
Hardening Firefox for Privacy and Security

The Web can be a hostile place, full of deceptive and malicious sites trying to install software on your computer or steal your personal information. However, you have a friend on your side: your user agent (also called your web browser).

This talk will examine some of the hidden or advanced settings and extensions that Firefox offers to users who are concerned about their security and privacy. While we at Mozilla strive to bring these features to all of our users, the reality is that it's sometimes challenging to balance the need for maximum web compatibility and standards compliance with the desire to phase out harmful practices. With a little bit of context on the benefits and risks that some of these features provide, you should be able to make informed decisions and tweak your favorite user agent.

https://osem.seagl.org/conference/seagl2016/program/proposal/188

Francois Marier

November 11, 2016

Transcript

  1. Hardening Firefox
    for Privacy & Security
    François Marier

  2. enable
    disable
    restrict

  4. eliminating all fingerprinting

  6. eliminating all traffic to Mozilla

  7. eliminating all traffic to Mozilla
    support.mozilla.org/kb/how-stop-firefox-making-automatic-connections

  8. eliminating all traffic to Mozilla
    ● auto-updates

  9. eliminating all traffic to Mozilla
    ● auto-updates
    ● add-on blocklist

  10. eliminating all traffic to Mozilla
    ● telemetry

  11. eliminating all traffic to Mozilla
    ● telemetry
    wiki.mozilla.org/Firefox/Data_Collection

  12. disabling features with big perf impact
    ● prefetching
    ● speculative connections

  13. disabling useful features
    ● WebGL
    ● WebRTC
    ● DOM Storage

  14. disabling features that:
    ● are disabled by default
    ● prompt you first

  15. features to enable

  16. privacy.trackingprotection.enabled

  17. feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox

  18. Do Not Track

  19. privacy.donottrackheader.enabled

  21. features to disable

  22. media.eme.enabled

  23. device.sensors.enabled

  24. BatteryManager {
    charging: false,
    chargingTime: Infinity,
    dischargingTime: 8940,
    level: 0.59,
    onchargingchange: null,
    onchargingtimechange: null,
    ondischargingtimechange: null,
    onlevelchange: null
    }

  27. dom.battery.enabled

  28. dom.battery.enabled (removed in 52)

  29. www.fsf.org
    www.eff.org

  30. www.fsf.org
    www.eff.org
    www.netflix.com
    store.steampowered.com

  31. layout.css.visited_links_enabled

  32. Simple Service
    Discovery Protocol

  33. browser.casting.enabled

  34. pdfjs.disabled

  35. network information

  36. navigator.connection.type;

  37. navigator.connection.type;
    bluetooth, cellular, ethernet, none,
    wifi, wimax, other, mixed, unknown

  38. navigator.connection.type;
    bluetooth, cellular, ethernet, none,
    wifi, wimax, other, mixed, unknown
    navigator.connection.downlinkMax;

  39. dom.netinfo.enabled

  40. media.video_stats.enabled

  41. webgl.enable-debug-renderer-info

  42. dom.enable_performance

  43. features to restrict

  44. network.cookie.cookieBehavior = 0
    network.cookie.thirdparty.sessionOnly = true
    privacy.clearOnShutdown.cookies = false
    network.cookie.lifetimePolicy = 3
    network.cookie.lifetime.days = 5
    feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox

  45. network.http.referer.XOriginPolicy = 1

  46. network.http.referer.XOriginPolicy = 1
    network.http.referer.XOriginTrimmingPolicy = 2 (new in 52)
    feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox
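To make the two referrer prefs concrete, here is an added model of which Referer value leaves the browser under each setting. It is my own illustration, not Firefox's code; it only models these two prefs, and it approximates the "base domain" as the last two host labels whereas Firefox uses the Public Suffix List.

```python
from urllib.parse import urlsplit, urlunsplit

def base_domain(host):
    # Assumption: approximate the "base domain" as the last two labels.
    # Firefox uses the Public Suffix List, so hosts under e.g. co.uk differ.
    return ".".join(host.lower().split(".")[-2:])

def host_port(parts):
    # Userinfo is never sent in a Referer; keep only host and explicit port.
    return parts.hostname + (":%d" % parts.port if parts.port else "")

def origin(parts):
    return parts.scheme + "://" + host_port(parts)

def referer_for(source, target, xorigin_policy=0, trimming_policy=0):
    """Referer value sent when navigating from source to target, or None.

    xorigin_policy  = network.http.referer.XOriginPolicy
        0 always send, 1 only if base domains match, 2 only if hosts match
    trimming_policy = network.http.referer.XOriginTrimmingPolicy (cross-origin only)
        0 full URL, 1 scheme+host+port+path, 2 scheme+host+port
    Only these two prefs are modelled; the fragment is always dropped.
    """
    s, t = urlsplit(source), urlsplit(target)
    full = urlunsplit((s.scheme, host_port(s), s.path, s.query, ""))
    if origin(s) == origin(t):
        return full                       # same-origin: sent untrimmed
    if xorigin_policy == 2 and s.hostname != t.hostname:
        return None
    if xorigin_policy == 1 and base_domain(s.hostname) != base_domain(t.hostname):
        return None
    if trimming_policy == 2:
        return origin(s) + "/"
    if trimming_policy == 1:
        return urlunsplit((s.scheme, host_port(s), s.path, "", ""))
    return full

# The deck's settings (XOriginPolicy = 1, XOriginTrimmingPolicy = 2) versus the
# defaults, on constructed URLs.
DECK = dict(xorigin_policy=1, trimming_policy=2)
if __name__ == "__main__":
    src = "https://www.example.net/account/settings?tab=billing"
    for dst in ["https://www.example.net/help", "https://cdn.example.net/a.png",
                "https://tracker.example/pixel"]:
        print(dst, "->", referer_for(src, dst), "|", referer_for(src, dst, **DECK))
```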

  47. pre-downloaded lists
    of URL hash prefixes

  48. feeding.cloud.geek.nz/

  49. 5b31c2702efc7c81e4d197cd80113396
    54da10d3315636cccbb536e868ff82a6

  51. 5b31c2702efc7c81e4d197cd80113396
    54da10d3315636cccbb536e868ff82a6
    feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox
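As an added illustration (my own code, not Firefox's implementation), this models the lookup the slides describe: the browser keeps only 4-byte SHA-256 prefixes of listed URL expressions, sends a prefix to the server only on a local hit, and does the full-hash comparison locally. The blocklist and the server are constructed toy data.

```python
import hashlib

# Safe Browsing lists pre-downloaded by the browser hold only the first
# 4 bytes of the SHA-256 of each listed URL expression; the full
# 32-byte hashes stay on the server.
PREFIX_LEN = 4

def full_hash(expression):
    """SHA-256 of a canonicalised URL expression, e.g. 'feeding.cloud.geek.nz/'."""
    return hashlib.sha256(expression.encode("utf-8")).digest()

def build_prefix_list(blocked_expressions):
    """The local list: a set of 4-byte prefixes, never the URLs themselves."""
    return {full_hash(e)[:PREFIX_LEN] for e in blocked_expressions}

def lookup(expression, prefix_list, full_hash_server, sent_to_server):
    """Return 'safe' or 'unsafe' for one URL expression.

    Any prefix that had to be sent to the server is appended to
    sent_to_server, so the caller sees exactly what left the browser.
    """
    digest = full_hash(expression)
    prefix = digest[:PREFIX_LEN]
    if prefix not in prefix_list:
        return "safe"                 # local miss: nothing is sent anywhere
    sent_to_server.append(prefix)     # local hit: only 4 bytes go out
    # The server returns every full hash sharing that prefix and the final
    # comparison happens locally, so it never learns which URL matched.
    return "unsafe" if digest in full_hash_server(prefix) else "safe"

# Constructed sample data (not a real list): a toy blocklist and a toy
# server that answers "which full hashes start with this prefix?".
BLOCKED = ["malware.example/", "phish.example/login/"]
SERVER_INDEX = {}
for e in BLOCKED:
    SERVER_INDEX.setdefault(full_hash(e)[:PREFIX_LEN], set()).add(full_hash(e))
PREFIX_LIST = build_prefix_list(BLOCKED)

def toy_server(prefix):
    return SERVER_INDEX.get(prefix, set())

def check(expression):
    """Convenience wrapper returning (verdict, prefixes sent to the server)."""
    sent = []
    return lookup(expression, PREFIX_LIST, toy_server, sent), sent

if __name__ == "__main__":
    for url in ["feeding.cloud.geek.nz/", "malware.example/"]:
        print(url, check(url))
```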

  52. .exe
    .com
    .bat
    .apk
    .dmg
    .pl
    .py
    .sh
    .deb
    .rpm

  53. .exe
    .com
    .bat
    .apk
    .dmg
    .pl
    .py
    .sh
    .deb
    .rpm
    toolkit/components/downloads/ApplicationReputation.cpp

  54. filename and size
    URLs
    hash of contents
    locale
    toolkit/components/downloads/ApplicationReputation.cpp

  55. browser.safebrowsing.downloads.remote.enabled
    feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox

  56. revealing non-VPN IP address
    leaking internal IP address

  57. revealing non-VPN IP address
    leaking internal IP address
    fixed
    in 51

  58. 50 or earlier:
    media.peerconnection.ice.default_address_only = true

  59. 51 or later:
    media.peerconnection.ice.no_host = true
    50 or earlier:
    media.peerconnection.ice.default_address_only = true

  60. other things to
    keep in mind

  61. user_pref("privacy.trackingprotection.enabled", true);
    user_pref("privacy.donottrackheader.enabled", true);
    user_pref("device.sensors.enabled", false);
    user_pref("media.eme.enabled", false);
    user_pref("pdfjs.disabled", true);
    user_pref("browser.casting.enabled", false);
    user_pref("layout.css.visited_links_enabled", false);
    user_pref("dom.battery.enabled", false); // Fx < 52
    user_pref("dom.netinfo.enabled", false);
    user_pref("media.video_stats.enabled", false);
    user_pref("dom.enable_performance", false);
    user_pref("webgl.enable-debug-renderer-info", false);
    user_pref("media.peerconnection.ice.default_address_only", true); // Fx < 51
    user_pref("media.peerconnection.ice.no_host", true); // Fx >= 51
    user_pref("security.pki.sha1_enforcement_level", 2); // Fx < 52
    user_pref("network.http.referer.XOriginPolicy", 1);
    user_pref("privacy.clearOnShutdown.cookies", false);
    user_pref("network.cookie.cookieBehavior", 0);
    user_pref("network.cookie.lifetimePolicy", 3);
    user_pref("network.cookie.lifetime.days", 5);
    user_pref("network.cookie.thirdparty.sessionOnly", true);
    user_pref("browser.urlbar.trimURLs", false);
    ?
    @fmarier

  62. Photo Credits:
    shooting star: https://www.flickr.com/photos/funcrush/9496927983/
    yellow triangle: https://www.flickr.com/photos/tillwe/2974932670/
    jail cell: https://www.flickr.com/photos/mikecogh/5997920696
    speedbump: https://www.flickr.com/photos/jputnam/9078451876/
    cookie: https://www.flickr.com/photos/amagill/34754258/
    chromecast: https://www.flickr.com/photos/medithit/10165535814/
