  • 3000003: Firefox – additional security, telemetry and privacy tweaks

    This topic contains 27 replies, has 10 voices, and was last updated by  Microfix 1 week, 1 day ago.

    • #94462 Reply

      woody
      Da Boss

      AKB3000003: Firefox – additional security, telemetry and privacy tweaks

      By @microfix

      Published 15 Feb 2017 rev 1.1

      These tweaks are for both Windows and Linux Firefox browsers:

      Edit by NightOwl:

      Forgot the 1st rule in computing..backup, backup before making changes.

      Thanks PKCano, Can you put your backup comment at the start of the tweak tutorial?

      The Firefox profile is in C:\Users\”UserID”\AppData\Roaming\Mozilla\Firefox\Profiles\”an arbitrary numeric string”\ – it contains bookmarks, settings, add-ons, extensions, features, etc.

      You need to back up your Firefox pre-changes Profile before making changes, in case something unexpected goes wrong when making changes, so you can restore your pre-changes Profile if something has gone wrong!

      Open up Firefox and in the address bar type: about:config
      A popup will appear, ‘Here be Dragons’; accept the risks and proceed.
      Then in the filter search either copy and paste the string or edit the value.
      To change string values, double-click the string to change.

      Security: Additional browser security
      For the LOGJAM vulnerability follow the steps below:
      1) Type: security.ssl3.dhe_rsa_aes_128_sha set to FALSE
      2) Type security.ssl3.dhe_rsa_aes_256_sha set to FALSE

      Disable SSL 3.0 to be immune from the POODLE attack:
      1) Type: security.tls.version.min set to 1 to enforce TLS.
      2) Type: security.tls.version.max set to 3, which enables TLS 1.1 and 1.2 (default in FF v50+)

      Telemetry blocking:
      1) Type: toolkit.telemetry.unified set to FALSE
      2) Type: toolkit.telemetry.archive.enabled set to FALSE
      3) Type: toolkit.telemetry.enabled set to FALSE
      4) Type: datareporting.policy.dataSubmissionEnabled set to FALSE
      5) Type: datareporting.policy.dataSubmissionEnabled.v2 set to FALSE (Pre v50 firefox)
      6) Type: datareporting.healthreport.uploadEnabled set to FALSE

      Additional Privacy Tweaks:
      1) Type: browser.privatebrowsing.autostart set to TRUE (if you prefer private browsing all the time)
      2) Type: dom.event.clipboardevents.enabled set to FALSE (hides Copy & Paste from Website tracking)
      3) Type: dom.storage.enabled set to FALSE (prevent DOM Storage tracking by websites) Refer to #95310 for caution
      4) Type: geo.enabled set to FALSE (geolocation prevention via websites, explicit or not)
      5) Type: geo.wifi.uri set to 127.0.0.1 (Loopback related to geolocation and not to google host)
      6) Type: privacy.trackingprotection.enabled set to TRUE (enables a blocklist via disconnect on cross site tracking)

      Disclaimer: I am not responsible for borking your Firefox, try these at your own risk.
      I can assure you that they all work on our live and VM systems.

      • This topic was modified 2 months, 1 week ago by  woody.
      • This topic was modified 2 months, 1 week ago by  Kirsty.
      • This topic was modified 2 months, 1 week ago by  NightOwl.
      1 user thanked author for this post.
      bjm
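
Added example (not part of the original post or of Firefox itself): a Python script that checks a profile's prefs.js against the Security and Telemetry values listed in the post above. The function names and the sample file content are constructed for illustration.

```python
import json
import re
import sys

# Values from the Security and Telemetry lists in the post above.
RECOMMENDED = {
    "security.ssl3.dhe_rsa_aes_128_sha": False,
    "security.ssl3.dhe_rsa_aes_256_sha": False,
    "security.tls.version.min": 1,
    "security.tls.version.max": 3,
    "toolkit.telemetry.unified": False,
    "toolkit.telemetry.archive.enabled": False,
    "toolkit.telemetry.enabled": False,
    "datareporting.policy.dataSubmissionEnabled": False,
    "datareporting.healthreport.uploadEnabled": False,
}
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref(...) line of prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comment or blank line
        try:
            # true/false, integers and quoted strings are valid JSON literals
            prefs[m.group(1)] = json.loads(m.group(2))
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep anything else as raw text
    return prefs

def audit(text, recommended=RECOMMENDED):
    """Map each recommended pref to 'ok', 'differs' or 'unset'."""
    actual = parse_prefs(text)
    report = {}
    for name, want in recommended.items():
        if name not in actual:
            # prefs.js stores only non-default values: the default applies here.
            report[name] = "unset"
        elif type(actual[name]) is type(want) and actual[name] == want:
            report[name] = "ok"  # type check: in Python, True == 1
        else:
            report[name] = "differs"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE = """// Mozilla User Preferences
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
user_pref("toolkit.telemetry.enabled", true);
user_pref("datareporting.healthreport.uploadEnabled", false);
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for name, status in audit(text).items():
        print(f"{status:8} {name}")
```

Run it with the path to a profile's prefs.js as the only argument; with no argument it audits the constructed sample. A result of "unset" means the preference is absent from prefs.js, so the built-in default is in effect and should be confirmed in about:config.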
    • #94469 Reply

      Kirsty
      AskWoody MVP

      Is there a way to backup/restore for the current settings before making adjustments, and is there a “factory reset” option, to return to default settings, should things go awry?

      • #94472 Reply

        JNP
        AskWoody Lounger

        Kirsty, I don’t know if there is a formal way to back up the config, but what you can certainly do is go into the Mozilla/Firefox Profiles folder, make a copy of your profile and then, if things go off, you can simply use this “copy” to go back to your previous state.

        5 users thanked author for this post.
        • #94475 Reply

          ch100
          AskWoody MVP

          That is the official way.

          2 users thanked author for this post.
        • #94561 Reply

          Kirsty
          AskWoody MVP

          There is an add-on (of course) for backing up profiles.
          I’ve not tested just reinstalling one part of the profile, even though I do use it at work.

          1 user thanked author for this post.
          bjm
      • #94535 Reply

        PKCano
        AskWoody MVP

        The Firefox profile is in C:\Users\”UserID”\AppData\Roaming\Mozilla\Firefox\Profiles\”an arbitrary numeric string”\ – it contains bookmarks, settings, add-ons, extensions, features, etc.
        This is one of the MANY reasons for backing up the AppData folder (hidden by default, unfortunately). When people do backups, they often just do Documents, Pictures, Music (the things that are not hidden). But the AppData folder is SO important as well.
        When PCs are taken to shops to retrieve data from failing HDDs or non-bootable computers, this data is often not saved.

        • This reply was modified 2 months, 1 week ago by  PKCano.
        4 users thanked author for this post.
        • #94543 Reply

          Microfix
          AskWoody Lounger

          Thanks PKCano,
          Can you put your backup comment at the start of the tweak tutorial?
          Forgot the 1st rule in computing..backup, backup before making changes.(been a long day..)

          | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
            No problem can be solved from the same level of consciousness that created IT - AE
    • #94470 Reply

      Jayendra
      AskWoody Lounger

      hello n.n

      i have a question… what about plug-ins like Privacy Settings from Firefox add-ons, is it useful?
      thanks n.n

      • This reply was modified 2 months, 1 week ago by  Kirsty.
      • #94523 Reply

        Microfix
        AskWoody Lounger

        It’s a matter of personal preference really, not fond of extensions in Firefox.
        If any of the tweaks are duplicated, Privacy Settings will just enforce it again so no harm done there.
        The top two security tweaks are the most important LOGJAM & POODLE even if they are set correctly without changing them, it’s better to check anyway.

        | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
          No problem can be solved from the same level of consciousness that created IT - AE
        2 users thanked author for this post.
      • #95659 Reply

        anonymous

        This plugin sets network.http.sendSecureXSiteReferrer to false, which breaks AliExpress login.
        Removing this plugin doesn’t turn the settings back; they must be done by hand.

        • #95672 Reply

          Microfix
          AskWoody Lounger

          Which is why I’m not fond of plugins or extensions 😉

          | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
            No problem can be solved from the same level of consciousness that created IT - AE
    • #94480 Reply

      anonymous

      ? says:
      Thanks for the heads up everyone appreciates all the extra security we can get these days…
      I’m running persistent live cd usb’s so i’m not too worried about any more borking than I already do for myself. I ran all the telemetry blocking after you let us know about it the other day and no problems, so far.
      Check with our security loving German compatriot Martin Brinkmann’s Ghacks.net for three more:

      http://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/

      the way i’m running (on purpose) makes worries about viruses non existent
      the big eye in the sky can look all it wants (it is going to anyway) so when i’m feeling extra frisky and bored i will lead it back onto itself… kinda like the endless loop (yes i did) on the old mainframe arpanet… see: https://en.wikipedia.org/wiki/ARPANET if interested.
      anyway, enough from me (for now) and thanks again for having my back whilst on our journey riding the wild interweb today…

    • #94520 Reply

      anonymous

      I followed all the suggestions and it seems that all but one of my dozens of open tabs work normally. However, feedly.com gave me the dreaded “Oops. Something went wrong!” page. As feedly is my most accessed site, I may have to copy back my saved profile. Bummer! BTW, it is not that feedly is coincidentally having problems, as it shows up OK in Chrome.
      Any ideas which of the many settings may have borked feedly?
      kk

      • #94530 Reply

        Microfix
        AskWoody Lounger

        It’s more than likely an Additional Privacy Tweak, just default the settings for
        2 TRUE, 3 TRUE & 6 FALSE then try again.
        Implement one at a time and check it works (process of elimination)

        | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
          No problem can be solved from the same level of consciousness that created IT - AE
        • #94539 Reply

          anonymous

          Thank you so much! I switched #2 with no effect, then tried #3 and it worked! I went back and put #2 back to the suggested security setting, and feedly still worked. Thanks again. Time for a visit to PayPal.
          kk

          2 users thanked author for this post.
          • #94546 Reply

            Kirsty
            AskWoody MVP

            Thks kk – much appreciated!
            🙂

    • #94536 Reply

      anonymous

      It might also be worth unticking ‘play drm content’ if you’re not using it. I also unticked the ‘block dangerous and deceptive content’ option under security because that communicates back to the google mothership – https://support.mozilla.org/t5/Protect-your-privacy/How-does-built-in-Phishing-and-Malware-Protection-work/ta-p/9395 – i have enough other protections in place for me not to be too concerned with this but ymmv.

      -T

    • #94549 Reply

      Noel Carboni
      AskWoody MVP

      Nice job. For those of us not intimately familiar with FireFox it’s nice to have a targeted list with some explanations.

      -Noel

      1 user thanked author for this post.
    • #94587 Reply

      Jayendra
      AskWoody Lounger

      The top two security tweaks are the most important LOGJAM & POODLE even if they are set correctly without changing them, it’s better to check anyway.

      thanks for the advice n.n/
      i’m using FF ESR and logjam “problem” is present, now is fixed (yeah).
      (somebody maybe ask… why i’m using esr? it’s because i feel more stable than “normal” version)

    • #94763 Reply

      rc primak
      AskWoody Lounger

      Backing Up Firefox Profiles both when Firefox and its Extensions are Available and when Firefox and its Extensions are Not Available:

      For Windows, Mac and Linux, these instructions look good:
      https://www.howtogeek.com/255587/how-to-find-your-firefox-profile-folder-on-windows-mac-and-linux/

      What differs is the exact location of the Mozilla or Firefox Profile Directories, and the kinds of permissions and hidden attributes which need to be considered for a successful copy-paste backup procedure.

      Good storage options include a separate partition, a USB device, or an external drive. Preferably with an extra copy on an external drive just in case.

      Both backing up and restoring are simple copy-paste operations.

      BTW, Firefox and Chrome, Edge and Internet Explorer, all by default now exclude the insecure cipher sets which logjam and poodle relied on. No internal tweaking is required unless you are using a site which still relies on older, insecure cipher suites. Which no one should be doing now. The same applies to the TLS and SSL settings involved in these attacks.

      I personally do use Ghostery, Abine Blur, HTTPS Everywhere and an extension to block HTML autoplay, for security and privacy. If NoScript is added, pretty much all telemetry and DOM and persistent cookie tracking can be blocked. (This involves using some Extension settings which are not set by default. Also, Click And Clean Extension has some settings panels, but these are more useful for Chrome — see below — than for Firefox.)

      Tweaking the Firefox config. settings may bork the browser or make some sites unusable, so this is not my recommended action. It’s a lot easier to reset, suspend or disable an extension than to reconfigure a borked config. file.

      RELATED ABOUT CHROME SETTINGS:
      We should develop a KB article here about the changes in Chrome 57 with regard to Flash Player and Plugins controls. Most former Chrome Plugins have been moved to Extensions. There are also security settings which have been moved into little icons in the Location Bar in Chrome 57.

      These changes have caused a lot of finger-pointing, false accusations of loss of user controls and general confusion among Chrome users. I am still sorting through these Chrome changes. And unlike Firefox, if you mess with the Chrome configuration settings, you have no easy way to back up and restore these settings. Which is why the Chrome://Plugins page is no longer available to users.

      -- rc primak

      • This reply was modified 2 months, 1 week ago by  rc primak. Reason: add specific details
    • #94807 Reply

      Jayendra
      AskWoody Lounger

      hello n.n
      what about the “about:telemetry” option? does it help with anything?
      sorry for many questions…

      • #94813 Reply

        Microfix
        AskWoody Lounger

        about:telemetry is a checklist of all telemetry data within Firefox being sent to Mozilla.
        Ideally (as I have), all the fields have (no data collected) indicating nothing being sent.

        There are many other informative about protocols listed below:

        about:about takes you directly to all of these in link form.

        about: Displays version and build information and links to the contributors, licensing information and build configuration
        about:accounts Page used by the Sync feature
        about:addons Add-ons Manager
        about:app-manager App Manager
        about:buildconfig Displays the configuration and platform used to build Firefox
        about:cache Displays information about the memory, disk, and appcache
        about:compartments Displayed information about compartments; since Firefox 26, that information can be found in the “Other Measurements” section of about:memory.
        about:config Provides a way to inspect and change Firefox preferences and settings
        about:crashes Lists all crashes, which happened during the runtime of Firefox (in case the user enabled the crash reporter)
        about:credits Lists all contributors to the Firefox project
        about:customizing Switches to the customization page, which allows to customize Firefox’ UI
        about:downloads Displays all downloads done within Firefox
        about:healthreport Displays performance information of Firefox (in case the user enabled the health report)
        about:home Start page of Firefox when opening a new window
        about:license Displays licensing information
        about:logo Firefox logo
        about:memory Provides a way to display memory usage, save it as report and run the GC and CC
        about:mozilla Special page showing a message from “The Book of Mozilla”
        about:networking Displays networking information
        about:newtab Start page when opening a new tab
        about:permissions Provides a way to display and manage website permissions. Removed in Firefox 45 (bug 933917)
        about:plugins Displays information about installed plugins
        about:preferences Firefox settings (also available through Firefox menu > Options)
        about:privatebrowsing Start page when opening a private window
        about:reader Indicates a web page has Firefox Reader View turned on. See Firefox Reader View for clutter-free web pages
        about:rights Displays rights information
        about:robots Special page showing notes about robots
        about:sessionrestore Session restoration (displayed after a Firefox crash)
        about:support Troubleshooting information (also available through Firefox menu > ? (question mark) > Troubleshooting Information)
        about:sync-log Displays a synchronization protocol related to the Sync feature
        about:sync-progress Page displayed after the Sync feature got set up
        about:sync-tabs Lists tabs available for synchronization related to the Sync feature
        about:telemetry Displays telemetry data collected and sent to Mozilla while Firefox is running (in case the user enabled telemetry)
        about:webrtc Information about WebRTC usage
        about:welcomeback Information page displayed after Firefox is reset

        | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
          No problem can be solved from the same level of consciousness that created IT - AE
        • This reply was modified 2 months, 1 week ago by  Microfix.
        • This reply was modified 2 months, 1 week ago by  Microfix.
        • This reply was modified 2 months, 1 week ago by  Microfix. Reason: formatting and more info
        3 users thanked author for this post.
    • #95278 Reply

      Kirsty
      AskWoody MVP

      Re: Additional Privacy Tweaks #5

      geo.wifi.uri set to 127.0.0.1

      My setting is [http://localhost:8888/]
      Does this need to be changed?

    • #95310 Reply

      Microfix
      AskWoody Lounger

      Additional Privacy Tweaks Note 3):
      Setting the ‘dom.storage.enabled’ entry to false can “break” some websites as they are reliant on DOM storage tracking.
      Changing this setting should therefore be done with caution.
      If you have done this and find a website does not display, revert the setting back to default.

      | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
        No problem can be solved from the same level of consciousness that created IT - AE
      • This reply was modified 2 months, 1 week ago by  Microfix.
    • #109333 Reply

      Microfix
      AskWoody Lounger

      An additional security tweak for a link issue which has recently resurfaced using language coding for weblinks.

      The problem: Some letters in other languages like Cyrillic are different but look almost identical. You can get identical-looking versions of “a”, “B”, “c”, “i”, “l”, “O” and “p,” among others.

      So by combining the codes for these other letters with non-coded letters you can appear to spell out a word like “apple,” therefore tricking people into visiting a different website from the one they think they are visiting.

      To avoid this go to:

      about:config

      set the following string to TRUE

      network.IDN_show_punycode

      Source: Here

      In depth info: Link

      | x64 Group B: W7 Pro & W8.1 Pro | | x64 Group W: 3 x Linux Hybrids |
        No problem can be solved from the same level of consciousness that created IT - AE
      • This reply was modified 1 week, 1 day ago by  Microfix.
      • This reply was modified 1 week, 1 day ago by  Microfix. Reason: in depth info link added
      2 users thanked author for this post.
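
Added example (not from the original post): what the address bar shows for a lookalike hostname once network.IDN_show_punycode is TRUE, plus a check for labels that mix scripts. It uses Python's standard-library IDNA 2003 codec; the hostnames and function names are constructed for illustration.

```python
import unicodedata

def scripts_in(label):
    """Scripts used by the letters of one hostname label."""
    # The first word of a letter's Unicode name is its script for the common
    # cases here (LATIN, CYRILLIC, GREEK, ...); digits and hyphens are skipped.
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def punycode_form(hostname):
    """ASCII (xn--) form of the hostname, as shown when the pref is TRUE."""
    return hostname.encode("idna").decode("ascii")

def inspect_host(hostname):
    """Summarise how a hostname would look and whether any label mixes scripts."""
    labels = hostname.split(".")
    return {
        "ascii": punycode_form(hostname),
        "is_idn": any(not label.isascii() for label in labels),
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
    }

# Constructed hostnames. "\u0430" is CYRILLIC SMALL LETTER A, which renders
# like the Latin "a" in most fonts.
LOOKALIKE = "\u0430pple.com"
PLAIN = "apple.com"
# A label written entirely in Cyrillic: not mixed-script, but still an IDN,
# so it is also displayed in xn-- form when the pref is TRUE.
SINGLE_SCRIPT = "\u043f\u0440\u0438\u043c\u0435\u0440.example"

if __name__ == "__main__":
    for host in (PLAIN, LOOKALIKE, SINGLE_SCRIPT):
        info = inspect_host(host)
        print(f"{host!r:40} -> {info['ascii']:24} "
              f"idn={info['is_idn']} mixed={info['mixed_script_labels']}")
```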
