
Hardening Firefox for Privacy and Security

The Web can be a hostile place, full of deceptive and malicious sites trying to install software on your computer or steal your personal information. However, you have a friend on your side: your user agent (also called your web browser).

This talk will examine some of the hidden or advanced settings and extensions that Firefox offers to users who are concerned about their security and privacy. While we at Mozilla strive to bring these features to all of our users, the reality is that it's sometimes challenging to balance the need for maximum web compatibility and standards compliance with the desire to phase out harmful practices. With a little bit of context on the benefits and risks that some of these features provide, you should be able to make informed decisions and tweak your favorite user agent.

https://osem.seagl.org/conference/seagl2016/program/proposal/188

Francois Marier

November 11, 2016
Transcript

  1. Hardening Firefox
    for Privacy & Security
    François Marier

  5. enable
    disable
    restrict

  8. eliminating all fingerprinting

  11. eliminating all traffic to Mozilla
    support.mozilla.org/kb/how-stop-firefox-making-automatic-connections

  13. eliminating all traffic to Mozilla
    ● auto-updates
    ● add-on blocklist

  15. eliminating all traffic to Mozilla
    ● telemetry
    wiki.mozilla.org/Firefox/Data_Collection

  16. disabling features with big perf impact
    ● prefetching
    ● speculative connections

  17. disabling useful features
    ● WebGL
    ● WebRTC
    ● DOM Storage

  18. disabling features that:
    ● are disabled by default
    ● prompt you first

  19. features to enable

  21. privacy.trackingprotection.enabled

  23. feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox

  24. Do Not Track

  26. privacy.donottrackheader.enabled

  27. features to disable

  29. media.eme.enabled

  34. device.sensors.enabled

  36. BatteryManager {
    charging: false,
    chargingTime: Infinity,
    dischargingTime: 8940,
    level: 0.59,
    onchargingchange: null,
    onchargingtimechange: null,
    ondischargingtimechange: null,
    onlevelchange: null
    }

  40. dom.battery.enabled
    removed in 52

  42. www.fsf.org
    www.eff.org
    www.netflix.com
    store.steampowered.com

  43. layout.css.visited_links_enabled

  45. Simple Service
    Discovery Protocol

  46. browser.casting.enabled

  48. pdfjs.disabled

  49. network information

  52. navigator.connection.type;
    bluetooth, cellular, ethernet, none,
    wifi, wimax, other, mixed, unknown
    navigator.connection.downlinkMax;

  53. dom.netinfo.enabled

  54. media.video_stats.enabled

  55. webgl.enable-debug-renderer-info

  56. dom.enable_performance
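
The prefs on the preceding slides (dom.battery.enabled, dom.netinfo.enabled, webgl.enable-debug-renderer-info, dom.enable_performance) each remove one surface a page script can read. The following is an added example, not code from the talk or from Firefox: it models what a tracker collects from those surfaces and what is left once the prefs are false. The `defaultEnv` and `hardenedEnv` objects are constructed stand-ins for browser objects (the battery values mirror the BatteryManager dump on the slide; the GPU string and connection values are made up) so the script runs in Node; in a browser you would fill them from `navigator.getBattery()`, `navigator.connection`, a WebGL context and `window.performance`.

```javascript
// Added example (not from the talk). Builds a fingerprint from whatever
// of the four API surfaces is present. Each input is optional: when the
// corresponding pref is false Firefox does not expose the API, so the
// script sees undefined and that component is simply missing.
function fingerprintSurfaces(env) {
  const parts = {};

  // dom.battery.enabled: the BatteryManager resolved by navigator.getBattery().
  // Level (in 1% steps) and remaining time change slowly, so they stay the
  // same across tabs and origins for minutes and link those visits together.
  if (env.battery) {
    const b = env.battery;
    parts.battery = `${b.charging ? 'ac' : 'bat'}:${Math.round(b.level * 100)}:${b.dischargingTime}`;
  }

  // dom.netinfo.enabled: navigator.connection (type and downlinkMax).
  if (env.connection) {
    parts.net = `${env.connection.type}:${env.connection.downlinkMax}`;
  }

  // webgl.enable-debug-renderer-info: the WEBGL_debug_renderer_info
  // extension returns the real GPU/driver string instead of a generic one.
  if (env.gl) {
    const ext = env.gl.getExtension('WEBGL_debug_renderer_info');
    if (ext) {
      parts.gpu = env.gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
    }
  }

  // dom.enable_performance: window.performance provides sub-millisecond
  // timestamps and per-resource timings; record that the surface exists.
  if (env.performance && typeof env.performance.now === 'function') {
    parts.perf = 'hi-res timer';
  }

  return {
    surfaces: Object.keys(parts),
    // What a tracker would store or send home (a real one would hash it).
    id: Object.entries(parts).map(([k, v]) => `${k}=${v}`).join('|'),
  };
}

// Constructed stand-ins for the browser objects (not real captures).
const defaultEnv = {
  battery: { charging: false, chargingTime: Infinity, dischargingTime: 8940, level: 0.59 },
  connection: { type: 'wifi', downlinkMax: 54 },
  gl: {
    // 0x9246 is the UNMASKED_RENDERER_WEBGL enum; the renderer string is made up.
    getExtension: (name) => (name === 'WEBGL_debug_renderer_info' ? { UNMASKED_RENDERER_WEBGL: 0x9246 } : null),
    getParameter: (p) => (p === 0x9246 ? 'Intel(R) HD Graphics 520' : null),
  },
  performance: { now: () => 1234.567 },
};

// Same script, all four prefs set to false: none of the APIs exist.
const hardenedEnv = {};

console.log(fingerprintSurfaces(defaultEnv));
console.log(fingerprintSurfaces(hardenedEnv));
```

Each pref removes exactly its own component, so you can turn them off one at a time and re-run the script to see what a given site can still read.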

  57. features to restrict

  59. network.cookie.cookieBehavior = 0
    network.cookie.thirdparty.sessionOnly = true
    privacy.clearOnShutdown.cookies = false
    network.cookie.lifetimePolicy = 3
    network.cookie.lifetime.days = 5
    feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox

  62. network.http.referer.XOriginPolicy = 1
    network.http.referer.XOriginTrimmingPolicy = 2 (new in 52)
    feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox
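
To see what those two prefs actually change, here is an added example (not from the talk, and not Firefox's implementation) that reimplements their decision in plain JavaScript. It assumes the documented meanings: XOriginPolicy 0 = always send the referrer, 1 = send only when the base domains match, 2 = send only when the full hosts match; XOriginTrimmingPolicy 0 = full URL (the fragment is never sent anyway), 1 = strip the query, 2 = scheme, host and port only. Two simplifications: the base domain is approximated by the last two labels (Firefox uses the public suffix list, so this is wrong for co.uk and friends), and other referrer controls such as the page's own Referrer-Policy are ignored.

```javascript
// Added example (not from the talk): decide what Referer a request
// from `fromUrl` to `toUrl` carries under the two Firefox prefs.

// Crude base-domain approximation (assumption: last two labels).
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function refererFor(fromUrl, toUrl, { xOriginPolicy = 0, xOriginTrimmingPolicy = 0 } = {}) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Full referrer minus the fragment, which browsers never send.
  const full = from.origin + from.pathname + from.search;

  // Same origin: both prefs only govern cross-origin requests.
  if (from.origin === to.origin) return full;

  // XOriginPolicy: whether to send anything at all.
  if (xOriginPolicy === 2 && from.hostname !== to.hostname) return null;
  if (xOriginPolicy === 1 && baseDomain(from.hostname) !== baseDomain(to.hostname)) return null;

  // XOriginTrimmingPolicy: how much of the URL to send.
  switch (xOriginTrimmingPolicy) {
    case 2: return from.origin + '/';                // scheme://host:port/
    case 1: return from.origin + from.pathname;      // no query string
    default: return full;
  }
}

// The talk's settings, applied to a page with a query string.
const TALK_PREFS = { xOriginPolicy: 1, xOriginTrimmingPolicy: 2 };
const page = 'https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox?utm=1#top';

console.log(refererFor(page, 'https://www.eff.org/', TALK_PREFS));              // null: different base domain
console.log(refererFor(page, 'https://static.cloud.geek.nz/x.png', TALK_PREFS)); // origin only
console.log(refererFor(page, 'https://www.eff.org/'));                          // default prefs: full URL with query
```

With the defaults, the query string (tracking parameters included) reaches every third-party resource the page loads; with the talk's values a third party on another base domain gets nothing, and a sibling domain gets only the origin.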

  67. pre-downloaded lists
    of URL hash prefixes

  68. feeding.cloud.geek.nz/

  71. 5b31c2702efc7c81e4d197cd80113396
    54da10d3315636cccbb536e868ff82a6
    feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

  74. .exe
    .com
    .bat
    .apk
    .dmg
    .pl
    .py
    .sh
    .deb
    .rpm
    toolkit/components/downloads/ApplicationReputation.cpp

  75. filename and size
    URLs
    hash of contents
    locale
    toolkit/components/downloads/ApplicationReputation.cpp

  77. browser.safebrowsing.downloads.remote.enabled
    feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

  82. revealing non-VPN IP address
    leaking internal IP address
    fixed in 51
  84. 50 or earlier:
    media.peerconnection.ice.default_address_only = true
    51 or later:
    media.peerconnection.ice.no_host = true
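
The two leaks named on slide 82 come from the ICE candidates a page can read off an RTCPeerConnection: `host` candidates carry the machine's own interface addresses (the internal LAN address), and `srflx` candidates carry the address a STUN server saw for each interface (the real public IP, even when a VPN is up but is not the only route). The following is an added example, not from the talk and not Firefox's gathering code: it classifies candidate lines the way a fingerprinting script would, and models the effect of the two prefs (`no_host` drops host candidates; `default_address_only` keeps only candidates whose local address is the default-route address, which has to be supplied explicitly here). The candidate lines are constructed samples using documentation address ranges, not captured traffic.

```javascript
// Added example (not from the talk): which ICE candidates leak which
// address, and what each pref removes (model, not Firefox's code).

// a=candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> [raddr <ip> rport <port>]
function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+))?/.exec(line);
  if (!m) return null;
  return { ip: m[5], port: Number(m[6]), type: m[7], raddr: m[8] };
}

// RFC 1918 ranges only; IPv6 and link-local are out of scope here.
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(Number.isNaN)) return false;
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

// What the candidate set reveals: internal addresses (host candidates on
// private ranges) and public addresses (srflx candidates).
function leaks(candidateLines) {
  const internal = new Set();
  const external = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.type === 'host' && isPrivateIPv4(c.ip)) internal.add(c.ip);
    if (c.type === 'srflx') external.add(c.ip);
  }
  return { internal: [...internal], external: [...external] };
}

// Model of the prefs. ice.no_host: no host candidates at all.
// ice.default_address_only: only candidates gathered on the default-route
// address (for srflx/relay that is the raddr they were derived from).
function applyPrefs(candidateLines, { noHost = false, defaultAddressOnly = false, defaultAddress } = {}) {
  return candidateLines.filter((line) => {
    const c = parseCandidate(line);
    if (!c) return true;
    if (noHost && c.type === 'host') return false;
    if (defaultAddressOnly) {
      const local = c.type === 'host' ? c.ip : c.raddr;
      if (local && local !== defaultAddress) return false;
    }
    return true;
  });
}

// Constructed sample: a laptop on a LAN (192.168.1.23) with a VPN tunnel
// (10.8.0.5) as default route. 203.0.113.7 is the ISP-facing public IP,
// 198.51.100.4 the VPN exit; both are documentation ranges.
const SAMPLE_CANDIDATES = [
  'a=candidate:1 1 UDP 2122252543 192.168.1.23 54321 typ host',
  'a=candidate:2 1 UDP 2122187007 10.8.0.5 54322 typ host',
  'a=candidate:3 1 UDP 1686052863 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'a=candidate:4 1 UDP 1686052863 198.51.100.4 54322 typ srflx raddr 10.8.0.5 rport 54322',
];

console.log('no prefs:', leaks(SAMPLE_CANDIDATES));
console.log('no_host only:', leaks(applyPrefs(SAMPLE_CANDIDATES, { noHost: true })));
console.log('both:', leaks(applyPrefs(SAMPLE_CANDIDATES,
  { noHost: true, defaultAddressOnly: true, defaultAddress: '10.8.0.5' })));
```

In this model `no_host` alone hides the LAN address but the non-VPN public address still appears in a srflx candidate, and restricting gathering to the default route alone still exposes the tunnel's host address; the combination leaves only the VPN exit address, which is the case the "fixed in 51" slide is about when `no_host` is added on top of default-route-only gathering.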

  85. other things to
    keep in mind

  96. user_pref("privacy.trackingprotection.enabled", true);   // block known trackers
    user_pref("privacy.donottrackheader.enabled", true);       // send the DNT header
    user_pref("device.sensors.enabled", false);                // no device sensor events
    user_pref("media.eme.enabled", false);                     // no DRM (EME) modules
    user_pref("pdfjs.disabled", true);                         // no built-in PDF viewer
    user_pref("browser.casting.enabled", false);               // no SSDP device discovery
    user_pref("layout.css.visited_links_enabled", false);      // no :visited styling (history sniffing)
    user_pref("dom.battery.enabled", false); // Fx < 52        // no Battery API
    user_pref("dom.netinfo.enabled", false);                   // no navigator.connection
    user_pref("media.video_stats.enabled", false);             // no video playback stats
    user_pref("dom.enable_performance", false);                // no window.performance
    user_pref("webgl.enable-debug-renderer-info", false);      // no GPU renderer string
    user_pref("media.peerconnection.ice.default_address_only", true); // Fx < 51
    user_pref("media.peerconnection.ice.no_host", true); // Fx >= 51
    user_pref("security.pki.sha1_enforcement_level", 2); // Fx < 52
    user_pref("network.http.referer.XOriginPolicy", 1);        // referrer only to same base domain
    user_pref("privacy.clearOnShutdown.cookies", false);
    user_pref("network.cookie.cookieBehavior", 0);             // accept all cookies, but:
    user_pref("network.cookie.lifetimePolicy", 3);             // expire them after lifetime.days
    user_pref("network.cookie.lifetime.days", 5);
    user_pref("network.cookie.thirdparty.sessionOnly", true);  // third-party cookies die with the session
    user_pref("browser.urlbar.trimURLs", false);               // show the full URL, scheme included
    ?
    @fmarier


  97. Photo Credits:
    shooting star: https://www.flickr.com/photos/funcrush/9496927983/
    yellow triangle: https://www.flickr.com/photos/tillwe/2974932670/
    jail cell: https://www.flickr.com/photos/mikecogh/5997920696
    speedbump: https://www.flickr.com/photos/jputnam/9078451876/
    cookie: https://www.flickr.com/photos/amagill/34754258/
    chromecast: https://www.flickr.com/photos/medithit/10165535814/
