Firefox - Change These For Better Privacy - Security

Here are some things I'd like to discuss to help improve Firefox security and privacy.

1. Firefox feature - 'Tell websites I do not want to be tracked' - (good feature?)

2. HTTP Authentication Headers - (What can we do to change this?)

3. Cache E-tags - (What can we do to change this?)

4. HTTP Session - (What can we do to change this?)

5. User-Agent - (What can we do to change this?)


Share what you know...


THANKS

 

This setting sets the variable HTTP_DNT=1 in your browser's HTTP header. I'd say it's a good feature for compliant websites that actually obey the rule, but it certainly won't protect you from the majority of rogue sites that simply choose to ignore it.

Not sure what the specific threat is here... please elaborate.

Nothing, unfortunately... other than perhaps disabling the Firefox cache altogether (which would be impractical for the majority of users). But as long as you make a habit of emptying your browser cache regularly, those E-Tags will not persist for too long.

See #2

You can manually set the preference "general.useragent.override" in about:config. Or, you can use an add-on such as User Agent Switcher to accomplish this task. Keep in mind, the goal should be to have a generic User Agent, so as to blend in with everyone else. What you don't want to do is set an unusual or unique User Agent, because that will make you stick out like a sore thumb (which defeats the purpose entirely). In my case, I already have a very common OS and browser version, so I just prefer to leave this setting alone.

 

HTTP Authentication Headers - Many browsers allow web sites to send hidden authentication data to third party sites. We want to protect against tracking from third party HTTP authentication headers. By the way Tor resolves this problem, so there must be a way for people to do the same in Firefox.

Cache E-tags - We don't want to cache any third party content. Tor has resolved this, so I say there must be a way to do this also in Firefox.

HTTP Session - The longer the session lasts, the easier it is to identify you. Tor changes your identity to resolve this, so there must be a way to do this also in Firefox.


THANKS

 

For issues #1 and 3 you might want to try the add-on anonymoX. I've tried it for selected sites and its performance is okay. I'm not sure if it takes care about e-tags. However, Modify Headers is reported to be able to remove e-tags - I haven't checked that, though.

EDIT: Other measures/add-ons have been often mentioned in other threads. Using Noscript is also recommended if it comes to privacy. Other examples are Refcontrol, Cookie Monster and Better Privacy.

 

Or, you could use TAILS (The Amnesia Incognito Live System).

You could even swap some of the TAILS definitions of the Iceweasel (Firefox) profile prefs.js file (regarding your about:config values) if you are willing to do the work, and then change your everyday Firefox profile in that way.

-- Tom

 

DasFox have you tried the open source JonDoFox browser? It can address many of your concerns unless your focus is determine how to about:config any FF to do the same.

https://anonymous-proxy-servers.net/en/jondofox.html

If you want to see what information your browser is leaking http://ip-check.info/?lang=en is one of the best browser tests out there.

 

Sorry for any confusion, I was looking for ways to edit these things within Firefox, not use addons or any other software....

I just thought all of these things could be taken care of in about:config


THANKS

 

I said in post #4 that Modify Headers is reported to be able to remove etags - but this is definitely NOT true. Modify Headers can only modify/add/filter request headers but NOT response headers like ETags.

According to its developer the addon BetterCache checks or modifies Etags and other response headers. However, I have no idea how exactly BetterCache does that and if it's really able to remove ETags. The same applies to another FF addon, Tamperdata.

 

While we're on this subject here are some things I have figured out how to do, to improve things. Number 2 by the way takes care of the E-Tags...

1. How to edit the User Agent string

To change the User Agent string, just enter about:config as an address in the address bar of FireFox, the location where you normally enter a URL (link). I recommend to preserve the original value, which you can get when you enter just about: in the address bar.

Now press the right mouse button to get the context menu and select "String" from the menu entry "New". Enter the preference name "general.useragent.override", without the quotes. Next, enter the new User Agent value you want Mozilla Firefox to use. Check the new value by entering about: in the address bar.


2. How to completely disable FireFox cache

Web caching is great, there's no doubt about it. Even in the days of 50Mb broadband, caching stuff still speeds things up no end.

Here's how to disable FireFox's browser cache completely.

Fire up FireFox
Type about:config in your address bar
Type `cache' in the search bar, and look for network.http.use-cache, and double click it to set it to false. Double clicking it again will set it to true and re-enable the cache


3. You can enable or disable the referrer from being reported to web sites that you visit with this Firefox tweak.

1. Type about:config in the address bar and press Enter.

2. Find the entry that says Network.http.sendRefererHeader and double-click on it.

3. Set the entry to one of the following:

0 - Disable referrer.
1 - Send the Referer header when clicking on a link, and set document.referrer for the following page.
2 - Send the Referer header when clicking on a link or loading an image.

 

@DasFox:

regarding 1: Yes, modifying User Agent can be done via about:config or via several addons. I doubt, though, that adding your name and your website really enhances privacy

regarding 2: Disabling caching seems to be a solution for ETags but it reduces speed. That's why I'm reluctant to do that. There are addons (SaferCache and SaferMemory) but, unfortunately, they are incompatible with newer FF versions.

regarding 3: Controlling Referrers via about:config is possible but I prefer RefControl as it's more flexible. I only block 3rd party requests as recommended on that site - allowing them for selected sites is easy if necessary. Generally blocking referrers breaks too many sites.

 

The way I deal with referrers is simply not to click on certain hyperlinks. If need be, I'll just do a "Copy Link Location" and manually paste the URL into the address bar--which effectively breaks the "referrer" functionality altogether. Most of the time it doesn't really matter though, especially if the hyperlink(s) are on a public site (such as this one)--in which case the privacy issue befalls on the owner of the originating web site, not the end user. The only example I can think of where referrers may be an issue is if the URL string of the originating web site contains some client-specific data, such as the address of your personal webmail account.

In most circumstances, however, I find that there's generally little or nothing to be gained (from a privacy standpoint) by blocking or obfuscating the real referrer.

 

tlu the name and your website for the user agent, actually someone mentioned that, my bad for not editing that out, I personally don't do this...

Yeah I'm not sure if hiding the referrer really improves anything CasperFace....


THANKS

 

Im running IE6 (MyIE2) and its as easy as opening my registry and going to that key and changing it

 

The problem with RefControl is that it's on a per-site basis...

To much work involved with this...

I'd rather have something that simply disables to all sites and simply enable it when needed....

 

But if you configure RefControl in such a way that it only blocks 3rd party requests (which is the critical thing regarding privacy) this doesn't break 99% of all websites. Thus, the exception list can be kept rather short in my experience.

 

This doesn't apply on HTTPS sites btw, you can switch network.http.sendSecureXSiteReferrer to false if you want to turn that off as well.

 

When I configure RefControl the "default for sites not listed" is "Block". No need to list specific sites. Wouldn't this provide the solution you are looking for or am I missing something?

 

So http.sendRefererHeader and network.http.sendSecureXSiteReferrer might be a good thing to do?

I was reading about that, forgot to ask, sounds like a catch all for everything not listed, so then we don't need to make up any rules if you just want a default that takes care of everything?

 

Yes. And from what I see on the help page for RefControl, you can "block all sites not listed" and then add the sites that need to have a referral to work to the list as "Normal". I have a few sites that do not work, but it is usually Ghostery blocking trackers rather than RefControl.

 

Now I'm trying to decide if it's really worth using, hehe...

 

I use the two addons for this:

Random User Agent (Changes user agent on open)

RefControl default send nothing.

 

Yeah RefControl quite easy and seems effective, just default and nothing...

 

I'm trying to get Firefox as close as possible in terms of security and privacy, like Tor, without the Tor network...

I'm using the JonDonym IP check for this;

http://ip-check.info/?lang=en

At this point in time I'm not sure if this is a good test or snake oil, but it does seem to be ok...

Here is Firefox on the test;

http://i.imgur.com/HEWnu.png

Here is Tor on the test;

http://i.imgur.com/95jsu.png

For Firefox I'm still trying to figure out how to get these green; (I'm not sure how Tor is doing this).

Signature
User-Agent
Language
Charset
Content types


THANKS

 

Hi DasFox,

The difference between, e.g. TAILS (which uses Tor in the Firefox Debian derivative named IceWeasel and Firefox) is in the prefs.js file which exists in the Firefox profile directory. For Linux, the profile directory is in /home/<account>/.mozilla in the subdirectory:
~<account>/.mozilla/firefox/*.default

For Windows or Mac OS X, you will have to consult the Firefox Knowledge database for information at: https://support.mozilla.com/en-US/kb/Profiles to find its location.

-- Tom

 

Hello DasFox, I understand you completely.

In order to get green at ip-check.info anonymity check you may enter the following strings into about:config ;

For User-Agent search: general.useragent.override enter Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 into string value.

For Language search: intl.accept_languages enter en-us
into string value.

For Content types search: network.http.accept.default enter text/html,application/xml,*/*
into string value.

I'm still trying to figure out the others for ya. Good luck