How to Harden firefox

[mikeslr]

I found this post which appears to be very thorough:https://chrisx.xyz/blog/yet-another-fir ... ing-guide/. One of the things I liked about the post was the explanations for the recommendations.

Chris Xiao, the author, recommends the addon uBlock origin. Consistent with his providing the reasons for his advice he add, "If you want to customize it, please refer to the official wiki: https://github.com/gorhill/uBlock/wiki".

I have a couple of question, mostly about whether some recommendations may be "too thorough". These have to do with whether I will be so successful that my bank won't recognize me. But I need to take a break so I'll get back probably tomorrow.

In the meantime, if you try to implement the recommendations you may find it helpful to open one firefox browser tab to the article and another to "about:config". One thing had me stumped for a while. The recommendation may be to change something from "false" to "true" or vice-versa; but the display was to "boolean" and two other choices. Click the "+" at the far right.

One of the reasons I think the article was thorough is because even though I had made some choices using "preferences" I was surprised that when examining the settings thru about:config, that my choices hadn't made changes --or all relevant changes-- I had expected.

If you're using a firefox portable, it's easy to setup two instances: one for general browsing and the other for secure transactions. Portables are started via a script "ff" within firefox's folder, which creates (if absent) a folder named profile within firefox's own folder and will subsequently use settings, addons, etc. stored in that folder. The script reads:

#LAUNCHDIR="$(cd "$(dirname "$0")"; pwd)"
LAUNCHDIR="$(dirname "$(readlink -f "$0")")"
mkdir "$LAUNCHDIR/profile" 2> /dev/null
LD_LIBRARY_PATH=$LAUNCHDIR/:$LAUNCHDIR/extralibs${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH} "$LAUNCHDIR/firefox" "$@" -profile "$LAUNCHDIR/profile"

Create a duplicate of that script under a different name, maybe "ffx", and change the above words in blue to, maybe, secured.
With a little more work, you can create usr/share/applications/firefox.desktop files for both profiles: i.e., one named firefox which will call "ff"; the other named, maybe, firefox-secured which will call "ffx". desktop files are what generate menu entries; but can also be dragged to the desktop or added to a panel launcher.

[bigpup]

About has more than about:config

Try using->
about:about in the address
That brings up a clickable listing of all the about pages.

[mikeslr]

The settings recommended by Chris Xiao which I was concerned about preventing me from engaging in online financial matters are:

Disable WebRTC

WebRTC can potentially expose your real IP address, changing the following disables it: Research suggest that this relates to transmission of media, only.

Change media.peerconnection.enabled to false
Change media.navigator.enabled to false

Disable geolocation support

This prevents websites from accessing your location information. Change geo.enabled to false. This one in particular --like using tor or a vpn-- might, by disguising my identity cause problems.

webgl.disabled to true. Same as above.
network.http.sendRefererHeader to 0. ditto
Install Decentraleyes -- "prevents you against tracking though "free" CDN providers by serving common static files (such as the ones from Google Hosted Libraries) from your local device."

At any rate, I figured the best way to find out 'what can go wrong' was to build a hardened firefox -run-as-spot sfs following the recommendations and use it. I'm posting from it now. But this is my first usage. I had no problem logging in. But some setting I made prevents some of the icons used on the forum's toolbar from displaying. They work; just no identifiable image.

Toolbar.png (850 Bytes) Viewed 2104 times

Tomorrow I'll see what happens when I try to log in to mediafire, amazon and my bank.
Well, that's curious. When previewing this post the attached image is just a purple box. After exiting, I'll open this post using firefox with the other, not-hardened, profile and see if it's only the display under the hardened profile which is effected.
Nope. The image, itself, was affected. It should have looked like this

Toolbar2.png (7.02 KiB) Viewed 2103 times

which I've uploaded using the 'non-hardened' profile.
I wonder if "icons" and "pngs" fall within the category of the "media" transmission handled by WebRTC,

[s243a]

Maybe a javascript library is being blocked from being downoaded.

[mikeslr]

@ s243a: Thanks for the suggestion. I hope its a WebRTC problem and not a javascript one. IIRC --still haven't had 2nd cup of coffee-- turning on WebRTC only exposes one to 'the potential' of being fingerprinted; while javascript is one of the vectors which can be used to inject junk into a system.

Otherwise just some testing notes:

Was able to download skype4linux from Mike Walsh's google-drive, albeit it may have been necessary to use the 'download all' trick and the download took quite awhile. I may have panicked trying to just download the SFS and gave up too soon.
On the other hand, trying to download TWeather, http://murga-linux.com/puppy/viewtopic. ... h&id=63046 --chosen because it was small-- produced a report that the site wasn't https despite that it is and the URL displays it as such. I do have the hardened profile configured to https everywhere.
[Dissenter had no problem downloading Tweather].
I'm thinking of trying to log in to those sites I occasionally do log into and note all problems before trying to figure out workarounds, modifications or decide that other web-browsers just do a better job without all the hassle.
Be back after breakfast.

[8Geee]

All that I saw in the previous posts in about config are highly recomended. I will say this, that some important websites in the USA like the VAMS site might not load the registration page. Although 'you' are being thoughtful and private with sensitive data... our gov't might not like it. Shame, as that info should only be between gov't and you: third-parties need not know anything. As it is, I have to keep both FF66 and FF27 ready at hand, some pages load with one but not the other... on the same website- especially US and State gov sites. Whadda nitemare!

Chris's list is a good start, but mozilla phones home A LOT. In addition to the top-level falses, also include references to a website by changing to 127.0.0.0 (If anything else is better let us know in this thread). There has been selections for the default search engine, and all should be deleted exept DuckDuckGo. There are also certain 'canvas' settings, and autocomplete (of ANY kind) that must be falsed. Autocomplete is notorious even in FF. Last I knew 'pdfjs' was also bad.

If you REALLY get into it over 400 changes. But I DO recomend falsing autocomplete, and removing web-addresses. Final pooint... FFesr's are generally cleaner than the general release (example is FF78.8esr vs. FF86).

8Geee

[8Geee]

Because my last post was long, I have divided it.

Find a uBlock 'Light' version that does not store the inflatable binary-blob.
Clear URL's is highly recomended- it removes tracking elements IN the URL itself.
CSS exfil is a good third one, it cleans up CSS violations (especially XSS back-door attacks).

Note: I see the recent uBo claims easy on memory and resources. Thats a great claim not made in several earlier versions. I'm using AdBlock Lite, which is uBo without the binary-blob. So, maybe, the 'inflatable binary-blob' is gone.

IMHO these three combine to make the web a safer place... but nothing is perfect.

YOMV/YRMV

8Geee

[mikeslr]

Thanks, 8Geee for the recommendations.
Shortly after your post the publishers of LibreWolf issued a new version. Exploration revealed that the setting they use are almost identical with Chris Xiao and your recommendations. So, at least for now, I'm putting further work on hardening firefox, itself, aside. It's just far less time consuming to make a few modifications to LibreWolf than to start from scratch with firefox.
The only downside are that LibreWolf is only 64-bit; and perhaps there exists an inability to build one application with both a 'regular use' and 'very hardened' profile. I pick up the exploration of hardening here, viewtopic.php?p=19570#p19570
[Edit February 2, 2021. The original link above and the next link were broken. I think the above link was the 'continuation'.]
Edit March 11, 2021:
My final recommendation as between hardening firefox and using LibreWolf, for the reasons set forth in detail here, https://puppylinux.rockedge.org/viewtop ... 570#p19570 is basically a toss-up if you run multiple Puppies or frequently update the browser. Profiles under LIbreWolf are not transferable. Building a portable using Mike Walsh's technique eliminates the need to. Profiles under firefox are transferable; but customizing a profile to your liking will take much longer. If you only have one Puppy, chose LIbreWolf. If you're starting from scratch to build a hardened firefox, follow 8Geee's advice and use firefox-esr as your source.

[GMBudwrench]

Might not apply in Puppy based FF, but I found this while looking at privacy settings. There’s one dev who has two user.js files configured for privacy. One is lenient and the other is almost a total lockdown. You can edit these and put them in the profile folder. They bypass the need to browse the about:config if I’m not mistaken. I’ve played with them in windows versions but I’m no expert in what all the settings are.

https://github.com/Tenmag/FirefoxPrivacyConfig

The link that started it https://ownyourbits.com/2018/09/08/cust ... m-user-js/