How to Secure Firefox

bodhi.zazen · 03:25 PM

How to Secure Firefox

Intro: What we are going to do is secure Firefox by blocking cookies and Java, then adding only trusted sites via a "White List" (White list = exceptions).

bodhi.zazen: Updated 1/12/1010

Contents:

Adblock.
Cookies.
Customize Google.
Java/Flash (NoScript).
Phishing.
Secure private data.
Write an Apparmor Profile.
Using Firefox, ie how to generate white lists.

Appendix:

Surf Anonymously ~ Privoxy/TOR
Other Privacy issues

Adblock

We have three options here, Hosts file, Firefox extensions, or proxy servers.

Hosts file. I prefer a hosts file as it protects more then just Firefox.

Here is how I do a hosts file : http://ubuntuforums.org/showthread.php?t=241460#2

Direct link to hosts file
Firefox extension : Adblock Plus
Proxy servers. Proxy servers may be used to increase privacy as well (see TOR) and come in several flavors, caching and non-caching. In general, caching is not needed as Firefox uses it's own cache. Configuration of each and every proxy server and configuring a firewall so that a proxy as "transparent" is beyond this post (transparent means you have configured your network so that users do not have to manually configure Firefox and in general involve a hardware firewall + a squid server).

As an example See here

IMHO, for single user desktops, I advise Adblock Plus.
IMHO, in a multi user environment or on a LAN, I advise a proxy server.
1. Privoxy is a very popular option.
  Code:
```
sudo apt-get install privoxy
```
  Privoxy is fast, light, and has adblocking "built in". See "bfilter" below for how to configure Firefox to use a proxy.
2. Bfilter. As of Ubuntu 9.10 bfilter is no longer supported in the ubuntu repositories. You may still install bfilter using Autopackage. Autopackage installs the bfilter-gui.
  
  Bfilter runs on windows as well (portable, nice when you are using a guest computer).
  
  Bfilter is easy to install and configure.
  Code:
```
sudo apt-get install bfilter
```
  To configure, open Firefox preferences -> Advanced tab -> Network tab -> now click the "settings" box. Use 127.0.0.1 port 8080 as a proxy (see screen shot)
3. Squid. Squid can be used for adblocking and has several advanced features. See also DansGuardian.

If you need a few pointers on Dansguardian or configuring an invisible proxy, see also :

How to transparent proxy

Web content filtering made easy

Cookies

Go to your Firefox menu -> Preferences -> Privacy Tab

UNSELECT "Accept cookies from sites"

All cookies are now blocked.

Flash manages cookies directly. To manage flash cookies : http://www.macromedia.com/support/do...manager02.html

~ Thanks benny bronx

Javascript/Flash

Javascript/Flash are a cross platform programing languages commonly used on the web. They add functionality, but also allow browser hijacks.

Install NoScript

To configure, right click on the NoScript icon (lower right) and select options.

Optimize Google

That's right, google is feeding you adds

Install this extension.

Optimize Google

Then :

Tools -> Optimize Google Options

Go through each category on the Left and tic off "Remove Adds" (and anything else you might like).

Another great extension (IMO) is googleefree . This is not really an extension, it is a google search bar that excludes Expert Exchange (that annoying service you have to join to see solutions).

Phishing

Phishing is, in a nut shell, spoofing a web site or an attempt to fool users to divulge personal information.

Wikipedia Phishing

There are several Firefox extensions to consider, Web of Trust is one example.

Web of Trust

Secure Private Data

Go to your Firefox menu -> Preferences -> Security Tab

Set a "Master Password". This will protect others from displaying your passwords. If you have a sensitive password like to the Ubuntu Forums or your Bank, BEST NOT TO STORE IT AT ALL.

Hey, while you are there, check out the password strength meter.
Install SafeHistory.

Safe History functionality is built into Firefox 3.5.x and is configured under Options -> Privacy tab -> use custom settings (select this option from the pull down menu).

You may also configure Firefox , in about:config, to disable the use of an offline cache.

browser.cache.offline.capacity 0
browser.cache.offline.enable false
Install SafeCache to be safer against CSRF attacks.
As of Firefox 3.5 there is an option for Private browsing

~ Thanks FaBi3ttO

How to Whitelist

OK, now you will likely find Firefox somewhat restrictive. The goal here is to allow "normal" functioning. In order to log into forums or your banking sites we need to allow Cookies and Java. We will do this ONLY for specific sites we trust via white lists.

Cookies - Firefox options -> Privacy tab

Copy the Ubuntu url from your browser : http://ubuntuforums.org/

Go to "Cookies" -> click the "Exceptions" button -> paste ubuntu url -> click "Allow for session"

For secure sites like Banking you will need to allow multiple url (https), usually one from the home page, then one from the log in page, and sometimes from the next page as well. So if you are having problems, keep adding url to the white list.
Java - Right click on the NoScript icon -> Allow Ubuntu.com

Repeat these steps until you have added your sites and have the functionality you need.

Use Apparmor Profile

As of Ubuntu 9.10 there is now a profile for Firefox. It is disabled by default, to enable it use the command :

Code:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5

The default profile may be a bit too permissive in allowing access to home directories so I advise you review it.

Firefox profiles for older versions of Ubuntu can be found here

Apparmor is beyond this thread, but see these two threads :

[all variants] Introduction to AppArmor - Ubuntu Forums

Share your AppArmor Profiles

How to Surf Anonymously ~ Privoxy/TOR

Privoxy / TOR can significantly increase your privacy, but at a cost of reduced speed. Please note however, that these services DO NOT offer complete anonymity.

Ubuntu wiki TOR

http://wiki.noreply.org/noreply/TheO...er/TorOnDebian

If you use TOR and have the capacity, consider contributing a TOR server (a few more servers would speed things up for everyone).

http://en.linuxreviews.org/HOWTO_setup_a_Tor-server

Tor is not the only option, there are other privacy proxies available to a google search.

Privacy

Privacy is a separate but related issue and I added a page on my blog to get you stared:

Internet Privacy

Peace be with you,

bodhi.zazen

nikoPSK

very nice. I like it. There a bunch of speed tweaks as well I'm planning on writing about.

limac · 08:19 PM

great post bodhi, sure is going to be helpful around here! Especially the "Secure Private data" part. really helpful

regards,
limac

FaBi3ttO

Really good post.
I also use SafeCache
to be safer against CSRF attacks.

bodhi.zazen

Quote:

Originally Posted by FaBi3ttO

Really good post.
I also use SafeCache
to be safer against CSRF attacks.

Thanks I will add that link to the list.

nowshining · 11:02 PM

all safe cache does is disable cache - it makes it where each time u download something u'll have to re-download it..

as for others

u can also

about:config
find:

A: network.http.sendRefererHeader > set this to 0 to disable referell - note some sites may require it - but few sites do - if u get probs, just reset it, and keep the tab open, do what u need and re-set it to 0. What this does is keep sites from knowing what sites u last visited.

B: network.http.sendSecureXSiteReferrer > set to false

C: network.jar.open-unsafe-types > make sure this is set to false

D: Download Contrle de scripts from the add-on site, this allows easier acces to only allow certain pop-ups, clicks, etc.. in other words certain pop-up types, go into prefs of the program and set the following:

Under allow scripts to - uncheck all,

go to the popups tab

Under allowed events only the following should be: click. dblclick, submit

Then press ok.

E: in about:config find browser.preferences.advanced.selectedTabIndex > set this to 2

Determines which tab in the Advanced section of the preferences is visible.
0 (default): General
1: Update
2: Security

bodhi.zazen

Thanks nowshining , keep the tips coming

SOULRiDER

I especially liked the Tor part, i had been wondering how to use Tor for a while but never really bothered to look for info on how to do it

nikoPSK

Quote:

Originally Posted by SOULRiDER

I especially liked the Tor part, i had been wondering how to use Tor for a while but never really bothered to look for info on how to do it

using tor seems a bit over the edge, but I guess that's how bad some things are... :[

Pyre_Vulpimorph

Concerning master passwords, how do you rate the FireFox Add-On, Password Maker, the one with the LotR-esque catchphrase "one password to rule them all"?

It claims to be uncrackable, but I'm sceptical about such claims.

January 18th, 2008	#1
bodhi.zazen Ubuntu Guru Join Date: Apr 2006 Location: Montana My beans are hidden! Xubuntu Development Release	How to Secure Firefox How to Secure Firefox Intro: What we are going to do is secure Firefox by blocking cookies and Java, then adding only trusted sites via a "White List" (White list = exceptions). bodhi.zazen: Updated 1/12/1010 Contents: Adblock. Cookies. Customize Google. Java/Flash (NoScript). Phishing. Secure private data. Write an Apparmor Profile. Using Firefox, ie how to generate white lists. Appendix: Surf Anonymously ~ Privoxy/TOR Other Privacy issues Adblock We have three options here, Hosts file, Firefox extensions, or proxy servers. Hosts file. I prefer a hosts file as it protects more then just Firefox. Here is how I do a hosts file : http://ubuntuforums.org/showthread.php?t=241460#2 Direct link to hosts file Firefox extension : Adblock Plus Proxy servers. Proxy servers may be used to increase privacy as well (see TOR) and come in several flavors, caching and non-caching. In general, caching is not needed as Firefox uses it's own cache. Configuration of each and every proxy server and configuring a firewall so that a proxy as "transparent" is beyond this post (transparent means you have configured your network so that users do not have to manually configure Firefox and in general involve a hardware firewall + a squid server). As an example See here IMHO, for single user desktops, I advise Adblock Plus. IMHO, in a multi user environment or on a LAN, I advise a proxy server. Privoxy is a very popular option. Code: sudo apt-get install privoxy Privoxy is fast, light, and has adblocking "built in". See "bfilter" below for how to configure Firefox to use a proxy. Bfilter. As of Ubuntu 9.10 bfilter is no longer supported in the ubuntu repositories. You may still install bfilter using Autopackage. Autopackage installs the bfilter-gui. Bfilter runs on windows as well (portable, nice when you are using a guest computer). Bfilter is easy to install and configure. Code: sudo apt-get install bfilter To configure, open Firefox preferences -> Advanced tab -> Network tab -> now click the "settings" box. Use 127.0.0.1 port 8080 as a proxy (see screen shot) Squid. Squid can be used for adblocking and has several advanced features. See also DansGuardian. If you need a few pointers on Dansguardian or configuring an invisible proxy, see also : How to transparent proxy Web content filtering made easy Cookies Go to your Firefox menu -> Preferences -> Privacy Tab UNSELECT "Accept cookies from sites" All cookies are now blocked. Flash manages cookies directly. To manage flash cookies : http://www.macromedia.com/support/do...manager02.html ~ Thanks benny bronx Javascript/Flash Javascript/Flash are a cross platform programing languages commonly used on the web. They add functionality, but also allow browser hijacks. Install NoScript To configure, right click on the NoScript icon (lower right) and select options. Optimize Google That's right, google is feeding you adds Install this extension. Optimize Google Then : Tools -> Optimize Google Options Go through each category on the Left and tic off "Remove Adds" (and anything else you might like). Another great extension (IMO) is googleefree . This is not really an extension, it is a google search bar that excludes Expert Exchange (that annoying service you have to join to see solutions). Phishing Phishing is, in a nut shell, spoofing a web site or an attempt to fool users to divulge personal information. Wikipedia Phishing There are several Firefox extensions to consider, Web of Trust is one example. Web of Trust Secure Private Data Go to your Firefox menu -> Preferences -> Security Tab Set a "Master Password". This will protect others from displaying your passwords. If you have a sensitive password like to the Ubuntu Forums or your Bank, BEST NOT TO STORE IT AT ALL. Hey, while you are there, check out the password strength meter. Install SafeHistory. Safe History functionality is built into Firefox 3.5.x and is configured under Options -> Privacy tab -> use custom settings (select this option from the pull down menu). You may also configure Firefox , in about:config, to disable the use of an offline cache. browser.cache.offline.capacity 0 browser.cache.offline.enable false Install SafeCache to be safer against CSRF attacks. As of Firefox 3.5 there is an option for Private browsing ~ Thanks FaBi3ttO How to Whitelist OK, now you will likely find Firefox somewhat restrictive. The goal here is to allow "normal" functioning. In order to log into forums or your banking sites we need to allow Cookies and Java. We will do this ONLY for specific sites we trust via white lists. Cookies - Firefox options -> Privacy tab Copy the Ubuntu url from your browser : http://ubuntuforums.org/ Go to "Cookies" -> click the "Exceptions" button -> paste ubuntu url -> click "Allow for session" For secure sites like Banking you will need to allow multiple url (https), usually one from the home page, then one from the log in page, and sometimes from the next page as well. So if you are having problems, keep adding url to the white list. Java - Right click on the NoScript icon -> Allow Ubuntu.com Repeat these steps until you have added your sites and have the functionality you need. Use Apparmor Profile As of Ubuntu 9.10 there is now a profile for Firefox. It is disabled by default, to enable it use the command : Code: sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5 The default profile may be a bit too permissive in allowing access to home directories so I advise you review it. Firefox profiles for older versions of Ubuntu can be found here Apparmor is beyond this thread, but see these two threads : [all variants] Introduction to AppArmor - Ubuntu Forums Share your AppArmor Profiles How to Surf Anonymously ~ Privoxy/TOR Privoxy / TOR can significantly increase your privacy, but at a cost of reduced speed. Please note however, that these services DO NOT offer complete anonymity. Ubuntu wiki TOR http://wiki.noreply.org/noreply/TheO...er/TorOnDebian If you use TOR and have the capacity, consider contributing a TOR server (a few more servers would speed things up for everyone). http://en.linuxreviews.org/HOWTO_setup_a_Tor-server Tor is not the only option, there are other privacy proxies available to a google search. Privacy Privacy is a separate but related issue and I added a page on my blog to get you stared: Internet Privacy Peace be with you, bodhi.zazen __________________ A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999 Last edited by bodhi.zazen; January 6th, 2011 at 03:25 PM..

January 18th, 2008	#2
nikoPSK Chocolate-Covered Ubuntu Beans Join Date: Sep 2007 Location: Victoria, BC Beans: 2,265 Ubuntu 8.04 Hardy Heron	Re: How to Secure Firefox very nice. I like it. There a bunch of speed tweaks as well I'm planning on writing about.

January 18th, 2008	#3
limac Ubuntu Extra Shot Join Date: Oct 2007 Location: USA Beans: 354	Re: How to Secure Firefox great post bodhi, sure is going to be helpful around here! Especially the "Secure Private data" part. really helpful regards, limac Last edited by limac; January 18th, 2008 at 08:19 PM..

January 28th, 2008	#4
FaBi3ttO 5 Cups of Ubuntu Join Date: Jul 2005 Location: Sprawl Beans: 21 Ubuntu 7.10 Gutsy Gibbon	Re: How to Secure Firefox Really good post. I also use SafeCache to be safer against CSRF attacks.

January 28th, 2008	#6
nowshining Chocolate Ubuntu Mocha Blend Join Date: Apr 2006 Location: No Comment Beans: 1,733 Kubuntu 7.10 Gutsy Gibbon	Re: How to Secure Firefox all safe cache does is disable cache - it makes it where each time u download something u'll have to re-download it.. as for others u can also about:config find: A: network.http.sendRefererHeader > set this to 0 to disable referell - note some sites may require it - but few sites do - if u get probs, just reset it, and keep the tab open, do what u need and re-set it to 0. What this does is keep sites from knowing what sites u last visited. B: network.http.sendSecureXSiteReferrer > set to false C: network.jar.open-unsafe-types > make sure this is set to false D: Download Contrle de scripts from the add-on site, this allows easier acces to only allow certain pop-ups, clicks, etc.. in other words certain pop-up types, go into prefs of the program and set the following: Under allow scripts to - uncheck all, go to the popups tab Under allowed events only the following should be: click. dblclick, submit Then press ok. E: in about:config find browser.preferences.advanced.selectedTabIndex > set this to 2 Determines which tab in the Advanced section of the preferences is visible. 0 (default): General 1: Update 2: Security Last edited by nowshining; January 28th, 2008 at 11:02 PM..

January 29th, 2008	#7
bodhi.zazen Ubuntu Guru Join Date: Apr 2006 Location: Montana My beans are hidden! Xubuntu Development Release	Re: How to Secure Firefox Thanks nowshining , keep the tips coming __________________ A person with ubuntu is open and available to others, affirming of others, does not feel threatened that others are able and good, for he or she has a proper self-assurance that comes from knowing that he or she belongs in a greater whole and is diminished when others are humiliated or diminished, when others are tortured or oppressed. ~ Archbishop Desmond Tutu, 1999

January 29th, 2008	#8
SOULRiDER May the Ubuntu Be With You! Join Date: Aug 2006 Location: Uruguay Beans: 1,645	Re: How to Secure Firefox I especially liked the Tor part, i had been wondering how to use Tor for a while but never really bothered to look for info on how to do it

February 22nd, 2008	#10
Pyre_Vulpimorph 5 Cups of Ubuntu Join Date: Feb 2008 Location: California Beans: 19 Ubuntu 7.10 Gutsy Gibbon	Re: How to Secure Firefox Concerning master passwords, how do you rate the FireFox Add-On, Password Maker, the one with the LotR-esque catchphrase "one password to rule them all"? It claims to be uncrackable, but I'm sceptical about such claims.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode