Hardening Firefox for Privacy and Security

Transcript

1. Hardening Firefox for Privacy & Security François Marier <[email protected]>

2. None
3. None
4. None

5. enable disable restrict

6. enable disable restrict

7. None

8. eliminating all fingerprinting

9. eliminating all fingerprinting

10. eliminating all traffic to Mozilla

11. eliminating all traffic to Mozilla support.mozilla.org/kb/how-stop-firefox-making-automatic-connections

12. eliminating all traffic to Mozilla • auto-updates

13. eliminating all traffic to Mozilla • auto-updates • add-on blocklist

14. eliminating all traffic to Mozilla • telemetry

15. eliminating all traffic to Mozilla • telemetry wiki.mozilla.org/Firefox/Data_Collection

16. disabling features with big perf impact • prefetching • speculative

    connections

17. disabling useful features • WebGL • WebRTC • DOM Storage

18. disabling features that: • disabled by default • prompt you

    first

19. features to enable

20. None

21. privacy.trackingprotection.enabled

22. None

23. feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox

24. Do Not Track

25. privacy.donottrackheader.enabled

26. privacy.donottrackheader.enabled

27. features to disable

28. None

29. media.eme.enabled

30. None
31. None
32. None
33. None

34. device.sensors.enabled

35. None

36. BatteryManagery { charging: false, chargingTime: Infinity, dischargingTime: 8940, level: 0.59,

    onchargingchange: null, onchargingtimechange: null, ondischargingtimechange: null, onlevelchange: null }

37. BatteryManagery { charging: false, chargingTime: Infinity, dischargingTime: 8940, level: 0.59,

    onchargingchange: null, onchargingtimechange: null, ondischargingtimechange: null, onlevelchange: null }

38. BatteryManagery { charging: false, chargingTime: Infinity, dischargingTime: 8940, level: 0.59,

    onchargingchange: null, onchargingtimechange: null, ondischargingtimechange: null, onlevelchange: null }

39. dom.battery.enabled

40. removed in 52 dom.battery.enabled

41. www.fsf.org www.eff.org

42. www.fsf.org www.eff.org www.netflix.com store.steampowered.com

43. layout.css.visited_links_enabled

44. None

45. Simple Service Discovery Protocol

46. browser.casting.enabled

47. None

48. pdfjs.disabled

49. network information

50. navigator.connection.type;

51. navigator.connection.type; bluetooth, cellular, ethernet, none, wifi, wimax, other, mixed, unknown

52. navigator.connection.type; bluetooth, cellular, ethernet, none, wifi, wimax, other, mixed, unknown

    navigator.connection.downlinkMax;

53. dom.netinfo.enabled

54. media.video_stats.enabled

55. webgl.enable-debug-renderer-info

56. dom.enable_performance

57. features to restrict

58. None

59. network.cookie.cookieBehavior = 0 network.cookie.thirdparty.sessionOnly = true privacy.clearOnShutdown.cookies = false network.cookie.lifetimePolicy

    = 3 network.cookie.lifetime.days = 5 feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox
60. None

61. network.http.referer.XoriginPolicy = 1

62. network.http.referer.XoriginPolicy = 1 network.http.referer.XOriginTrimmingPolicy = 2 feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox new in 52

63. None
64. None
65. None
66. None

67. pre-downloaded lists of URL hash prefixes

68. feeding.cloud.geek.nz/

69. 5b31c2702efc7c81e4d197cd80113396 54da10d3315636cccbb536e868ff82a6

70. 5b31c2702efc7c81e4d197cd80113396 54da10d3315636cccbb536e868ff82a6

71. 5b31c2702efc7c81e4d197cd80113396 54da10d3315636cccbb536e868ff82a6 feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

72. None

73. .exe .com .bat .apk .dmg .pl .py .sh .deb .rpm

74. .exe .com .bat .apk .dmg .pl .py .sh .deb .rpm

    toolkit/components/downloads/ApplicationReputation.cpp

75. filename and size URLs hash of contents locale toolkit/components/downloads/ApplicationReputation.cpp

76. None

77. browser.safebrowsing.downloads.remote.enabled feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

78. None
79. None
80. None

81. revealing non-VPN IP address leaking internal IP address

82. revealing non-VPN IP address leaking internal IP address fixed in

    51

83. media.peerconnection.ice.default_address_only = true 50 or earlier:

84. media.peerconnection.ice.no_host = true 51 or later: media.peerconnection.ice.default_address_only = true 50

    or earlier:

85. other things to keep in mind

86. p@ssW0rd5

87. None
88. None
89. None
90. None
91. None
92. None
93. None
94. None
95. None

96. user_pref("privacy.trackingprotection.enabled",true); user_pref("privacy.donottrackheader.enabled", true); user_pref("device.sensors.enabled", false); user_pref("media.eme.enabled", false); user_pref("pdfjs.disabled", true); user_pref("browser.casting.enabled",

    false); user_pref("layout.css.visited_links_enabled", false); user_pref("dom.battery.enabled", false); // Fx < 52 user_pref("dom.netinfo.enabled", false); user_pref("media.video_stats.enabled", false); user_pref("dom.enable_performance", false); user_pref("webgl.enable-debug-renderer-info", false); user_pref("media.peerconnection.ice.default_address_only", true); // Fx < 51 user_pref("media.peerconnection.ice.no_host", true); // Fx >= 51 user_pref("security.pki.sha1_enforcement_level", 2); // Fx < 52 user_pref("network.http.referer.XOriginPolicy", 1); user_pref("privacy.clearOnShutdown.cookies", false); user_pref("network.cookie.cookieBehavior", 0); user_pref("network.cookie.lifetimePolicy", 3); user_pref("network.cookie.lifetime.days", 5); user_pref("network.cookie.thirdparty.sessionOnly", true); user_pref("browser.urlbar.trimURLs", false); ? @fmarier

97. Photo Credits: shooting star: https://www.flickr.com/photos/funcrush/9496927983/ yellow triangle: https://www.flickr.com/photos/tillwe/2974932670/ jail cell:

    https://www.flickr.com/photos/mikecogh/5997920696 speedbump: https://www.flickr.com/photos/jputnam/9078451876/ cookie: https://www.flickr.com/photos/amagill/34754258/ chromecast: https://www.flickr.com/photos/medithit/10165535814/