LibreWolf AppImage 64-bit Only: Privacy Hardened Firefox

[mikeslr]

Hi All,

Edit: Skip down to here, viewtopic.php?p=11448#p11448 for what may be a version working OOTB. Then come back for an understanding why I built it.

Accidentally stumbled into a couple* of web-pages rating web-browsers from a privacy prospective. Firefox, itself, was recommended with the proviso that it be hardened. Tor, of course. Palemoon was mentioned as having mixed reviews; as was Brave.
The only one which was recommended that I previously hadn't tried but could run OOTB under Bionicpup64 was the LibreWolf.AppImage. Although there is more to LibreWolf, the over-all take-away was a security hardened firefox without having to spend time accomplishing that.

But, do your own reading. https://restoreprivacy.com/browser/secure/ doesn't mention LibreWolf, but does express a concern about my favorite, opera. I think I stumbled upon LIbreWolf on the Slant website, https://www.slant.co/topics/14528/~priv ... b-browsers

Just thought you should have notice of its existence and this link, https://gitlab.com/librewolf-community/ ... -/releases

*Well, stumbled into one, then based on its criticism of opera and did some further exploring.

[WoodLark]

I downloaded the appimage, and copied my firefox profile to ~/.librewolf. So far everything appears to work.

[taersh]

It doesn't seem to store its window size and coordinates. Instead it opens repeatedly with some predefined hard-coded size and coordinates. That's a NO-GO for me.

[mikewalsh]

It doesn't seem to store its window size and coordinates. Instead it opens repeatedly with some predefined hard-coded size and coordinates. That's a NO-GO for me.

Rainer:-

I believe that's to do with this business of "if you start NOT full-screen, the user-agent trackers can't guess what you're running". I've never quite got my head round that one, I'll be honest. It also appears to be another of these hyper-security versions that won't remember anything, and wants you to re-enter all your information every time you fire it up.

But that's what some people want.....TOTAL anonymity. Doesn't work for me, though; as far as I'm concerned, that's a complete waste of time. I can't get anything done if I spend all my time re-logging in, and resetting everything up the way I want it..!

---------------------------------------

HOWEVER; I know some Puppians take online security extremely seriously. In line with my policy of maximum choice, and for ease of use, here's a 'portable' version of LibreWolf.....just for them:-

https://drive.google.com/file/d/1mBObgp ... sp=sharing

Usual instructions apply. D/l, unzip, locate where you want. Click to enter, click 'LAUNCH' to start.

Mike.

[s243a]

It doesn't seem to store its window size and coordinates. Instead it opens repeatedly with some predefined hard-coded size and coordinates. That's a NO-GO for me.

You are probably aware of this but anyway, that is so snoopers don't use the window size as one of the pieces of information to uniquely identify a person.

[taersh]

You are probably aware of this but anyway, that is so snoopers don't use the window size as one of the pieces of information to uniquely identify a person.

Perhaps I misunderstood this information, but this is a bit paranoid, isn't it?
I mean, how many possible unique window sizes and coordinates are available on a screen to identify a person?
And how big are the chances they all are used uniquely and repeatedly by a single person?
Are there any information available that exact those users don't post public information about their fake lives on e.g. Facebook etc.?

I think those guys really shouldn't use the internet at all.

[s243a]

You are probably aware of this but anyway, that is so snoopers don't use the window size as one of the pieces of information to uniquely identify a person.

Perhaps I misunderstood this information, but this is a bit paranoid, isn't it?

That's a matter of opinion

I mean, how many possible unique window sizes and coordinates are available on a screen to identify a person?

This likely depends on the screen resolution. As an upper bound is perhaps the number of pixels on the monitor determine the number of unique window sizes. This is just a guess and I suppose, you can't shrink you window down to one pixel.

And how big are the chances they all are used uniquely and repeatedly by a single person?

My guess is that it's only valid for a short time period. Say, I visit two sites, shortly after each other and I have the same window size on each site. What is the probability that I'm the same person?

Let's try this. Say someone knows you always visit a non-https website and there was recently a tor honeypot that they just visited and shortly after they visited a non-https site that they visit on clearnet. Since the clearnet site isn't using encryption perhaps they can man in the middle the traffic and capture the window size. Maybe they do this by dns cache poisoning. Alternatively, perhaps some javascript in a third party advertisement captures the window size.

Are there any information available that exact those users don't post public information about their fake lives on e.g. Facebook etc.?

They would have to correlate it with some public information about you such as your ip address or information that you post on facebook.

I think those guys really shouldn't use the internet at all.

I heard once that in Russia intelligence agencies started using typewriters more due to the ability of adversaries to hack online information. Anyway, whether you think this is paranoid or not, the tor browser also takes the same precaution and warns against resizing the browser window.

[taersh]

What a waste of time to hunt always after the browser with most privacy and all those so-called security tools etc.
I prefer not to store relevant information on my computer, and if I would need to do so, I would store it on external drives not being connected to the computer when being online.

I don't do online-banking, I don't own Paypal or any other online payment services and none of my activities on the web are hooked to something that needs to be hidden to governments and/or companies etc. I would be more concerned on what criminals would find out about me from hacking local community servers etc. as they seem to know much more about myself than I do, perhaps.

[WoodLark]

My interest in trying librewolf is less from a security viewpoint than my annoyance with Mozilla. It seems tha Firefox constantly nags me to update to the latest version (if I do update, it only takes a short while before they issue another version and start nagging again). I used to be able to stop the nagging by editing about:config, but they took that right away from me around version 63. Hopefully the nagging is either gone, or stoppable in librewolf.

[taersh]

Yes, I'm also using Firefox and I don't like that constant info messages of updates available.
I close that message repeatedly -takes only one second- and just don't update to each new version.
Just don't know what's the latest version. Still running 80.0. Automatic update is disabled.
I updated to 80 from 77 and before that from 74.

[mikeslr]

Maybe someone else can. But I couldn't find a downloadable deb, tar.gz or other format. However, an AppImage is just a compressed file and UExtract could decompress it, at least running Bionicpup64. [Not sure why I couldn't running fossapup64]. fredx181 published an application which can generate AppImages from directories. My original idea was to see if I could figure out how to work-around the problem taersh mentioned, then repack it. Once having decompressed it I Left-Clicked the extracted folder expecting to see its contents. Instead it started the application. [Right-Click>Look inside does file-browse into the folder].
Typing the command about:config does open settings and, I think, changes can be made. But I don't know which settings does what so I didn't play with it. Once modified you can either re-package it alla fredx181's create portable AppImage, http://murga-linux.com/puppy/viewtopic. ... da#1011814 or just run it as a portable.

I wouldn't use it as a general purpose web-browser; just for engaging in online financial matters. So the display annoyance isn't obvious. Frankly, I want it always to be in a pristine condition and a AppImage will be just that. I don't even want it to keep bookmarks, and certainly not user names and passwords. It suffices that I can just type my bank's name into the URL box, then cut and paste my User name --which isn't easily identified as me-- and password which is a not easily memorized randomly generated string of 16 symbols.
Woodlark, if you go into firefox's folder and rename the 4 files with 'update' in their names --e.g. just add a 0 at the beginning: updater > 0updater-- I think just updating is broken. I know I did that once with some browser. But I don't recall if I still got nagged. Now I just go into settings and can select 'ask' rather than 'automatic'.

[mikeslr]

This exploration began as an attempt to work-around the problem taersh reported. I understood that to be that LibreWolf always opened with dimensions that appeared to be hard-coded. Maybe I misunderstood the problem.

When run, AppImages mount thru /tmp. AFAIK the contents of /tmp --even on Full Installs-- are cleared on shutdown/reboot. But /tmp is not a folder isolated from your system like, for example, Spot. It's just a different mount point. Obviously, an AppImage of LIbreOffice would be particularly useless if you couldn't save the datafiles you create. The same is true of web-browsers which perform uploads and downloads. That a Listing for Setting appeared on Librewolf's menu suggested that its publishers hadn't removed those components from the firefox base. As indicated by this screenshot, changes you make aren't ignored. Librewolf reopened reflecting the changes I made to the theme, the start-page, the location and its dimensions. [Note, this was done using the AppImage itself; not the version created by extraction].

LibreWolf-Customized.png (267.43 KiB) Viewed 3247 times

Like the default firefox build, LibreWolf creates and maintains its profile as a hidden file in root, to wit: /root/.librewolf. It also downloads files to /root/Downloads and stores data in /root/.cache. Hence, while running Librewolf you and any hacker have access to your entire system.
It's nice that it starts out as a hardened firefox without your having to spend a lot of time. It's also nice that youtube videos produced sound OOTB. But, if I were to continue using it I would:
(a) Extract it and run it from the extraction folder after,
(b) Portablizing it as fredx181 has done with firefox --i.e. profiles and cache kept within its folder, and
(c) run it as Spot.

[user1111]

Just some of the things that your browser/system might reveal for the purpose of fingerprinting/associating activity ...

OS
Browser and version
Browser plugins/fonts/media players
Colour depth
CPU
GPU
Battery and status
Connection
download speed
Compass/orientation
Window size
Language/locale

From a multi-user at a single home (IP) perspective just a small subset is usually more than enough to associate to a single individual. Google can also associate typing/mouse activity speed/pattern.

Such 'surveillance' is in breach of British Article 8 of the Human Rights Act and Google and its subsidiaries should rightfully be banned from the UK.

[s243a]

Just some of the things that your browser/system might reveal for the purpose of fingerprinting/associating activity ...

OS
Browser and version
Browser plugins/fonts/media players
Colour depth
CPU
GPU
Battery and status
Connection
download speed
Compass/orientation
Window size
Language/locale

From a multi-user at a single home (IP) perspective just a small subset is usually more than enough to associate to a single individual. Google can also associate typing/mouse activity speed/pattern.

Such 'surveillance' is in breach of British Article 8 of the Human Rights Act and Google and its subsidiaries should rightfully be banned from the UK.

If google can fingerprint you based on typing/mouse activity speed/pattern, then they can probably fingerprint you at their tor honey pot provided that you have javascript turned on. That said, I don't know if google has a tor honeypot.

[mikewalsh]

Just some of the things that your browser/system might reveal for the purpose of fingerprinting/associating activity ...

OS
Browser and version
Browser plugins/fonts/media players
Colour depth
CPU
GPU
Battery and status
Connection
download speed
Compass/orientation
Window size
Language/locale

From a multi-user at a single home (IP) perspective just a small subset is usually more than enough to associate to a single individual. Google can also associate typing/mouse activity speed/pattern.

Such 'surveillance' is in breach of British Article 8 of the Human Rights Act and Google and its subsidiaries should rightfully be banned from the UK.

Eeee, it's "official", guys'n'gals. Ruffers HATES Google!

But with Google having more money (and clout!) than God, and with the way successive UK governments have always 'deferred' to our American cousins - viz, the so-called "special relationship", well.....I can't ever see your final wish happening, mate. And our lot, like any other official ruling body, are very good at ignoring (or at least bending) their own laws.....WHEN it suits them.

A case of one rule for the rulers, and another one for everybody else..?

(*sigh*)

Mike.

[mikeslr]

Well, I thought of it, viewtopic.php?p=11202#p11202. Unfortunately I have this quirk. Once I've thought of problem worth solving I can put it aside, but I can't put it away. Years later something will trigger 'Oh, yah. That still bugs me.' This morning, still not having even been able to put it away, I thought let's see if it can be done:

Step 1: UExtract the LibreWolf.AppImage. Rename the extracted folder to something simpler (LibreWolf-version-number-portable.
Step 2: Right-Click>Look inside.
Step 3. As reported previously Left-Clicking the folder runs the application. So it didn't come as a surprise that within the folder was a file named "AppRun". Open AppRun in a text editor.
Step 4. Compare AppRun's arguments to those use by fredx181, Mike Walsh, rockedge to (a) run as spot and (b) store profiles within the applications folder.
Step 5. Add those arguments to AppRun.
The result is an AppRun file which now reads [Sections in Blue are what's been added]:

#!/bin/sh
SELF=$(readlink -f "$0")
HERE=${SELF%/*}
export PATH="${HERE}:${HERE}/usr/bin/:${HERE}/usr/sbin/:${HERE}/usr/games/:${HERE}/bin/:${HERE}/sbin/${PATH:+:$PATH}"
export LD_LIBRARY_PATH="${HERE}/usr/lib/:${HERE}/usr/lib/i386-linux-gnu/:${HERE}/usr/lib/x86_64-linux-gnu/:${HERE}/usr/lib32/:${HERE}/usr/lib64/:${HERE}/lib/:${HERE}/lib/i386-linux-gnu/:${HERE}/lib/x86_64-linux-gnu/:${HERE}/lib32/:${HERE}/lib64/${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export PYTHONPATH="${HERE}/usr/share/pyshared/${PYTHONPATH:+:$PYTHONPATH}"
export MOZ_LEGACY_PROFILES=1 # Prevent per installation profiles
export XDG_DATA_DIRS="${HERE}/usr/share/${XDG_DATA_DIRS:+:$XDG_DATA_DIRS}"
export PERLLIB="${HERE}/usr/share/perl5/:${HERE}/usr/lib/perl5/${PERLLIB:+:$PERLLIB}"
export GSETTINGS_SCHEMA_DIR="${HERE}/usr/share/glib-2.0/schemas/${GSETTINGS_SCHEMA_DIR:+:$GSETTINGS_SCHEMA_DIR}"
export QT_PLUGIN_PATH="${HERE}/usr/lib/qt4/plugins/:${HERE}/usr/lib/i386-linux-gnu/qt4/plugins/:${HERE}/usr/lib/x86_64-linux-gnu/qt4/plugins/:${HERE}/usr/lib32/qt4/plugins/:${HERE}/usr/lib64/qt4/plugins/:${HERE}/usr/lib/qt5/plugins/:${HERE}/usr/lib/i386-linux-gnu/qt5/plugins/:${HERE}/usr/lib/x86_64-linux-gnu/qt5/plugins/:${HERE}/usr/lib32/qt5/plugins/:${HERE}/usr/lib64/qt5/plugins/${QT_PLUGIN_PATH:+:$QT_PLUGIN_PATH}"
#
mkdir "$HERE/spot" 2> /dev/null
mkdir "$HERE/spot/.config" 2> /dev/null
chown -R spot:spot "$HERE/spot"
mkdir "$HERE/profile" 2> /dev/null
#

EXEC=$(grep -e '^Exec=.*' "${HERE}"/*.desktop | head -n 1 | cut -d "=" -f 2 | cut -d " " -f 1)
exec run-as-spot "${EXEC}" "$@" -profile "$HERE/profile"

The above does create both a profile folder and a spot folder within the LibreWolf folder and LibreWolf does start when its folder is Left-Clicked. But as I've previously tried to make clear I know as much about bash scripting as a six year old playing with blocks.
So, perhaps someone who actually knows what they are doing can examine the above, make suggestions and advise how to test the results.
Edit: Mommy, my blocks fall down. It starts once. Then apparently doesn't close properly as any effort to restart it generates a notice that "it's already running". Restart-X, doesn't kill it.

Starting from the terminal reveals:
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.

(librewolf:6662): Gtk-WARNING **: 14:42:35.577: Error loading theme icon 'dialog-warning' for stock: Icon 'dialog-warning' not present in theme ubuntu-mono-dark
JavaScript error: resource://gre/modules/XULStore.jsm, line 66: Error: Can't find profile directory.

And, anyway, shouldn't the profile directory be within the /spot directory?

In a stage whisper to the crew: "I'm beginning to suspect starting with firefox & hardening it would be easier."

[user1111]

Eeee, it's "official", guys'n'gals. Ruffers HATES Google!

Indeed, hate peeping toms. Vile. But we live in a 'look at me' world/era, where many like being goggled, seemingly opining it makes them a 'celebrity'.

[mikeslr]

"Eeee, it's "official", guys'n'gals. Ruffers HATES Google!" What's not to hate. Google started out as a better 'Altavista'; figured out how to make money by selling the information users unknowingly provide and now has an annual income larger than all but the top 25 nations. Contrary to the misrepresentation by the majority of the U.S. Supreme Court --even before Trump's picks-- money isn't Speech; it is Power. Finding and providing publicly available --intentionally disclosed-- information is a valuable service for which the provider is entitled to reasonable compensation. Finding personal information unknowingly or accidentally revealed and selling it is rarely in the public interest. It shouldn't be sufficient that you disclose the practice 'in the fine print'. In a slightly different commercial setting it would be analogous to a 'contract of adhesion' which would not be enforceable as 'against the public interest'. So, Google has obtained unimaginable power by acting against the public interest.

Well, at least one problem with the previous revision of AppRun is that the location of where librewolf looks for its profile is set by librewolf.cfg. Of course, under Puppies that means it will be in a location which is exposed, to wit: /root/.librewolf.

The following seems to work, again blue shows modification of original AppRun

#!/bin/sh
SELF=$(readlink -f "$0")
HERE=${SELF%/*}
mkdir "$HERE/profile" 2> /dev/null
export PATH="${HERE}:${HERE}/usr/bin/:${HERE}/usr/sbin/:${HERE}/usr/games/:${HERE}/bin/:${HERE}/sbin/${PATH:+:$PATH}"
export LD_LIBRARY_PATH="${HERE}/usr/lib/:${HERE}/usr/lib/i386-linux-gnu/:${HERE}/usr/lib/x86_64-linux-gnu/:${HERE}/usr/lib32/:${HERE}/usr/lib64/:${HERE}/lib/:${HERE}/lib/i386-linux-gnu/:${HERE}/lib/x86_64-linux-gnu/:${HERE}/lib32/:${HERE}/lib64/${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
export PYTHONPATH="${HERE}/usr/share/pyshared/${PYTHONPATH:+:$PYTHONPATH}"
export MOZ_LEGACY_PROFILES=1 # Prevent per installation profiles
export XDG_DATA_DIRS="${HERE}/usr/share/${XDG_DATA_DIRS:+:$XDG_DATA_DIRS}"
export PERLLIB="${HERE}/usr/share/perl5/:${HERE}/usr/lib/perl5/${PERLLIB:+:$PERLLIB}"
export GSETTINGS_SCHEMA_DIR="${HERE}/usr/share/glib-2.0/schemas/${GSETTINGS_SCHEMA_DIR:+:$GSETTINGS_SCHEMA_DIR}"
export QT_PLUGIN_PATH="${HERE}/usr/lib/qt4/plugins/:${HERE}/usr/lib/i386-linux-gnu/qt4/plugins/:${HERE}/usr/lib/x86_64-linux-gnu/qt4/plugins/:${HERE}/usr/lib32/qt4/plugins/:${HERE}/usr/lib64/qt4/plugins/:${HERE}/usr/lib/qt5/plugins/:${HERE}/usr/lib/i386-linux-gnu/qt5/plugins/:${HERE}/usr/lib/x86_64-linux-gnu/qt5/plugins/:${HERE}/usr/lib32/qt5/plugins/:${HERE}/usr/lib64/qt5/plugins/${QT_PLUGIN_PATH:+:$QT_PLUGIN_PATH}"
EXEC=$(grep -e '^Exec=.*' "${HERE}"/*.desktop | head -n 1 | cut -d "=" -f 2 | cut -d " " -f 1)
exec run-as-spot "${EXEC}" "$@"

However, immediately before starting librewolf the first time I manually copied librewolf.cfg into the profile folder. Note that there is no longer an argument to create a /spot folder within the /librewolf folder nor set its permissions. Although I did not manually change the Download location, examination of preferences shows it to be /spot/Downloads. Also notice that the final "exec" line does not include an argument to use the librewolf.cfg within the /profile folder. Yet, I was able to change the opening page

Screenshot.png (52.84 KiB) Viewed 3174 times

Close librewolf and reopen librewolf and (a) neither /root/.librewolf nor /root/.cache/librewolf were created and (b) SwissCows remained my opening page.

There remain a couple of problems. Rather than manually, copying librewolf.cfg to /profile should be an argument within AppRun but only executed if that hasn't already been done. In other words, on the first startup but not thereafter otherwise your setting will be overwritten by the default librewolf.cfg. I'm not sure how to write that code.
Even though librewolf now defaults to using /.spot/Download, I'm not sure if --like most portables-- it will actually honor the spot restriction that it can not access other than a spot folder.

[mikeslr]

Told you I had a quirk. Thought of running Librewolf as spot from /home/spot. So I built it as an SFS. It's available here, http://www.mediafire.com/folder/bv4txu82oxwa6/Librewolf. MD5 and other check in the folder. Interesting, only 57 MBs. It's Home Page is Swisscows and default Search Engine is metager. Qwant and other search engines are included.

Normally Librewolf locates cache and profiles in /root. But run as Spot from a folder in /home/spot they are written to /spot.

LibreOffice -home_spot.png (54.44 KiB) Viewed 3160 times

Cache & browsing history, etc. are configured to clear on closing. And you'll remember that in a Frugal Puppy, in order to preserve anything in /home/spot you have to execute a Save. So you may be able to make configuration changes by Saving before closing Librewolf.

This application honor's spots restriction. Downloads other than to /home/spot/Downloads fail. Mike Walsh's task-bar wiget to convert & move files is builtin. [It will show up twice if it was already present when you SFS-Load librewolf. Restart-x reduces that to one].

I'm not sure if uploads works, even from /home/spot/Uploads. Under Bionicpup64 uploading to mediafire failed. But it also failed from firefox. So maybe I just didn't wait long enough. Under fossapup, trying to upload to this Forum crashed Librewolf. Test before you depend on uploading something important. [In the future I'll try to figure out what goes wrong].

Librewolf is a firefox-fork inspired by ungoogled-chromium. It may not be the best web-browser for general use, but the privacy features it incorporates may --if I read slant community's post correctly-- make it second only to tor for privacy:
"Features

Latest Version of Firefox: LibreWolf is compiled directly from the latest build of Firefox Stable. You will have the the latest features, and security updates.
Completely Independent Build: LibreWolf uses a completely independent build from Firefox and has its own settings, profile folder and installation path. As a result, it can be installed alongside Firefox or any other browser.
Extensions firewall: limit internet access for extensions.
IJWY (I Just Want You To Shut Up): embedded server links and other calling home functions are removed. In other words, zero unauthorized or background connections by default.
User settings updates: gHacks/pyllyukko base is kept up to date.
Settings protection: important settings are enforced/locked within librewolf.cfg and policies.json, those settings cannot be changed by addons/updates/LibreWolf itself or unwanted/accidental manipulation; To change those settings you can easily do it by editing librewolf.cfg and policies.json.
LibreWolf-addons: set of optional LibreWolf extensions
Statistics disabled: telemetry and similar functions are disabled
Tested settings: settings are performance aware
Multi-platform (Windows/Linux/Mac/and soon Android)
Dark theme (classic and advanced)
Recommended and code reviewed addons list
Community-Driven
And much more... https://librewolf.readthedocs.io/en/latest/#features
However, those privacy feature --as noted in the above posts-- also make customization difficult, and sometimes impossible.

The first feature mentioned above doesn't apply to this build: It's at firefox 83 and will remain there. But unless Librewolf changes its publication system, building newer versions may not be difficult. I'm describe how in my next post.
By the way, it seems reasonably fast.

Edit: The SFS was build under Bionicpup64. But when first SFS-loaded in fossapup64, the setting changes I made were not present. However, after making them again and executing a Save, on reboot they were. Ergo, customization is possible but have to be Saved. The Saved Customization will also survive unloading the Librewolf sfs, Saving that condition, rebooting and reloading: the profile written to /home/spot/.librewolf is independent of those copied to /home/spot when librewolf is sfs-loaded.

But the fact that under fossapup it used the publisher's default setting (and especially as the metager search engine isn't in that build but was OOTB in my build) is strange. I built the SFS in /mnt/home/temp. During the build process I tried to figure out where profiles were being kept. I had to drop the procedure used in firefox to localize profiles in Librewolf's folder as it then wouldn't run generating either a 'profile not found' 'librewolf is already running' error. I know they weren't being written to /root as, in another window, I had that folder open with 'show hidden files'. Perhaps they were already being written to /home/spot. But I was shutting down without Saving which should have cleared any newly written files in /spot. Yet, on reboot, I could start librewolf from the /mnt/home/temp folder with my customizations intact. So where profiles were being stored during the build remains a mystery.

[mikeslr]

Edited March 10, 2021.
Text to follow.

LibreWolf64-xx.tar.gz

(403.09 KiB) Downloaded 86 times

See here for instruction, viewtopic.php?p=19449#p19449 except to note that the attached file has been modified to work-around the problem that the previous version was built expecting /root/spot to be a symbolic link to /home/spot and the permission changer I 'borrowed' from Mike Walsh would fail if that was not the case. The replacement works even if it is not.

Instructions are found here: https://puppylinux.rockedge.org/viewtop ... 449#p19449

[mikewalsh]

@mikeslr :-

Mike:-

Just a thought; you could try building it as a self-contained portable, and, along the same lines as the way I've built the Chrome-portables, you could include its own mini-spot directory within the portable directory. Then point it at that.

Take a look at the way I've built the launcher and wrapper-script. At every stage where it creates/ reads an existing directory (i.e., /spot), the script re-enforces spot permissions by chowning it again.

I'm not going to do this for you. I could, but this'll be good practice for you...!

Even doing it this way, it'll still make use of /home/spot for downloads/uploads.

Study my scripts & other stuff, and have a careful think about how you want to do it....

Mike.

[geo_c]

This browser is nice! Between this and Falkon I have two nice alternatives to the 'big-two.' They're both fast and functional, and with LibreWolf I can use the 'black-code' theme.

[mikeslr]

The LibreWolf organization has updated to the firefox-86 binaries. So I guess it's time for me to do the same and finally get around to providing the instructions so that you can as well.

1. Download the LibreWolf64-xx.tar.gz from here, viewtopic.php?p=11676#p11676. Extract it. Within you'll find a folder named 'LibreWolf64-xx'. Rename it, substituting the current version number for 'xx'. For example, using LibreWolf-86...AppImage, your folder would then be named 'LibreWolf64-86'. Edit: Before proceeding, see Note below.
2. File-browse into that folder until you open /LibreWolf64-86/home/spot/LibreWolf. Leave that window open.
2. Download the latest Librewolf.AppImage. Currently it can be found here, https://gitlab.com/librewolf-community/ ... -/releases. Right-Click the AppImage, select UExtract and extract it. [Extracted, it can function as a rox-app which you'll notice if you Left-Click it]. Right-Click the folder and select "Look Inside". Left-Click 'rox's Eye' or otherwise cause your file-manager to 'Show hidden files'.
3. Copy the contents of the extracted Librewolf.AppImage folder (not the folder) into the /LibreWolf64-86/home/spot/LibreWolf. Using rox, the easiest way is to Left-Click an empty space in the extracted folder [to focus rox on that folder] then press Ctrl-A. This will select all the files. Then Left-Press, Hold, then drag any file from the extracted folder into the .../spot/LibreWolf folder. All the other files will be dragged along as well. Select copy.
4. File-browse up until you again see only the LibreWolf64-86. If your OS supports it, Right-Click that folder and from the pop-up menu select either dir2sfs or 'create a pet package'. If that Right-Click is not supported then, Right-Click an empty space next to the LibreWolf64-86 folder and from the pop-up window select Window>terminal here. When the terminal opens enter either the command:
dir2pet LibreWolf64-86 or dir2sfs LibreWolf64-86. These will, respectively, create a pet or an SFS.

Clean up you work files.
-=-=-=-=-=--
Note: LibreWolf64-xx.tar.gz from here, https://puppylinux.rockedge.org/viewtop ... 676#p11676 was modified on March 10, 2021 for the reasons explained in that post. The work-around included in the March 10, 2021 version only involved a change in arguments of two bash-script files. If you have the older version and your /root/spot is a symbolic link to /home/spot, you don't have to do anything; if it is NOT, you don't have to start from scratch. If you're not sure, no harm is done by doing this: Download the attached, extract it, and follow the instructions of the included text file.

Changes.tar.gz

(1.03 KiB) Downloaded 44 times

[mikeslr]

Following up on my previous post:
I generally prefer portables. But getting Librewolf to locate its profile in its own folder was a hassle. See posts earlier in this thread. Running from /home/spot profiles will be contained in /home/spot/.librewolf. Remember, a Save will be required to preserve changes.
When portables are not available my preference is for SFSes. But if you are running Xenialpup64 in a container under EasyOS, you won't be able to mount SFSes [nor use an AppImage]. You can, however, install a LibreWolf pet which you created following the instructions of the previous post.
The instructions of that post were lengthy, mostly because I provided details a newbie could follow. But they're mostly 'cut & paste' and will actually take just a couple of minutes to execute. Far easier than then trying to harden a default firefox as I did in this thread. viewtopic.php?f=90&t=2335. If nothing else, that exploration provided the opportunity to learn about firefox's weaknesses and what can be done to overcome them.
That thread explored Chris Xiao's recommendations. I think 8Geee's replies provide some good additions. Implementing Chris Xiao's recommendations took several hours. Creating a LibreWolf running from /home/spot just a couple of minutes. I will, however, be exploring --and perhaps changing-- LibreWolf's default setting against those Chris and 8Geee recommend and a couple of my own.
One nice thing about running LibreWolf from /home/spot is that you have to execute a Save to preserve changes. When you execute a Save, those changes are written to your /spot/home folder in storage and will automatically be copied into RAM on bootup but --if I understand it correctly-- are compressed into Puppy's Cache, thus only having a minuscule effect on available RAM unless LibreWolf is loaded, opened, and put to use. However, they are now part of your operating system. Consequently, if you later upgrade LibreWolf, the new version will use your settings rather than the default provided by the LibreWolf organization.

[mikewalsh]

@mikeslr :-

With regard to running LibreWolf as 'spot' in portable format, I've built a 'run-as-spot' portable with the updated AppImage. Here's the all-important info:-

The portable directory:-

Inside it:-

....and inside 'librewolf64':-

----------------------------------------

Scripts:-

'LAUNCH':-

Code: Select all

#!/bin/sh
#
# Launcher for 'portable' LibreWolf browser
#
HERE="$(dirname "$(readlink -f "$0")")"
chown -R spot:spot "$HERE/librewolf64"
#
"$HERE/librewolf64/librewolf" "$@"

.....and the 'librewolf' launcher itself:-

Code: Select all

#!/bin/sh
#
# Wrapper to launch LibreWolf as 'spot' - © Mike Walsh Mar 2021 (with thanks to fredx181)
#
HERE="$(dirname "$(readlink -f "$0")")"
#
mkdir "$HERE/spot" 2> /dev/null
mkdir "$HERE/spot/profile" 2> /dev/null
chown -R spot:spot "$HERE/spot"
#
LD_LIBRARY_PATH=$LAUNCHDIR/apulse${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} run-as-spot "$HERE/LibreWolf64" "$@" -profile "$HERE/spot/profile" https://forum.puppylinux.com/index.php

----------------------------------------

And a wee demo for you, of it firing-up, along with a view of what's happening in the directories "as it happens". Sorry for the 'jerkiness' when moving the directories; SimpleScreenRecorder doesn't render this very well with older Puppies that only show an 'outline' when moving directories around the desktop.....!

In this mode, just as when running the AppImage by itself, it doesn't save your settings, but.....it proves it'll run like this. You can change the forum URL to open it up with SwissCows if ya wanted to...

Your 'run-as-spot' SFS is probably the better option for preserving settings, from the sound of things...

Mike.

[mikeslr]

I've been exploring too many odd web-browsers. I do actually have a librewolf portable. But when I saw that a new version was available I remembered the hassle but not that I had overcome it.

But thanks, Mike, for the code for LAUNCH & the Launcher, itself. These may be slightly different than the ones I came up with. They seem to sometimes generate a problem when running LibreWolf from /home/spot. If /home/spot didn't already exist with /root/spot being merely a symbolic link to it, profiles and cache would be created/located in /root/spot and my inclusion of your permission changer fails as it is configured to work with /home/spot/Upload & Download.

I'll substitute your codes and see if the problem is resolved. Thanks again.

By the way, LibreWolf's default setting are almost exactly identical to the recommendations of Chris Xiao which I referenced here, https://puppylinux.rockedge.org/viewtop ... 203#p19203. See my next post for the mods I've made to bring them in line with those recommendations, 8Geee's recommendations, my 'best guess'.

But, first I have to break for lunch. Well, lunch has come and gone. And so has dinner. So, wait for tomorrow. 'The Sun will come up tomorrow.'

[mikeslr]

The Good News:
As I mentioned previously, there was very little difference between LibreWolf’s default settings and the changes Chris Xiao recommends in order to harden the default firefox-quantum settings.

Chris advises after entering ‘about:config’ in the URL box: “Referrers tell websites how you came to their sites, which can be used to track you. To prevent referrer headers from being sent, change network.http.sendRefererHeader to 0.” LibreWolf was set to 2. I changed that to 0.

He also recommends “change privacy.firstparty.isolate to true.” I don’t recall if I had to make that change, or merely forgot to delete my note to check that setting.

8Geee suggests, "include references to a website by changing to 127.0.0.0". If I read LIbreWolf’s setting correctly, that is its default setting.

Excluding managing Addons, that at most is three changes you have to make thru about:config.
Both Chris and 8Geee recommend some version of uBlock origin. It comes with LibreWolf. [I’ve returned to employing it rather than AdGuard. Although there haven’t been reports of abuses, AdGuard is now published by an advertising agency. There have, however, been reports that AdGuard is more RAM-demanding than uBlock].

Chris recommends changing the default search engine from google to DuckDuckGo because it protects your privacy. I changed it to Qwant for the same reason. Qwant is run by a French organization and must comply with EU standards which are stricter than US standards. I also set Qwant.com as my ‘Home Page’.

8Geee recommends two Addons: Clear URL and CSS Exfil Protection.
Chris recommends Decentraleyes and HTTP Everywhere.

That’s it. Maybe 10 minutes of set-up time not counting configuring uBlock, discussed below.

Recommendations not followed:
Chris recommend installing, then configuring "Cookie AutoDelete" because "This extension automatically deletes cookies and site data from closed tabs, which prevents most websites from tracking you with cookies. If you set Firefox to delete all cookies and site data on exit, you might not need this." I did not install it because I do have that setting and LibreWolf, running from /home/spot
will, in any event, not preserve cookies on shutdown/reboot unless you execute a Save. Additionally, I installed the “Clear Cache” Addon.

Chris recommends installing the ‘privacy setting’ addon. Supposedly it enables you to access some privacy settings from a drop down menu, thus without having to open about:config. I installed then uninstalled it as it did not seem to function under LibreWolf. IIRC, it did under firefox.

My other addons:
privacy badger --automatically learns to block invisible trackers.
metager search --another Search Engine which protects privacy under EU (German) standards.
Clear Cache – As my versions will store web-cache in /home/spot, thus occupying RAM, it provides an easy method of clearing cache.
Bitwarden – I may not use this as I have my own method of conveniently managing sensitive data. But I thought it worth examining.

It is recommended that the default settings of uBlock be changed to comment out (#):
chrome-extension-scheme
chrome-scheme
edge-scheme
opera-scheme
vivaldi-scheme

I don’t know to what those settings refer to: what are included in the various ‘schemes’. But I don’t think I have any need for them except, perhaps, the ‘moz-extension-scheme’. So I commented the above out immediately. Then after after installing any trusted moz extensions commented out the moz-extension-scheme.

The bad news: There’s some configuration in LibreWolf which insists on creating its own profile the first time you start it. As far as I can tell it even disregard’s the argument “mkdir "$LAUNCHDIR/profile" 2> /dev/null”, at least when running from /home/spot. Profiles you create under LibreWolf run-as-spot from /home/spot are not transferable; e.g. if you create one under fossapup64, you can’t copy it into your setup under Bionicpup64 or vice-versa. LibreWolf run-as-spot from /home/spot doesn’t upgrade. So you can’t preserve your profile and copy it into an updated version. Accordingly, I recommend Mike Walsh’s portable version if you have multiple puppys. And, perhaps from a location other than /spot you will be able to substitute newer LibreWolf files for older while preserving the profile.

Under my setup –multiple Puppys, with often updated web-browsers-- utilizing firefox created as described here, viewtopic.php?f=90&t=2335 with the setting discussed in this post is just more efficient in the long run. However, were I to start building a hardened firefox from scratch I would follow 8Geee’s recommendation and employ firefox-esr since the need to update in order to remain current is much less frequent.

[mikeslr]

@ puppytrue,

What makes you think that anything google does is for the benefit of consumers rather than its own financial interest?
What makes you think that a file uploaded by a member of this Forum in a compressed format (AppImage, pet, SFS) with accompanying md5sum was unsafe when uploaded or has been modified thereafter?

[geo_c]

I've been running @mikewalsh 's portable build of LibreWolf 83, which I'm posting from currently. It runs great, but I'm realizing there are appimages of version 91. So which should I be using? aarch64 or x86?

And if I don't want to run as spot, I should be able to just start it up from Apprun, correct?

@geo_c

I just ran x86 and now I'm posting from it!

[mikewalsh]

@puppytrue :-

This is going to sound harsh. But if you have to ask HOW to perform pen-testing, then you will never have the mind-set & focus of those who perform this for a living, day in, day out.

It's not something you can impart to someone in a few forum posts. And there aren't exactly easily-accessible "public" tutorials that anyone can watch or read whenever they want, either. The info-sec community are, from what I understand, quite a tightly-knit one.....and they don't take kindly to unproven 'outsiders' trying to muscle their way in.

I told you you wouldn't like it..!

(shrug...)

Mike.