Hardening Firefox for Privacy and Security

The Web can be a hostile place, full of deceptive and malicious sites trying to install software on your computer or steal your personal information. However, you have a friend on your side: your user agent (also called your web browser).

This talk will examine some of the hidden or advanced settings and extensions that Firefox offers to users who are concerned about their security and privacy. While we at Mozilla strive to bring these features to all of our users, the reality is that it's sometimes challenging to balance the need for maximum web compatibility and standards compliance with the desire to phase out harmful practices. With a little bit of context on the benefits and risks that some of these features provide, you should be able to make informed decisions and tweak your favorite user agent.

https://osem.seagl.org/conference/seagl2016/program/proposal/188

Francois Marier

November 11, 2016
Transcript

  1. Hardening Firefox for Privacy & Security François Marier <francois@mozilla.com>

  2. None
  3. None
  4. None
  5. enable disable restrict

  6. enable disable restrict

  7. None
  8. eliminating all fingerprinting

  10. eliminating all traffic to Mozilla

  11. eliminating all traffic to Mozilla support.mozilla.org/kb/how-stop-firefox-making-automatic-connections

  12. eliminating all traffic to Mozilla • auto-updates

  13. eliminating all traffic to Mozilla • auto-updates • add-on blocklist

  14. eliminating all traffic to Mozilla • telemetry

  15. eliminating all traffic to Mozilla • telemetry wiki.mozilla.org/Firefox/Data_Collection

  16. disabling features with big perf impact • prefetching • speculative connections

  17. disabling useful features • WebGL • WebRTC • DOM Storage

  18. disabling features that: • are disabled by default • prompt you first

  19. features to enable

  20. None
  21. privacy.trackingprotection.enabled

  22. None
  23. feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox

  24. Do Not Track

  25. privacy.donottrackheader.enabled

  27. features to disable

  28. None
  29. media.eme.enabled

  30. None
  31. None
  32. None
  33. None
  34. device.sensors.enabled

  35. None
  36. BatteryManager { charging: false, chargingTime: Infinity, dischargingTime: 8940, level: 0.59,
      onchargingchange: null, onchargingtimechange: null, ondischargingtimechange: null, onlevelchange: null }

  39. dom.battery.enabled

  40. dom.battery.enabled (removed in Firefox 52)

  41. www.fsf.org www.eff.org

  42. www.fsf.org www.eff.org www.netflix.com store.steampowered.com

  43. layout.css.visited_links_enabled

  44. None
  45. Simple Service Discovery Protocol

  46. browser.casting.enabled

  47. None
  48. pdfjs.disabled

  49. network information

  50. navigator.connection.type;

  51. navigator.connection.type; bluetooth, cellular, ethernet, none, wifi, wimax, other, mixed, unknown

  52. navigator.connection.type; bluetooth, cellular, ethernet, none, wifi, wimax, other, mixed, unknown
      navigator.connection.downlinkMax;

  53. dom.netinfo.enabled

  54. media.video_stats.enabled

  55. webgl.enable-debug-renderer-info

  56. dom.enable_performance
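
Added example, not from the talk or from Firefox's own code: a probe that reports which of the APIs listed under "features to disable" are still reachable from web content, so you can verify that a pref actually took effect. Run probeExposedSurface(window) in the Firefox web console before and after editing the prefs. The mapping from each pref to the observable API, and the constructed stand-in window used for the offline self-check, are this example's assumptions.

```javascript
// Added example: which fingerprinting-relevant APIs can a page still reach?
// Each entry pairs a pref from the deck with the JavaScript surface that
// pref gates (mapping is this example's assumption, checked against Firefox
// of the period, not something the deck itself states).
const SURFACE_CHECKS = [
  {
    pref: 'dom.battery.enabled',
    probe: (w) => typeof w.navigator.getBattery === 'function',
  },
  {
    pref: 'dom.netinfo.enabled',
    probe: (w) => w.navigator.connection !== undefined,
  },
  {
    pref: 'dom.enable_performance',
    probe: (w) => w.performance !== undefined && typeof w.performance.now === 'function',
  },
  {
    pref: 'webgl.enable-debug-renderer-info',
    // This extension is what exposes UNMASKED_VENDOR_WEBGL / UNMASKED_RENDERER_WEBGL (GPU model).
    probe: (w) => {
      const gl = w.document.createElement('canvas').getContext('webgl');
      return gl !== null && gl.getExtension('WEBGL_debug_renderer_info') !== null;
    },
  },
];

// `win` is the real window, or any window-like stand-in (see UNHARDENED_WINDOW).
function probeExposedSurface(win) {
  const report = { exposed: [], hidden: [] };
  for (const check of SURFACE_CHECKS) {
    let reachable = false;
    try {
      reachable = Boolean(check.probe(win));
    } catch (e) {
      reachable = false; // a missing interface throws on access; that counts as hidden
    }
    (reachable ? report.exposed : report.hidden).push(check.pref);
  }
  return report;
}

// Constructed stand-in for a browser where nothing has been disabled yet,
// so the probe can be exercised outside a browser.
const UNHARDENED_WINDOW = {
  navigator: {
    getBattery() { return Promise.resolve({ charging: false, level: 0.59 }); },
    connection: { type: 'wifi' },
  },
  performance: { now() { return 1234.5; } },
  document: {
    createElement() {
      return { getContext() { return { getExtension() { return {}; } }; } };
    },
  },
};

if (typeof window !== 'undefined') {
  console.log(probeExposedSurface(window)); // in the Firefox console
}
```

A pref that was set correctly moves its entry from `exposed` to `hidden`; an entry that stays in `exposed` after a restart usually means a typo in user.js, since unknown pref names are silently ignored.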

  57. features to restrict

  58. None
  59. network.cookie.cookieBehavior = 0
      network.cookie.thirdparty.sessionOnly = true
      privacy.clearOnShutdown.cookies = false
      network.cookie.lifetimePolicy = 3
      network.cookie.lifetime.days = 5
      feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox
  60. None
  61. network.http.referer.XOriginPolicy = 1

  62. network.http.referer.XOriginPolicy = 1
      network.http.referer.XOriginTrimmingPolicy = 2 (new in 52)
      feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox

  63. None
  64. None
  65. None
  66. None
  67. pre-downloaded lists of URL hash prefixes

  68. feeding.cloud.geek.nz/

  69. 5b31c2702efc7c81e4d197cd80113396 54da10d3315636cccbb536e868ff82a6

  71. 5b31c2702efc7c81e4d197cd80113396 54da10d3315636cccbb536e868ff82a6 feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

  72. None
  73. .exe .com .bat .apk .dmg .pl .py .sh .deb .rpm

  74. .exe .com .bat .apk .dmg .pl .py .sh .deb .rpm
      toolkit/components/downloads/ApplicationReputation.cpp

  75. filename and size, URLs, hash of contents, locale
      toolkit/components/downloads/ApplicationReputation.cpp

  76. None
  77. browser.safebrowsing.downloads.remote.enabled feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

  78. None
  79. None
  80. None
  81. revealing non-VPN IP address • leaking internal IP address

  82. revealing non-VPN IP address • leaking internal IP address (fixed in 51)

  83. 50 or earlier: media.peerconnection.ice.default_address_only = true

  84. 50 or earlier: media.peerconnection.ice.default_address_only = true
      51 or later: media.peerconnection.ice.no_host = true
  85. other things to keep in mind

  86. p@ssW0rd5

  87. None
  88. None
  89. None
  90. None
  91. None
  92. None
  93. None
  94. None
  95. None
  96. user_pref("privacy.trackingprotection.enabled", true);
      user_pref("privacy.donottrackheader.enabled", true);
      user_pref("device.sensors.enabled", false);
      user_pref("media.eme.enabled", false);
      user_pref("pdfjs.disabled", true);
      user_pref("browser.casting.enabled", false);
      user_pref("layout.css.visited_links_enabled", false);
      user_pref("dom.battery.enabled", false); // Fx < 52
      user_pref("dom.netinfo.enabled", false);
      user_pref("media.video_stats.enabled", false);
      user_pref("dom.enable_performance", false);
      user_pref("webgl.enable-debug-renderer-info", false);
      user_pref("media.peerconnection.ice.default_address_only", true); // Fx < 51
      user_pref("media.peerconnection.ice.no_host", true); // Fx >= 51
      user_pref("security.pki.sha1_enforcement_level", 2); // Fx < 52
      user_pref("network.http.referer.XOriginPolicy", 1);
      user_pref("privacy.clearOnShutdown.cookies", false);
      user_pref("network.cookie.cookieBehavior", 0);
      user_pref("network.cookie.lifetimePolicy", 3);
      user_pref("network.cookie.lifetime.days", 5);
      user_pref("network.cookie.thirdparty.sessionOnly", true);
      user_pref("browser.urlbar.trimURLs", false);

      ? @fmarier
  97. Photo Credits:
      shooting star: https://www.flickr.com/photos/funcrush/9496927983/
      yellow triangle: https://www.flickr.com/photos/tillwe/2974932670/
      jail cell: https://www.flickr.com/photos/mikecogh/5997920696
      speedbump: https://www.flickr.com/photos/jputnam/9078451876/
      cookie: https://www.flickr.com/photos/amagill/34754258/
      chromecast: https://www.flickr.com/photos/medithit/10165535814/