ubuntu, and most of the maintainers of "distros" derived from them) are adding insult to injury ~~ shipping installed/preconfigured browsers after tainting the code further (in terms of privacy, and fingerprinting).
Related "sad fact":
fanboi sheeple proclaiming "muh distro's daBomb. even presets duckAndGo as the default search engine for me".

Yeah, hteeteepee://duckAndGo...&partnerID=daBomb

it's true! I read it on da innernet -- duckAndGo is da bestest!1101!
thwak
 
Posts: 172
Joined: Tue Nov 20, 2012 3:58 am

Re: iceweasel firefox security settings

Postby nadir » Fri Sep 06, 2013 2:16 am

ghostery is one search away:
https://addons.mozilla.org/en-US/firefo ... ense/2.9.5
or:
https://www.ghostery.com/terms
" OWNERSHIP OF GHOSTERY AND LIMITED LICENSE TO USE
Ghostery and all other Evidon intellectual property is protected by copyright, trademark, or patent laws, and is owned exclusively by Evidon. Intellectual property, includes, but is not limited to, computer or software code, scripts, design elements, graphics, interactive features, artwork, text communication, and any other content that may be found on or in Ghostery or the Website. All trademarks, service marks and trade names are owned, registered and/or licensed by Evidon. Evidon grants to you a limited worldwide, non-exclusive, royalty-free, revocable, and non-commercial license to: download Ghostery to a computer via a web browser; use Ghostery as herein set forth in the following section; copy and store Ghostery in your web browser cache memory; and print pages from Ghostery for your own personal and non-commercial use. Evidon does not grant you any other rights whatsoever in relation to Ghostery. All other rights are expressly reserved by Evidon. "

Privacy is privacy and security is security.
And without security there is no privacy.
If your LAN is not secure, how on earth would you want to create privacy?
So i herd u liek mudkip?
nadir
 
Posts: 1160
Joined: Wed Mar 09, 2011 4:18 am
Location: here
