bigbrosbitch 65 Posted ... /********* ULTIMATE HARDENED FIREFOX USER.JS* Combines changes outlined in ghacks.net and GitHub's hardened FF profiles as at October 2015. The GHacks version was used as the base profile,with additional Github privacy/settings inserted (marked with 'GITHUB' label). * Successfully tested with Linux FF 41.0.2 (Youtube etc).* All credits to the primary authors and many contributors from Github, GHacks Forums and Wilders Security Forums who did the hard yards.* Minor changes have been made by this author to further increase privacy and convenience e.g. no OCSP checks due to third parties involved,changes to cookie policies/behaviours, disabling of spdy, using all privacy options to clear data/cookies etc upon FF shutdown, enabling fullnative HTML5 support by default (and several others).* This entire text block should be saved to a new file named user.js********//********** The two original user.js profiles used to create this 'ultimate' privacy/security profile can be found here:* url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/* url: https://github.com/pyllyukko/user.js* This is NOT a "comprehensive" list of ALL things privacy/security-related, otherwise it would be enormous.* It is actually a long list of settings that generally differ from their defaults, and is aimed at improving security, privacy, a "quieter" FF,fingerprinting, and tracking - while allowing (most) functionality. There will be trade-offs and conflicts between these.* IMPORTANT STEPS:* Note: user.js - this OVER-WRITES any corresponding about:config entries on Firefox start if accidentally stored in the default folder!see: http://kb.mozillazine.org/User.js_file To avoid this problem, carefully follow the steps below:1. Create a new FF profile and directory to store this new version of user.js for testing purposes.* To create a new profile in GNU/Linux, the FF profile manager can be accessed via the terminal (Alt-F2): firefox -P* Create a new profile, give it a suitable name, and then shutdown FF.* To access the FF profile manager in other O/S and create new profiles, see simple Mozilla notes online.3. This entire text file should be saved as user.js and moved to the new profile directory you just created.* In GNU/Linux, run in terminal: ls .mozilla/firefoxYou will see that FF profiles are stored (hidden) under your home directory: ./mozilla/firefox* In Windoze, you need to drop the user.js file to %appdata%\Mozilla\Firefox\Profiles\XXXXXXXX.your_new_profile_name.* Do NOT touch the 'XXXXXX.default' profile directory or dump your new user.js in the default folder! You will lose all your current 'default' settings, bookmarksand other data!4. Restart Firefox and select your new profile at start-up. Voila! You now have a 'secure' profile available alongside your 'default' profile.* NOTE: BEFORE deciding to use this new user.js, you SHOULD actually read what the prefs do (information is provided, and links) and if necessary,change, remove or comment out with two forward slashes (//) any preferences you're not happy with or not sure about.* COMMON PROBLEMS: some prefs will break a number of popular sites (it's inevitable). In particular, these two settings below may need to be reset to defaults tostop breakage:security.OCSP.requiredom.indexedDB.enabled* ADDITIONAL FF CHANGES: Add-ons are also essential for safer browsing e.g. HTTPS Everywhere, No-Script & Canvas Blocker (stops HTML5 canvas/image dataextraction). Also strongly consider installing UBlock Origin, Privacy Badger, Self-destructing Cookies and Random Agent Spoofer as complimentary add-ons.* In preferences, set your default homepage to a search provider that doesn't track by default e.g. https://search.disconnect.me Consider also turning off hardwareacceleration as it is understood to be a possible attack vector (?), along with cached web content settings (set to zero MB).* Other general FF settings for better security - set all plug-ins to 'never activate' and do not install additional themes/services/languages. They are alllikely to be trackable identifiers, and plug-ins are further notorious for leaking lots of data about your system and protocols.*********/// STARTUP// 0100: STARTUP// 0101: disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser checkuser_pref("browser.slowStartup.notificationDisabled", true);user_pref("browser.slowStartup.maxSamples", 0);user_pref("browser.slowStartup.samples", 0);user_pref("browser.rights.3.shown", true);user_pref("browser.startup.homepage_override.mstone", "ignore");user_pref("startup.homepage_welcome_url", "");user_pref("startup.homepage_override_url", "");user_pref("browser.feeds.showFirstRunUI", false);user_pref("browser.shell.checkDefaultBrowser", false);// GEO// 0200: GEO// 0201: disable location-aware browsinguser_pref("geo.enabled", false);user_pref("geo.wifi.uri", "http://127.0.0.1");user_pref("browser.search.geoip.url", "");// 0202: disable GeoIP-based search results - https://trac.torproject.org/projects/tor/ticket/16254user_pref("browser.search.countryCode", "US");user_pref("browser.search.region", "US");// QUIET Fox Part 1// 0300: QUIET FOX [PART 1] - no (auto) phoning home for anything - you can still do manual updates// NOTE: It is still important to do updates for security reasons. If you don't auto update then make sure you do manually in a timely fashion// NOTE: There are many legitimate reasons for turning off AUTO updating, including hijacked moneytized extensions,// time contraints, legacy issues, and trepidation of breakage (easier to wait for others to report bugs)// 0301: disable browser auto updateuser_pref("app.update.enabled", false);// 0302: disable browser auto installing update when you do a manual checkuser_pref("app.update.auto", false);// 0303: disable search updateuser_pref("browser.search.update", false);// 0304: disable add-ons auto checking for new versionsuser_pref("extensions.update.enabled", false);// 0305: disable add-ons auto updateuser_pref("extensions.update.autoUpdateDefault", false);// 0306: disable add-on metadata updating - sends daily pings to mozilla about extensions and recent startups - privacy issueuser_pref("extensions.getAddons.cache.enabled", false);// 0307: disable auto updating of personas (themes)user_pref("lightweightThemes.update.enabled", false);// 0308: disable update plugin notifications - if you're using flash, java, silverlight - turn on their own auto-update mechanisms// also see 1804 below - Mozilla only checks a few plugins anyway - Silverlight, Flash, Java?, Quicktime? WMP?user_pref("plugins.update.notifyUser", false);// GITHUB 1: CIS Version 1.2.0 October 21st, 2011 2.1.3 Enable Information Bar for Outdated Pluginsuser_pref("plugins.hide_infobar_for_outdated_plugin", false);// 0309: disable sending plugin crash reports - keep FF quietuser_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);// 0310: disable sending the URL of the website where a plugin crashed - privacy issueuser_pref("dom.ipc.plugins.reportCrashURL", false);// 0320: disable extension discovery - featured extensions for displaying in Get Add-ons paneluser_pref("extensions.webservice.discoverURL", "http://127.0.0.1");// 0330: disable telemetry// big fat list here: https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html// the pref (.unified) affects the behaviour of the pref (.enabled)// IF unified=false then .enabled controls the telemetry module : IF unfied=true then .enabled ONLY controls whether to record extended data// so make sure to have both set as falseuser_pref("toolkit.telemetry.unified", false);user_pref("toolkit.telemetry.enabled", false);// 0331: remove url of server telemetry pings are sent touser_pref("toolkit.telemetry.server", "");// 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is falseuser_pref("toolkit.telemetry.archive.enabled", false);// 0333: disable health reportuser_pref("datareporting.healthreport.uploadEnabled", false);user_pref("datareporting.healthreport.documentServerURI", "");user_pref("datareporting.healthreport.service.enabled", false);// 0334: FF41+ see https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html// https://bugzilla.mozilla.org/show_bug.cgi?id=1195552// This is the master-kill-switch for upload/reporting for Health Reports and Telemetryuser_pref("datareporting.policy.dataSubmissionEnabled", false);// 0340: disable experimentsuser_pref("experiments.enabled", false);user_pref("experiments.manifest.uri", "");user_pref("experiments.supported", false);user_pref("experiments.activeExperiment", false);// 0341: disable mozilla permission to silently opt you into testsuser_pref("network.allow-experiments", false);// 0350: disable crash reportsuser_pref("breakpad.reportURL", "");// 0360: disable new tab tile ads & preload & marketing junkuser_pref("browser.newtab.preload", false);user_pref("browser.newtabpage.directory.ping", "");user_pref("browser.newtabpage.directory.source", "");user_pref("browser.newtabpage.enabled", false);user_pref("browser.newtabpage.enhanced", false);user_pref("browser.newtabpage.introShown", true);// GITHUB2: Control newtab behaviour// https://wiki.mozilla.org/Privacy/Reviews/New_Tabuser_pref("browser.newtabpage.enabled", false);// https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-offuser_pref("browser.newtab.url", "about:blank");// 0370: https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Serviceuser_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");// 0371: disable heartbeat - mozilla user rating telemetryuser_pref("browser.selfsupport.url", "");// 0372: disable hello - a WebRTC mozilla voice & video call that doesn't require an account - WebRTC (IP leak)user_pref("loop.enabled", false);// 0373: disable pocket, remove urls for good measure - a third party "save for later" service - privacy concernsuser_pref("browser.pocket.enabled", false);user_pref("reader.parse-on-load.enabled", false);user_pref("browser.pocket.api", "");user_pref("browser.pocket.site", "");// 0374: disable "social" integration - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_APIuser_pref("social.whitelist", "");user_pref("social.toast-notifications.enabled", false);user_pref("social.shareDirectory", "");user_pref("social.remote-install.enabled", false);user_pref("social.directories", "");user_pref("social.share.activationPanelEnabled", false);// QUIET Fox Part 2// 0400: QUIET FOX [PART 2] - NOTE: This section has security & tracking protection implications vs privacy concerns// These settings are geared up to make FF "quiet" & private, if you want safebrowsing & tracking protection then don't use this section (or parts of it)/// 0401: DON'T disable extension blocklist as it is now includes updates for "revoked certificates", this is not a privacy issue// see https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/// NOTE: requires extensions.blocklist.url to be set at defaultuser_pref("extensions.blocklist.enabled", true);// 0402: disable block reported web forgeries - when true this compares visited URLs against a blacklist or submits// URLs to a third party to determine whether a site is legitimate = privacy concerns. This setting is under Options>Securityuser_pref("browser.safebrowsing.enabled", false);// 0410: disable block reported attack sites - This setting is under Options>Security// safebrowsing uses locally stored data, but if the item is not found, then google is contacted - privacy concernsuser_pref("browser.safebrowsing.malware.enabled", false);// 0411: disable safebrowsing urls & downloaduser_pref("browser.safebrowsing.downloads.enabled", false);user_pref("browser.safebrowsing.downloads.remote.enabled", false);user_pref("browser.safebrowsing.appRepURL", "");user_pref("browser.safebrowsing.gethashURL", "");user_pref("browser.safebrowsing.malware.reportURL", "");user_pref("browser.safebrowsing.reportErrorURL", "");user_pref("browser.safebrowsing.reportGenericURL", "");user_pref("browser.safebrowsing.reportMalwareErrorURL", "");user_pref("browser.safebrowsing.reportMalwareURL", "");user_pref("browser.safebrowsing.reportPhishURL", "");user_pref("browser.safebrowsing.reportURL", "");user_pref("browser.safebrowsing.updateURL", "");// 0420: disable tracking protection - // https://support.mozilla.org/en-US/kb/tracking-protection-firefox// I believe there are no privacy concerns here, but you are better off using an extension such as uBlock Origin// which is not decided by a third party (disconnect) and which is far more effective (when used correctly)user_pref("privacy.trackingprotection.enabled", false);user_pref("browser.polaris.enabled", false); // deprecated?user_pref("browser.trackingprotection.gethashURL", "");user_pref("browser.trackingprotection.getupdateURL", "");user_pref("privacy.trackingprotection.pbmode.enabled", false);// GITHUB 3: CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6 Enable IDN Show Punycode// http://kb.mozillazine.org/Network.IDN_show_punycodeuser_pref("network.IDN_show_punycode", true);// GITHUB 4: Disallow NTLMv1// https://bugzilla.mozilla.org/show_bug.cgi?id=828183user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);// it is still allowed through HTTPS. uncomment the following to disable it completely.//user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_Listuser_pref("network.stricttransportsecurity.preloadlist", true);// BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]// 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]// 0601: disable link prefetchinguser_pref("network.prefetch-next", false);// 0602: disable dns prefetchinguser_pref("network.dns.disablePrefetch", true);user_pref("network.dns.disablePrefetchFromHTTPS", true);// 0603: disable seer/neckouser_pref("network.predictor.enabled", false);// 0604: disable search suggestionsuser_pref("browser.search.suggest.enabled", false);// 0605: disable link-mouseover opening connection to linked serveruser_pref("network.http.speculative-parallel-limit", 0);// 0606: disable pings (but enforce same host in case)user_pref("browser.send_pings", false);user_pref("browser.send_pings.require_same_host", true);// LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc// Not ALL of these are strictly needed, some are for the truely paranoid, but included for a more comprehensive list (see comments on each one)// 0801: disable location bar using search, give error message instead - don't leak typos to a search engine - PRIVACYuser_pref("keyword.enabled", false);// 0802: disable location bar domain guessing - intercepts DNS "hostname not found errors" and resends a request eg by adding www or .com.// Inconsistent use (eg FQDNs), does not work via Proxy Servers (different error), can send extra unexpected DNS requests,// is a flawed use of DNS (TLDs: why treat .com as the 411 for DNS errors?), privacy issues (why connect to sites you didn't intend to),// can leak sensitive data? (eg query strings: eg Princeton attack), and is a security risk (eg common typos & malicious sites set up to exploit this) - PRIVACY/SECURITYuser_pref("browser.fixup.alternate.enabled", false);// 0803: disable location bar dropdown - PRIVACY issue (i.e computer forensics/shoulder surfers)user_pref("browser.urlbar.maxRichResults", 0);// 0804: display all parts of the url - why rely on just a visual clue - helps SECURITYuser_pref("browser.urlbar.trimURLs", false);// 0805: disable URLbar autofill - http://kb.mozillazine.org/Inline_autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers)user_pref("browser.urlbar.autoFill", false);user_pref("browser.urlbar.autoFill.typed", false);// 0806: disable autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers)user_pref("browser.urlbar.autocomplete.enabled", false);// 0807: disable history manipulation - https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history - SECURITY// false=disable, have set to true otherwise it breaks some sites (youtube) ability to correctly show the url in location bar and for the forward/back tab history to workuser_pref("browser.history.allowPopState", true);user_pref("browser.history.allowPushState", true);user_pref("browser.history.allowReplaceState", true);// GITHUB 5: Don't remember browsing historyuser_pref("places.history.enabled", false);// GITHUB 6: CIS Version 1.2.0 October 21st, 2011 2.5.4 Delete History and Form Data// http://kb.mozillazine.org/Browser.history_expire_daysuser_pref("browser.history_expire_days", 0);// http://kb.mozillazine.org/Browser.history_expire_sitesuser_pref("browser.history_expire_sites", 0);// http://kb.mozillazine.org/Browser.history_expire_visitsuser_pref("browser.history_expire_visits", 0);// 0808: disable history suggestions - PRIVACY issue (i.e computer forensics/shoulder surfers)user_pref("browser.urlbar.suggest.history", false);// 0809: limit history PER TAB (back/forward) - history leaks via enumeration - PRIVACY// default=50!! minimum=1=currentpage, 2 is good for some sites/pages to work, 4 may be more practicaluser_pref("browser.sessionhistory.max_entries", 4);// 0810: disable css querying page history - css history leak - PRIVACYuser_pref("layout.css.visited_links_enabled", false);// 0811: disable displaying Javascript in history URLs - SECURITYuser_pref("browser.urlbar.filter.javascript", true);// 0812: disable saving information entered in web forms AND the search bar - PRIVACY issue (i.e computer forensics/shoulder surfers)// for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard.user_pref("browser.formfill. enable", false);// 0813: disable saving form data on secure websites (default=true) - PRIVACY issue (i.e computer forensics/shoulder surfers)// for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard.user_pref("browser.formfill.saveHttpsForms", false);// 0814: disable auto-filling username & password form fields (can leak in cross-site forms AND be spoofed) - http://kb.mozillazine.org/Signon.autofillForms// password will still be set after the user name is manually entered - SECURITYuser_pref("signon.autofillForms", false);// GITHUB 7: CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storageuser_pref("security.ask_for_password", 0);// GITHUB 8: CIS Version 1.2.0 October 21st, 2011 2.5.2 Disallow Credential Storageuser_pref("signon.rememberSignons", false);// CACHE// 1000: CACHE// 1001: disable disk cacheuser_pref("browser.cache.disk.enable", false);// 1002: disable disk caching of SSL pages - http://kb.mozillazine.org/Browser.cache.disk_cache_ssluser_pref("browser.cache.disk_cache_ssl", false);// 1003: disable memory cache as well IF you're REALLY paranoid (yep!), you'll take a performance/traffic hituser_pref("browser.cache.memory.enable", false);// 1004: disable offline cacheuser_pref("browser.cache.offline.enable", false);// 1005: disable storing extra session data 0=all 1=http-only 2=noneuser_pref("browser.sessionstore.privacy_level", 2);user_pref("browser.sessionstore.privacy_level_deferred", 2);// GITHUB9: Remove sessionstore data// http://kb.mozillazine.org/Browser.sessionstore.postdata// NOTE: relates to CIS 2.5.7user_pref("browser.sessionstore.postdata", 0);// http://kb.mozillazine.org/Browser.sessionstore.enableduser_pref("browser.sessionstore.enabled", false);// SSL / OCSP / CIPHERS// 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS)// GITHUB 10: Warn of missing SSL// https://developer.mozilla.org/en/Preferences/Mozilla_preferences_for_uber-geeks// see also CVE-2009-3555user_pref("security.ssl.warn_missing_rfc5746", 1);// GITHUB 11: TLS 1.[012]// http://kb.mozillazine.org/Security.tls.version.max// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.user_pref("security.tls.version.min", 1);user_pref("security.tls.version.max", 3);// CIS Version 1.2.0 October 21st, 2011 2.2.3 Enable Warning of Using Weak Encryptionuser_pref("security.warn_entering_weak", true);// 1201: block rc4 fallback and disable whitelist// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security// https://bugzil.la/1138882// https://rc4.io/user_pref("security.tls.unrestricted_rc4_fallback", false);user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);// 1203: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/user_pref("security.ssl.enable_ocsp_stapling", false);// 1204: https://wiki.mozilla.org/Security:Renegotiation - eventually this will be set to true by default,// leave commented out for now, as when set to true it can break too many sites eg some microsoft.com ones// user_pref("security.ssl.require_safe_negotiation", true);// 1205: display warning (red padlock) for "broken security" - https://wiki.mozilla.org/Security:Renegotiationuser_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);// 1206: require certificate revocation check through OCSP protocol. - this leaks information about the sites you visit to the CA// It's a trade-off between security (checking) and privacy (leaking info to the CA) - your choice (default is false)// WARNING: If set to true, this may cause some site breakage - some users have mentioned issues with youtube, microsoft etcuser_pref("security.OCSP.require", false);// 1207: query OCSP responder servers to confirm current validity of certificates (default=1)// 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL and security.OCSP.signinguser_pref("security.OCSP.enabled", 0);// 1208: enforce strict pinning - https://trac.torproject.org/projects/tor/ticket/16206 (default is 1)// PKP (public key pinning) 0-disabled 1=allow user MITM (such as your antivirus), 2=strict// WARNING: If you rely on an AV (antivirus) to protect your web browsing by inspecting ALL your web traffic, then leave at default =1user_pref("security.cert_pinning.enforcement_level", 2);// https://support.mozilla.org/en-US/kb/certificate-pinning-reports//// we could also disable security.ssl.errorReporting.enabled, but I think it's// good to leave the option to report potentially malicious sites if the user// chooses to do so.//// you can test this at https://pinningtest.appspot.com/user_pref("security.ssl.errorReporting.automatic", false);/****************************************************************************** * CIPHERS * * * * you can debug the SSL handshake with tshark: tshark -t ad -n -i wlan0 -T text -V -R ssl.handshake ******************************************************************************/// GITHUB12: disable null ciphersuser_pref("security.ssl3.rsa_null_sha", false);user_pref("security.ssl3.rsa_null_md5", false);user_pref("security.ssl3.ecdhe_rsa_null_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);user_pref("security.ssl3.ecdh_rsa_null_sha", false);user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);/* GITHUB13: SEED * https://en.wikipedia.org/wiki/SEED */user_pref("security.ssl3.rsa_seed_sha", false);// GITHUB 14: 40 bits...user_pref("security.ssl3.rsa_rc4_40_md5", false);user_pref("security.ssl3.rsa_rc2_40_md5", false);// GITHUB 15: 56 bitsuser_pref("security.ssl3.rsa_1024_rc4_56_sha", false);// GITHUB 16: 128 bitsuser_pref("security.ssl3.rsa_camellia_128_sha", false);user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);// GITHUB 17: RC4 (CVE-2013-2566)user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);user_pref("security.ssl3.rsa_rc4_128_md5", false);user_pref("security.ssl3.rsa_rc4_128_sha", false);user_pref("security.tls.unrestricted_rc4_fallback", false);/* * GITHUB 18: 3DES -> false because effective key size < 128 * * https://en.wikipedia.org/wiki/3des#Security * http://en.citizendium.org/wiki/Meet-in-the-middle_attack * * * See also: * * http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html */user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);user_pref("security.ssl3.rsa_des_ede3_sha", false);user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);// GITHUB 19: Ciphers with ECDH (without /e$/)user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);// GITHUB 20: 256 bits without PFSuser_pref("security.ssl3.rsa_camellia_256_sha", false);// GITHUB 21: Ciphers with ECDHE and > 128bitsuser_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);// GITHUB 22: GCM, yes please!user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);// GITHUB 23: Susceptible to the logjam attack - https://weakdh.org/user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);// GITHUB 24: Ciphers with DSA (max 1024 bits)user_pref("security.ssl3.dhe_dss_aes_128_sha", false);user_pref("security.ssl3.dhe_dss_aes_256_sha", false);user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);// GITHUB 25: Fallbacks due compatibility reasonsuser_pref("security.ssl3.rsa_aes_256_sha", true);user_pref("security.ssl3.rsa_aes_128_sha", true);// FONTS// 1400: FONTS// 1401: disable websites downloading their own fonts - change this to 0 in FF41+. Note: 0=block, 1=allow// This is the preference under Options>Content>Font & Colors>Advanced>Allow pages to choose their own fonts// If you disallow fonts, this blocks font enumeration (by JS) which is a high entropy fingerprinting vector// disabling fonts uglifies the web a little, and until FF41 will also block icon fontsuser_pref("browser.display.use_document_fonts", 0);// 1402: but for FF41+ allow icon fonts (gylphs) throughuser_pref("gfx.downloadable_fonts.enabled", true);// 1403: https://wiki.mozilla.org/SVGOpenTypeFonts - iSEC Partners Report recommends to disable thisuser_pref("gfx.font_rendering.opentype_svg.enabled", false);// HEADERS// 1600: HEADERS// 1601: disable Referer from an SSL Websiteuser_pref("network.http.sendSecureXSiteReferrer", false);// 1602: DNT HTTP header - essentially useless// http://kb.mozillazine.org/Privacy.donottrackheader.value - this pref is required since FF21+user_pref("privacy.donottrackheader.enabled", true);user_pref("privacy.donottrackheader.value", 1);// 1603: REFERER - http://kb.mozillazine.org/Network.http.sendRefererHeader// It is better to leave these at default (2, false) and use an extension to block all and then whitelist ( eg RefControl )// otherwise too much of the internet breaks. Even TOR does nothing about this.user_pref("network.http.sendRefererHeader",2);user_pref("network.http.referer.spoofSource", true);// PLUGINS// 1800: PLUGINS// 1801: set default plugin state (i.e new plugins on discovery) to never activate - 0=disabled, 1=ask to activate, 2=active - you can override individual pluginsuser_pref("plugin.default.state", 0);user_pref("plugin.defaultXpi.state", 0);// 1802: enable click to play and set to 0 minutesuser_pref("plugins.click_to_play", true);user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);// make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled - flash example below// you can just set all these plugin.state's via add-ons>plugins NOTE: you can still over-ride individual sites eg Youtube/ via site permissionsuser_pref("plugin.state.flash", 0);// 1803: remove plugin finder service - http://kb.mozillazine.org/Pfs.datasource.url// plugins are a dying breed, do we really want mozilla to find us missing plugins?user_pref("pfs.datasource.url", "");// 1804: disable plugin enumeration// WARNING: disabling plugin.enumerate.names breaks the plugin check at https://www.mozilla.org/en-US/plugincheck/// If you want to use this, then the default setting is an asterix. Otherwise most plugins have their own auto-update checks & downloadsuser_pref("plugins.enumerable_names", ""); // deprecated soon?: https://bugzilla.mozilla.org/show_bug.cgi?id=1169945user_pref("security.xpconnect.plugin.unrestricted", false);// 1805: disable scanning for plugins - http://kb.mozillazine.org/Plugin_scanning// plid.all = whether to scan the directories specified in the Windows registry for PLIDs - includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flashuser_pref("plugin.scan.plid.all", false);// 1806: Acrobat, Quicktime, WMP are handled separately - integer refers to min version number alloweduser_pref("plugin.scan.Acrobat", 99999);user_pref("plugin.scan.Quicktime", 99999);user_pref("plugin.scan.WindowsMediaPlayer", 99999);// 1807: disable auto-play of HTML5 media - have put this under plugins, not media. Note: this disables webm's auto playinguser_pref("media.autoplay.enabled", false);// 1808: disable OpenH264user_pref("media.gmp-provider.enabled", false);// MEDIA / CAMERA / MIKE// 2000: MEDIA / CAMERA / MIKE// 2001: disable webRTCuser_pref("media.peerconnection.enabled", false);user_pref("media.peerconnection.use_document_iceservers", false);user_pref("media.peerconnection.video.enabled", false);user_pref("media.peerconnection.identity.timeout", 1);// 2002: disable WebRTC - firefox making automatic connections#w_media-capabilitiesuser_pref("media.gmp-gmpopenh264.enabled", false);user_pref("media.gmp-manager.url", "");// 2003: disable EME bits - https://trac.torproject.org/projects/tor/ticket/16285user_pref("browser.eme.ui.enabled", false);user_pref("media.gmp-eme-adobe.enabled", false);user_pref("media.eme.enabled", false);user_pref("media.eme.apiVisible", false);// 2004: getUserMedia - https://wiki.mozilla.org/Media/getUserMediauser_pref("media.navigator.enabled", false);// 2010: disable webGL, force bare minimum feature set if used & disable webGL extensionsuser_pref("webgl.disabled", true);user_pref("pdfjs.enableWebGL", false);user_pref("webgl.min_capability_mode", true);user_pref("webgl.disable-extensions", true);// 2020: disable video statistics fingerprinting vector - javascript performace fingerprintinguser_pref("media.video_stats.enabled", false);// 2021: disable speech recognitionuser_pref("media.webspeech.recognition.enable", false);// 2022: disable screensharinguser_pref("media.getusermedia.screensharing.enabled", false);user_pref("media.getusermedia.screensharing.allowed_domains", "");// 2023: disable camera stuffuser_pref("camera.control.autofocus_moving_callback.enabled", false);user_pref("camera.control.face_detection.enabled", false);// UI meddling// 2200: UI meddling// see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features// 2201: disable website control over rightclick context menuuser_pref("dom.event.contextmenu.enabled", false);// GITHUB 26: Disable DOM web notificationsuser_pref("dom.webnotifications.enabled", false);// 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windowsuser_pref("dom.disable_window_open_feature.location", true);user_pref("dom.disable_window_open_feature.menubar", true);user_pref("dom.disable_window_open_feature.resizable", true);user_pref("dom.disable_window_open_feature.scrollbars", true);user_pref("dom.disable_window_open_feature.status", true);user_pref("dom.disable_window_open_feature.toolbar", true);// 2203: POPUP windows - prevent or allow javascript UI meddlinguser_pref("dom.disable_window_flip", true); // window z-orderuser_pref("dom.disable_window_move_resize", true);user_pref("dom.disable_window_open_feature.close", true);user_pref("dom.disable_window_open_feature.minimizable", true);user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbaruser_pref("dom.disable_window_open_feature.titlebar", true);user_pref("dom.disable_window_status_change", true);user_pref("dom.allow_scripts_to_close_windows", false);// DOM - JAVASCRIPT// 2400: DOM - JAVASCRIPT// GITHUB 27: Disable javascript options// https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29user_pref("javascript.options.methodjit.chrome", false);user_pref("javascript.options.methodjit.content", false);// http://asmjs.org/// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712user_pref("javascript.options.asmjs", false);// 2401: disable dom storageuser_pref("dom.storage.enabled", false);// 2402: disable website access to clipboard events (will break some sites functionaility such as pasting into Facebook)// this applies to onCut, onCopy, onPaste events - i.e is you have to interact with the website for it to look at the clipboarduser_pref("dom.event.clipboardevents.enabled", false);// 2403: disable scripts changing images eg google maps - will break a lot of web apps// user_pref("dom.disable_image_src_set", true);// 2404: disable JS storing data permanently - NOTE disabling this could break extensions (started in FFv35) - this bug has now been fixed but...// Note: this is the setting under about:permissions>All SItes>Maintain Offline Storage - you can override individual domains under site permissions// WARNING: i'll set as false (disabled), this WILL break some [old] add-ons and may break some sites' functionalityuser_pref("dom.indexedDB.enabled", false);// 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephonyuser_pref("dom.telephony.enabled", false);// 2406: disable gamepad API - fingerprinting - USB device ID enumerationuser_pref("dom.gamepad.enabled", false);// 2407: disable battery API - fingerprinting vectoruser_pref("dom.battery.enabled", false);// 2408: disable network API - fingerprinting vectoruser_pref("dom.network.enabled", false);// 2409: disable giving away network info - https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_APIuser_pref("dom.netinfo.enabled", false);// 2410: disable User Timing API - https://trac.torproject.org/projects/tor/ticket/16336user_pref("dom.enable_user_timing", false);// 2411: disable resource/navigation timinguser_pref("dom.enable_resource_timing", false);// 2412: https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI - javascript performace fingerprintinguser_pref("dom.enable_performance", false);// 2413: disable virtual reality devicesuser_pref("dom.vr.enabled", false);// 2414: disable shaking the screenuser_pref("dom.vibrator.enabled", false);// 2415: max popups from a single non-click event - default is 20!user_pref("dom.popup_maximum", 3);// 2416: disable idle observationuser_pref("dom.idle-observers-api.enabled", false);// 2417: disable SharedWorkers for now - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 8)// https://bugs.torproject.org/15562 - SharedWorker violates first party isolationuser_pref("dom.workers.sharedWorkers.enabled", false);// 2418: disbale full-screen API. This is the setting under about:permissions>All Sites>Fullscreen// set to false=block, set to true=ask. NOTE: you can still override individual domains under site permissionsuser_pref("full-screen-api.enabled", false);// MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY// 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY// 2601: disable sending additional analytics to web servers - https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeaconuser_pref("beacon.enabled", false);// 2602: CIS 2.3.2 disable downloading on desktopuser_pref("browser.download.folderList", 2);// 2603: always ask the user where to download - enforces user interaction for security reasonsuser_pref("browser.download.useDownloadDir", false);// 2604: https://bugzil.la/238789#c19user_pref("browser.helperApps.deleteTempFileOnExit", true);// 2605: don't integrate activity into windows recent documentsuser_pref("browser.download.manager.addToRecentDocs", false);// GITHUB 28: CIS Version 1.2.0 October 21st, 2011 2.5.5 Delete Download History// Zero (0) is an indication that no download history is retained for the current profile.user_pref("browser.download.manager.retention", 0);// 2606: disable hiding mime types in prefs applications tab that are not associated with a pluginuser_pref("browser.download.hide_plugins_without_extensions", false);// 2607: disable page thumbnails - privacyuser_pref("browser.pagethumbnails.capturing_disabled", true);// 2608: disable JAR from opening Unsafe File Typesuser_pref("network.jar.open-unsafe-types", false);// 2609: disable insecure active content on https pages - mixed contentuser_pref("security.mixed_content.block_active_content", true);// 2610: disable insecure passive content (such as images) on https pages - mixed context// current default is false, am inclined to leave it this way as too many sites break visuallyuser_pref("security.mixed_content.block_display_content", true);// GITHUB 29: Content security policy// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policyuser_pref("security.csp.enable", true);// https://bugzilla.mozilla.org/show_bug.cgi?id=855326user_pref("security.csp.experimentalEnabled", true);// 2611: disable WebIDE to prevent remote debugging and addon downloads// https://trac.torproject.org/projects/tor/ticket/16222user_pref("devtools.webide.autoinstallADBHelper", false);user_pref("devtools.webide.autoinstallFxdtAdapters", false);user_pref("devtools.debugger.remote-enabled", false);user_pref("devtools.webide.enabled", false);// GITHUB 30: Strict File Origin Policy// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8 Set File URI Origin Policy// http://kb.mozillazine.org/Security.fileuri.strict_origin_policyuser_pref("security.fileuri.strict_origin_policy", true);// GITHUB 31: Subresource integrity// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity// https://wiki.mozilla.org/Security/Subresource_Integrityuser_pref("security.sri.enable", true);// 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku// https://trac.torproject.org/projects/tor/ticket/16222user_pref("browser.casting.enabled", false);user_pref("gfx.layerscope.enabled", false);// 2613: disable device sensor API - fingerprinting vectoruser_pref("device.sensors.enabled", false);// 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 10)user_pref("network.http.spdy.enabled", false);user_pref("network.http.spdy.enabled.v3-1", false);// 2615: disable http/2 for now as well - need more infouser_pref("network.http.spdy.enabled.http2", false);user_pref("network.http.spdy.enabled.http2draft", false);// 2617: disable pdf.js as an option to preview PDFs within FF (see mime-types under Options>Applications) - exploit risk// enabling this will change your option - most likely to Ask, or Open with some external pdf reader// NOTE: this does NOT necessarily prevent pdf.js being used via other means, it only removes the option// I think this should probably be left at default (false) - but we'll change it anyway, even though 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as much risk or more (acrobat)// 3. mozilla are very quick to patch these sorts of exploits, they treat them as severe/critical 4. convenienceuser_pref("pdfjs.disabled", true);// 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue// http://kb.mozillazine.org/Network.proxy.socks_remote_dns// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers// eg in TOR, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS requestuser_pref("network.proxy.socks_remote_dns", true);// http://kb.mozillazine.org/Network.proxy.type// the default in Firefox for Linux is to use system proxy settings.// We change it to direct connection//user_pref("network.proxy.type", 0);// 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS), default is 20// WARNING: a low setting of 5 or under will probably break some sites [eg gmail logins]. This can be better handled by an addon [eg NoRedirect]// user_pref("network.http.redirection-limit", 20);// PERSONAL SETTINGS (with privacy implications)// 2800: PERSONAL SETTINGS [that have PRIVACY implications]// These can all be set via options. you don't have to use this section// This is included for those who wish to add this type of control into their user.js// 2801: COOKIES// disable cookies on all sites (you can still use exceptions under site permissions or use an extension - eg Cookie Controller, Self-destructing Cookies)// 0=allow all, 1=allow same host, 2=disallow all, 3= allow 3rd party if it has already set a cookieuser_pref("network.cookie.cookieBehavior", 1);// The cookie expires at the end of the session (when the browser closes).// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2user_pref("network.cookie.lifetimePolicy", 2);// 2082: enable FF to clear stuff on close (Options>Privacy>Clear history when firefox closes)user_pref("privacy.sanitize.sanitizeOnShutdown", true);// 2803: what to clear (Options>Privacy>Clear history when firefox closes>Settings)// these are the settings of the author of this user.js, chose your ownuser_pref("privacy.clearOnShutdown.cache", true);user_pref("privacy.clearOnShutdown.cookies", true);user_pref("privacy.clearOnShutdown.downloads", true);user_pref("privacy.clearOnShutdown.formdata", true);user_pref("privacy.clearOnShutdown.history", true);user_pref("privacy.clearOnShutdown.offlineApps", true);user_pref("privacy.clearOnShutdown.passwords", true);user_pref("privacy.clearOnShutdown.sessions", true); // active loginsuser_pref("privacy.clearOnShutdown.siteSettings", true);// 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Deluser_pref("privacy.cpd.cache", true);user_pref("privacy.cpd.cookies", true);user_pref("privacy.cpd.downloads", true);user_pref("privacy.cpd.formdata", true);user_pref("privacy.cpd.history", true);user_pref("privacy.cpd.offlineApps", true);user_pref("privacy.cpd.passwords", true);user_pref("privacy.cpd.sessions", true);user_pref("privacy.cpd.siteSettings", true);// GITHUB 32: Always use private browsing// https://support.mozilla.org/en-US/kb/Private-Browsing// https://wiki.mozilla.org/PrivateBrowsinguser_pref("browser.privatebrowsing.autostart", true);// Personal Handy Settings// 3000: PERSONAL HANDY SETTINGS// these are just damn handy to know, have lying around, and be able to easily migrate to a new profile// users can put their own non-security/privacy/fingerprinting/tracking stuff here// 3001: disable annoying warningsuser_pref("general.warnOnAboutConfig", false);user_pref("browser.tabs.warnOnClose", false);user_pref("browser.tabs.warnOnCloseOtherTabs", false);user_pref("browser.tabs.warnOnOpen", false);// 3001a disable warning when a domain requests full screen// https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Using_full_screen_mode// user_pref("full-screen-api.approval-required", false); // deprecated after FF42?// user_pref("full-screen-api.warning.timeout", 0); // FF43+// 3002: disable closing browser with last tabuser_pref("browser.tabs.closeWindowWithLastTab", false);// 3003: disable new search panel UIuser_pref("browser.search.showOneOffButtons", false);// 3004: disable backspaceuser_pref("browser.backspace_action", 2);// 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2)user_pref("clipboard.autocopy", false);//3006: turn on full native HTML5 player supportuser_pref ("media.fragmented-mp4.enabled", true);user_pref ("media.fragmented-mp4.exposed", true);user_pref ("media.fragmented-mp4.ffmpeg.enabled", true);user_pref ("media.fragmented-mp4.gmp.enabled", true);user_pref ("media.fragmented-mp4.use-blank-decoder", false); 1 OmniNegro reacted to this Quote Share this post Link to post
bigbrosbitch 65 Posted ... USER.JS ADDITIONAL NOTESRESOURCEShttp://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/https://github.com/pyllyukko/user.jshttps://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-datahttps://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profileshttp://www.wilderssecurity.com/threads/firefox-lockdown.368003/HARDENING FF RATIONALE Limit the possibilities to track the user through web analytics;Harden the browser, so it doesn't spill it's guts when asked;Limit the browser from storing anything even remotely sensitive persistently (mostly just making sure private browsing is always on);Make sure the browser doesn't reveal too much information to shoulder surfers;Harden the browser's encryption (cipher suites and protocols);Hopefully limit the attack surface by disabling various features; andStill be at least somewhat usable in daily use. WHAT FF INFORMATION IS STORED BY DEFAULT?Answer: A lot! Bookmarks and Browsing History: The places.sqlite file contains all your Firefox bookmarks and the list of all the websites you’ve visited. The bookmarkbackups folder stores bookmark backup files, which can be used to restore your bookmarks.Bookmarks, Downloads and Browsing History: The places.sqlite file contains all your Firefox bookmarks and lists of all the files you've downloaded and websites you’ve visited. The bookmarkbackups folder stores bookmark backup files, which can be used to restore your bookmarks.Passwords: Your passwords are stored in the key3.db and signons.sqlitelogins.json files.Site-specific preferences: The permissions.sqlite and content-prefs.sqlite files store many of your Firefox permissions (for instance, which sites are allowed to display popups) or zoom levels that are set on a site-by-site basis. Certain websites are given the ability to store passwords, set cookies and more e.g. font size and zoom - increase the size of web pages. Search engines: The search.sqlite file and searchplugins folder store the search engines that are available in the Firefox Search bar. Personal dictionary: The persdict.dat file stores any custom words you have added to Firefox's dictionary. Autocomplete history: The formhistory.sqlite file remembers what you have searched for in the Firefox search bar and what information you’ve entered into forms on websites.Download history: The downloads.sqlite file remembers what you have downloaded.Cookies: A cookie is a bit of information stored on your computer by a website you’ve visited. Usually this is something like your site preferences or login status. Cookies are all stored in the cookies.sqlite file.DOM storage: DOM Storage is designed to provide a larger, more secure, and easier-to-use alternative to storing information in cookies. Information is stored in the webappsstore.sqlite file for websites and in the chromeappsstore.sqlite for about:* pages.Security certificate settings: The cert8.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox.Security device settings: The secmod.db file is the security module database.Download actions: The mimeTypes.rdf file stores your preferences that tell Firefox what to do when it comes across a particular type of file. For example, these are the settings that tell Firefox to open a PDF file with Acrobat Reader when you click on it.Plugin MIME type: The pluginreg.dat file stores Internet media types related to your installed plugins.Stored session: The sessionstore.js file stores the currently open tabs and windows.Toolbar customization: The localstore.rdf file stores toolbar and window size/position settings.Toolbar customization: The xulstore.json file stores toolbar and window size/position settings.User preferences: The prefs.js file stores customized user preference settings, such as changes you make in Firefox OptionsPreferences dialogs. The optional user.js file, if one exists, will override any modified preferences. User styles: If they exist, the \chrome\userChrome.css and \chrome\userContent.css files store user-defined changes to either how Firefox looks, or how certain websites or HTML elements look or act.SUMMARY OF KEY CHANGES IN THE FF 'ULTIMATE' PROFILE** A summary of key changes can also be seen by running 'Troubleshooting Information' from the Help Menu in FF. HTML5 / APIs / DOM Disable geolocation Don't reveal internal IP addresses (media.peerconnection.enabled) BeEF Module: Get Internal IP WebRTC browser.send_pings Disable WebGL Disable Battery APIMiscellaneous Enables Firefox's mixed content blocking (also for "display" content) Disables various your-browser-knows-better-let-me-guess-what-you-were-trying features Disable keyword guessing Disable Domain GuessingExtensions / plugins relatedIt is common for client side attacks to target browser extensions, instead of the browser itself (just look at all those Java and Flash vulnerabilities).Make sure your extensions and plugins are always up-to-date. Disable flash Enable click to play Enable add-on updatesFirefox features Enables Firefox's built-in tracking protection Disables telemetry, crash reporter, health report, heartbeat and other privacy invading crapAutomatic connectionsThis section disables some of Firefox's automatic connections. Disables prefetching network.prefetch-next network.dns.disablePrefetch Disable Necko/predictor Disable search suggestionsHTTP Referer header: Spoofs the referer header with network.http.referer.spoofSource & Network.http.sendRefererHeader "Don't send the Referer header when navigating from a https site to another https site." Don't accept 3rd party cookiesCaching Permanently enables private browsing mode Prevents Firefox from storing data filled in web page forms Disables password managerUI related Don't suggest any URLs while typing at the address barTLS / HTTPS / OCSP related TLS v1.[012] only Ditch OCSP Notice that this setting has some privacy implications OCSP stapling (enabled by default anyway) Disable TLS session tickets Enforces pinningCiphersThis section tweaks the cipher suites used by Firefox. The idea is to support only the strongest ones with emphasis on forward secrecy, but without compromising compatibility with all those sites on the internet. As new crypto related flaws are discovered quite often, the cipher suites can be tweakedto mitigate these newly discovered threats.Here's a list of the ciphers with default config and Firefox 27.0.1:Cipher Suites (23 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)Here's the list with this config for FF 41.0.2:Cipher Suites (8 suites) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)OTHER KNOWN PROBLEMS WITH 'ULTIMATE' FF PROFILE Here's some examples: If you get "TypeError: localStorage is null", you probably need to enable local storage (dom.storage.enabled == true) If you get "sec_error_ocsp_invalid_signing_cert", it probably means that you don't have the required CA (see step further below) If you get "ssl_error_unsafe_negotiation", it means the server is vulnerable to CVE-2009-3555 and you need to disable security.ssl.require_safe_negotiation (not enabled currently) If you set browser.frames.enabled to false, probably a whole bunch of websites will break Some sites require the referer header (usually setting network.http.sendRefererHeader == 2 is enough to overcome this and the referer is still "spoofed") The IndexedDB is something that could potentially be used to track users, but it is also required by some browser add-ons in recent versions of Firefox. It would be best to disable this feature just to be on the safe side, but it is currently enabled, so that add-ons would work. See the following links for further info: Issue #8 IndexedDB Security Review (this document also states that "IndexedDB is completely disabled in private browsing mode.", but this should still be verified) This discussion on mozillaZine Forums IndexedDB page at MDN Firefox Hello requires WebRTC, so you'll need to enable media.peerconnection.enabled & media.getusermedia.screensharing.enabled and apparently disable security.OCSP.require. Captive portals might not let OCSP requests through before authentication, so setting security.OCSP.require == false might be required before internet access is granted DNT is not set, so you need to enable it manually if you want (see the discussion in issue #11) The network.http.referer.spoofSource and network.http.sendRefererHeader settings seems to break the visualization of the 3rd party sites on the Lightbeam extension You can not view or inspect cookies when in private browsing (see https://bugzil.la/823941) Installation of user.js causes saved passwords to be removed from FFTEST HARDENED FF BROWSERUse some of the following online tests and compare your 'ultimate' FF profile with your default. You should be pleasantly surprised. Online tests: Panopticlick www.filldisk.com SSL Client Test evercookie Mozilla Plugin Check BrowserSpy.dk Testing mixed content Similar from Microsoft WebRTC stuff Flash player version from Adobe Verify your installed Java Version Protip: Don't use Oracle's Java!! But if you really need it, update it regulary! IP check Onion test for CORS and WebSocket Firefox Addon Detector Blog post browserrecon?? Official WebGL check battery.js RC4 fallback test Battery API SECURE DESKTOP BROWSING ENVIRONMENTS - FINAL COMMENTS:* Download media files where possible in preference to using flash or other plug-ins for streaming. For example, in GNU/Linux you can use youtube-dl to play the media with your native video player at the O/S level instead. Youtube-dl and certain other apps can also be combined with torsocks to provide greater anonymity and security.* Ultimately, enhanced desktop browser security requires a minimum combination of:- a GNU/Linux host O/S (itself hardened with AppArmor, strict firewalls/network locks and significantly reduced attack vectors); and- OpenVPN and Tor Browser run in combination.* The BEST available O/S security for the average (capable) desktop user requires either running a hypervisor over the top e.g. Whonix running in Virtualbox from clean images, or (even better!) a Xen system running off the bare computer metal (e.g. Qubes). This SIGNIFICANTLY reduces attack vectors and limits the potential damage that can be caused by hackers, unless they are really, really good.* AFAIK, CRITICAL anonymous browsing with forensic considerations necessitates the use of TAILS with a non-persistent volume. Under normal circumstances, data trails are otherwise left on swap partitions and sectors of HDD/SSDs marked as 'dead/clean', even after 'secure, military-grade' wipes of the digital media!* TAILS can be used safely in infected computers, except (?) those pwned at the firmware level: double-check the TAILS forum for the latest security advice!* Using FOSS full disk encryption (e.g. LUKS) with a sufficiently large passphrase may be best practice if browsing directly from a standard Linux/Windoze/Mac operating system, or separately encrypting the swap, root and home partitions at the block level.* Semi-regularly zero out free space on your drives for greater security alongside thorough use of BleachBit. Good luck! 1 OmniNegro reacted to this Quote Share this post Link to post
zhang888 1066 Posted ... Thanks, but you made it very hard to differ between text and settings I'll put a simplified version of pretty much the same: http://www.zdziarski.com/blog/?p=5314 1 OmniNegro reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
bigbrosbitch 65 Posted ... /********ULTIMATE HARDENED FIREFOX USER.JS - AIRVPN CLEAN EDITION v2.0 8~]Based on:url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/url: https://github.com/pyllyukko/user.jsINSTRUCTIONS1. Save this text as user.js and place it under a newly created FF profile (see steps below). In Linux:2. Alt-F23. Firefox -P4. "Create New Profile" & "Create a new folder" for this FF profile5. Uncheck "Use the Selected Profile without asking at startup"6. Drop this user.js file into ~/.mozilla/Firefox/your_new_profile_name7. Restart FF with new profile & install add-ons: HTTPS Everywhere, No Script, Privacy Badger, UBlock Origin, Random Agent Spoofer, Canvas Block and Self-destructing Cookies.*********/// STARTUP// 0100: STARTUP// 0101: Disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser checkuser_pref("browser.slowStartup.notificationDisabled", true);user_pref("browser.slowStartup.maxSamples", 0);user_pref("browser.slowStartup.samples", 0);user_pref("browser.rights.3.shown", true);user_pref("browser.startup.homepage_override.mstone", "ignore");user_pref("startup.homepage_welcome_url", "");user_pref("startup.homepage_override_url", "");user_pref("browser.feeds.showFirstRunUI", false);user_pref("browser.shell.checkDefaultBrowser", false);// GEO// 0200: GEO// 0201: Disable location-aware browsinguser_pref("geo.enabled", false);user_pref("geo.wifi.uri", "http://127.0.0.1");user_pref("browser.search.geoip.url", "");// 0202: Disable GeoIP-based search resultsuser_pref("browser.search.countryCode", "US");user_pref("browser.search.region", "US");// QUIET Fox Part 1// 0300: QUIET FOX [PART 1] - "ET no phone home" for anything - manual updates are still possible// 0301: Disable browser auto updateuser_pref("app.update.enabled", false);// 0302: Disable browser auto installing update when you do a manual checkuser_pref("app.update.auto", false);// 0303: Disable search updateuser_pref("browser.search.update", false);// 0304: Disable add-ons auto checking for new versionsuser_pref("extensions.update.enabled", false);// 0305: Disable add-ons auto updateuser_pref("extensions.update.autoUpdateDefault", false);// 0306: Disable add-on metadata updatinguser_pref("extensions.getAddons.cache.enabled", false);// 0307: Disable auto updating of personas (themes)user_pref("lightweightThemes.update.enabled", false);// 0308: Disable update plugin notificationsuser_pref("plugins.update.notifyUser", false);// GITHUB #1: Enable Information Bar for Outdated Pluginsuser_pref("plugins.hide_infobar_for_outdated_plugin", false);// 0309: Disable sending plugin crash reports - keep FF quietuser_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);// 0310: Disable sending the URL of the website where a plugin crasheduser_pref("dom.ipc.plugins.reportCrashURL", false);// 0320: Disable extension discoveryuser_pref("extensions.webservice.discoverURL", "http://127.0.0.1");// 0330: Disable telemetryuser_pref("toolkit.telemetry.unified", false);user_pref("toolkit.telemetry.enabled", false);// 0331: Remove url of server telemetry pings are sent touser_pref("toolkit.telemetry.server", "");// 0332: Disable archiving pings locallyuser_pref("toolkit.telemetry.archive.enabled", false);// 0333: Disable health reportuser_pref("datareporting.healthreport.uploadEnabled", false);user_pref("datareporting.healthreport.documentServerURI", "");user_pref("datareporting.healthreport.service.enabled", false);user_pref("datareporting.policy.dataSubmissionEnabled", false);// 0340: Disable experimentsuser_pref("experiments.enabled", false);user_pref("experiments.manifest.uri", "");user_pref("experiments.supported", false);user_pref("experiments.activeExperiment", false);// 0341: Disable mozilla permission to silently opt you into testsuser_pref("network.allow-experiments", false);// 0350: Disable crash reportsuser_pref("breakpad.reportURL", "");// 0360: Disable new tab tile ads & preload & marketing junkuser_pref("browser.newtab.preload", false);user_pref("browser.newtabpage.directory.ping", "");user_pref("browser.newtabpage.directory.source", "");user_pref("browser.newtabpage.enabled", false);user_pref("browser.newtabpage.enhanced", false);user_pref("browser.newtabpage.introShown", true);// GITHUB #2: Control newtab behaviouruser_pref("browser.newtabpage.enabled", false);user_pref("browser.newtab.url", "about:blank");// 0370: Control snippet serviceuser_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");// 0371: Disable heartbeatuser_pref("browser.selfsupport.url", "");// 0372: Disable hellouser_pref("loop.enabled", false);// 0373: Disable pocket, remove urls for good measureuser_pref("browser.pocket.enabled", false);user_pref("reader.parse-on-load.enabled", false);user_pref("browser.pocket.api", "");user_pref("browser.pocket.site", "");// 0374: Disable "social" integrationuser_pref("social.whitelist", "");user_pref("social.toast-notifications.enabled", false);user_pref("social.shareDirectory", "");user_pref("social.remote-install.enabled", false);user_pref("social.directories", "");user_pref("social.share.activationPanelEnabled", false);// QUIET Fox Part 2// 0400: QUIET FOX [PART 2] - Security, tracking and privacy implications/// 0401: Don't disable extension blocklistuser_pref("extensions.blocklist.enabled", true);// 0402: Disable block reported web forgeriesuser_pref("browser.safebrowsing.enabled", false);// 0410: Disable block reported attack sitesuser_pref("browser.safebrowsing.malware.enabled", false);// 0411: Disable safebrowsing urls & downloaduser_pref("browser.safebrowsing.downloads.enabled", false);user_pref("browser.safebrowsing.downloads.remote.enabled", false);user_pref("browser.safebrowsing.appRepURL", "");user_pref("browser.safebrowsing.gethashURL", "");user_pref("browser.safebrowsing.malware.reportURL", "");user_pref("browser.safebrowsing.reportErrorURL", "");user_pref("browser.safebrowsing.reportGenericURL", "");user_pref("browser.safebrowsing.reportMalwareErrorURL", "");user_pref("browser.safebrowsing.reportMalwareURL", "");user_pref("browser.safebrowsing.reportPhishURL", "");user_pref("browser.safebrowsing.reportURL", "");user_pref("browser.safebrowsing.updateURL", "");// 0420: Disable tracking protectionuser_pref("privacy.trackingprotection.enabled", false);user_pref("browser.polaris.enabled", false);user_pref("browser.trackingprotection.gethashURL", "");user_pref("browser.trackingprotection.getupdateURL", "");user_pref("privacy.trackingprotection.pbmode.enabled", false);// GITHUB #3: Enable IDN Show Punycodeuser_pref("network.IDN_show_punycode", true);// GITHUB #4: Disallow NTLMv1user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);user_pref("network.stricttransportsecurity.preloadlist", true);// BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]// 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]// 0601: Disable link prefetchinguser_pref("network.prefetch-next", false);// 0602: Disable dns prefetchinguser_pref("network.dns.disablePrefetch", true);user_pref("network.dns.disablePrefetchFromHTTPS", true);// 0603: Disable seer/neckouser_pref("network.predictor.enabled", false);// 0604: Disable search suggestionsuser_pref("browser.search.suggest.enabled", false);// 0605: Disable link-mouseover opening connection to linked serveruser_pref("network.http.speculative-parallel-limit", 0);// 0606: Disable pings (but enforce same host in case)user_pref("browser.send_pings", false);user_pref("browser.send_pings.require_same_host", true);// LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc// 0801: Disable location bar using search, give error message insteaduser_pref("keyword.enabled", false);// 0802: Disable location bar domain guessinguser_pref("browser.fixup.alternate.enabled", false);// 0803: Disable location bar dropdownuser_pref("browser.urlbar.maxRichResults", 0);// 0804: Display all parts of the urluser_pref("browser.urlbar.trimURLs", false);// 0805: Disable URLbar autofilluser_pref("browser.urlbar.autoFill", false);user_pref("browser.urlbar.autoFill.typed", false);// 0806: Disable autocompleteuser_pref("browser.urlbar.autocomplete.enabled", false);// 0807: Disable history manipulation user_pref("browser.history.allowPopState", true);user_pref("browser.history.allowPushState", true);user_pref("browser.history.allowReplaceState", true);// GITHUB #5: Don't remember browsing historyuser_pref("places.history.enabled", false);// GITHUB #6: Delete History and Form Datauser_pref("browser.history_expire_days", 0);user_pref("browser.history_expire_sites", 0);user_pref("browser.history_expire_visits", 0);// 0808: Disable history suggestionsuser_pref("browser.urlbar.suggest.history", false);// 0809: Limit history PER TAB (back/forward)user_pref("browser.sessionhistory.max_entries", 4);// 0810: Disable css querying page historyuser_pref("layout.css.visited_links_enabled", false);// 0811: Disable displaying Javascript in history URLsuser_pref("browser.urlbar.filter.javascript", true);// 0812: Disable saving information entered in web forms AND the search baruser_pref("browser.formfill. enable", false);// 0813: Disable saving form data on secure websites (default=true)user_pref("browser.formfill.saveHttpsForms", false);// 0814: Disable auto-filling username & password form fieldsuser_pref("signon.autofillForms", false);// GITHUB #7: Disable Prompting for Credential Storageuser_pref("security.ask_for_password", 0);// GITHUB #8: Disallow Credential Storageuser_pref("signon.rememberSignons", false);// CACHE// 1000: CACHE// 1001: Disable disk cacheuser_pref("browser.cache.disk.enable", false);// 1002: Disable disk caching of SSL pagesuser_pref("browser.cache.disk_cache_ssl", false);// 1003: Disable memory cacheuser_pref("browser.cache.memory.enable", false);// 1004: Disable offline cacheuser_pref("browser.cache.offline.enable", false);// 1005: Disable storing extra session datauser_pref("browser.sessionstore.privacy_level", 2);user_pref("browser.sessionstore.privacy_level_deferred", 2);// GITHUB #9: Remove sessionstore datauser_pref("browser.sessionstore.postdata", 0);user_pref("browser.sessionstore.enabled", false);// SSL / OCSP / CIPHERS// 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS)// GITHUB #10: Warn of missing SSLuser_pref("security.ssl.warn_missing_rfc5746", 1);// GITHUB #11: TLS 1.[012]user_pref("security.tls.version.min", 1);user_pref("security.tls.version.max", 3);user_pref("security.warn_entering_weak", true);// 1201: Block rc4 fallback and disable whitelistuser_pref("security.tls.unrestricted_rc4_fallback", false);user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);// 1203: OSCP staplinguser_pref("security.ssl.enable_ocsp_stapling", false);// 1204: Security renegotiation// user_pref("security.ssl.require_safe_negotiation", true);// 1205: Display warning (red padlock) for "broken security"user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);// 1206: Require certificate revocation check through OCSP protocoluser_pref("security.OCSP.require", false);// 1207: Query OCSP responder servers to confirm current validity of certificatesuser_pref("security.OCSP.enabled", 0);// 1208: Enforce strict pinninguser_pref("security.cert_pinning.enforcement_level", 2);user_pref("security.ssl.errorReporting.automatic", false);// GITHUB #12: Disable null ciphersuser_pref("security.ssl3.rsa_null_sha", false);user_pref("security.ssl3.rsa_null_md5", false);user_pref("security.ssl3.ecdhe_rsa_null_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);user_pref("security.ssl3.ecdh_rsa_null_sha", false);user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);// GITHUB #13: Seeduser_pref("security.ssl3.rsa_seed_sha", false);// GITHUB #14: 40 bitsuser_pref("security.ssl3.rsa_rc4_40_md5", false);user_pref("security.ssl3.rsa_rc2_40_md5", false);// GITHUB #15: 56 bitsuser_pref("security.ssl3.rsa_1024_rc4_56_sha", false);// GITHUB #16: 128 bitsuser_pref("security.ssl3.rsa_camellia_128_sha", false);user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);// GITHUB #17: RC4user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);user_pref("security.ssl3.rsa_rc4_128_md5", false);user_pref("security.ssl3.rsa_rc4_128_sha", false);user_pref("security.tls.unrestricted_rc4_fallback", false);// GITHUB #18: 3DESuser_pref("security.ssl3.dhe_dss_des_ede3_sha", false);user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);user_pref("security.ssl3.rsa_des_ede3_sha", false);user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);// GITHUB #19: Ciphers with ECDH (without /e$/)user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);// GITHUB #20: 256 bits without PFSuser_pref("security.ssl3.rsa_camellia_256_sha", false);// GITHUB #21: Ciphers with ECDHE and > 128bitsuser_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);// GITHUB #22: GCM, yes please!user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);// GITHUB #23: Susceptible to the logjam attackuser_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);// GITHUB #24: Ciphers with DSA (max 1024 bits)user_pref("security.ssl3.dhe_dss_aes_128_sha", false);user_pref("security.ssl3.dhe_dss_aes_256_sha", false);user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);// GITHUB #25: Fallbacks due compatibility reasonsuser_pref("security.ssl3.rsa_aes_256_sha", true);user_pref("security.ssl3.rsa_aes_128_sha", true);// FONTS// 1400: FONTS// 1401: Disable website downloading fontsuser_pref("browser.display.use_document_fonts", 0);// 1402: But for FF41+ allow icon fonts (gylphs) throughuser_pref("gfx.downloadable_fonts.enabled", true);// 1403: iSEC Partners Report recommends disablinguser_pref("gfx.font_rendering.opentype_svg.enabled", false);// HEADERS// 1600: HEADERS// 1601: Disable Referer from an SSL Websiteuser_pref("network.http.sendSecureXSiteReferrer", false);// 1602: DNT HTTP headeruser_pref("privacy.donottrackheader.enabled", true);user_pref("privacy.donottrackheader.value", 1);// 1603: Referreruser_pref("network.http.sendRefererHeader",2);user_pref("network.http.referer.spoofSource", true);// PLUGINS// 1800: PLUGINS// 1801: Set default plugin stateuser_pref("plugin.default.state", 0);user_pref("plugin.defaultXpi.state", 0);// 1802: Enable click to play and set to 0 minutesuser_pref("plugins.click_to_play", true);user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);user_pref("plugin.state.flash", 0);// 1803: Remove plugin finder serviceuser_pref("pfs.datasource.url", "");// 1804: Disable plugin enumerationuser_pref("plugins.enumerable_names", "");user_pref("security.xpconnect.plugin.unrestricted", false);// 1805: Disable scanning for pluginsuser_pref("plugin.scan.plid.all", false);// 1806: Acrobat, Quicktime, WMP are handled separatelyuser_pref("plugin.scan.Acrobat", 99999);user_pref("plugin.scan.Quicktime", 99999);user_pref("plugin.scan.WindowsMediaPlayer", 99999);// 1807: Disable auto-play of HTML5 mediauser_pref("media.autoplay.enabled", false);// 1808: Disable OpenH264user_pref("media.gmp-provider.enabled", false);// MEDIA / CAMERA / MIKE// 2000: MEDIA / CAMERA / MIKE// 2001: Disable webRTCuser_pref("media.peerconnection.enabled", false);user_pref("media.peerconnection.use_document_iceservers", false);user_pref("media.peerconnection.video.enabled", false);user_pref("media.peerconnection.identity.timeout", 1);// 2002: Disable WebRTC auto-connectionsuser_pref("media.gmp-gmpopenh264.enabled", false);user_pref("media.gmp-manager.url", "");// 2003: Disable EME bitsuser_pref("browser.eme.ui.enabled", false);user_pref("media.gmp-eme-adobe.enabled", false);user_pref("media.eme.enabled", false);user_pref("media.eme.apiVisible", false);// 2004: GetUserMediauser_pref("media.navigator.enabled", false);// 2010: Disable webGLuser_pref("webgl.disabled", true);user_pref("pdfjs.enableWebGL", false);user_pref("webgl.min_capability_mode", true);user_pref("webgl.disable-extensions", true);// 2020: Disable video statistics fingerprinting vectoruser_pref("media.video_stats.enabled", false);// 2021: Disable speech recognitionuser_pref("media.webspeech.recognition.enable", false);// 2022: Disable screensharinguser_pref("media.getusermedia.screensharing.enabled", false);user_pref("media.getusermedia.screensharing.allowed_domains", "");// 2023: Disable camera stuffuser_pref("camera.control.autofocus_moving_callback.enabled", false);user_pref("camera.control.face_detection.enabled", false);// UI meddling// 2200: UI meddling// 2201: Disable website control over rightclick context menuuser_pref("dom.event.contextmenu.enabled", false);// GITHUB #26: Disable DOM web notificationsuser_pref("dom.webnotifications.enabled", false);// 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windowsuser_pref("dom.disable_window_open_feature.location", true);user_pref("dom.disable_window_open_feature.menubar", true);user_pref("dom.disable_window_open_feature.resizable", true);user_pref("dom.disable_window_open_feature.scrollbars", true);user_pref("dom.disable_window_open_feature.status", true);user_pref("dom.disable_window_open_feature.toolbar", true);// 2203: POPUP windows - prevent or allow javascript UI meddlinguser_pref("dom.disable_window_flip", true); // window z-orderuser_pref("dom.disable_window_move_resize", true);user_pref("dom.disable_window_open_feature.close", true);user_pref("dom.disable_window_open_feature.minimizable", true);user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbaruser_pref("dom.disable_window_open_feature.titlebar", true);user_pref("dom.disable_window_status_change", true);user_pref("dom.allow_scripts_to_close_windows", false);// DOM - JAVASCRIPT// 2400: DOM - JAVASCRIPT// GITHUB #27: Disable javascript optionsuser_pref("javascript.options.methodjit.chrome", false);user_pref("javascript.options.methodjit.content", false);user_pref("javascript.options.asmjs", false);// 2401: Disable dom storageuser_pref("dom.storage.enabled", false);// 2402: Disable website access to clipboard eventsuser_pref("dom.event.clipboardevents.enabled", false);// 2403: Disable scripts changing images eg google maps - will break a lot of web apps// user_pref("dom.disable_image_src_set", true);// 2404: Disable JS storing data permanentlyuser_pref("dom.indexedDB.enabled", false);// 2405: Web telephonyuser_pref("dom.telephony.enabled", false);// 2406: Disable gamepad APIuser_pref("dom.gamepad.enabled", false);// 2407: Disable battery APIuser_pref("dom.battery.enabled", false);// 2408: Disable network APIuser_pref("dom.network.enabled", false);// 2409: Disable giving away network infouser_pref("dom.netinfo.enabled", false);// 2410: Disable User Timing APIuser_pref("dom.enable_user_timing", false);// 2411: Disable resource/navigation timinguser_pref("dom.enable_resource_timing", false);// 2412: Javascript performace fingerprintinguser_pref("dom.enable_performance", false);// 2413: Disable virtual reality devicesuser_pref("dom.vr.enabled", false);// 2414: Disable shaking the screenuser_pref("dom.vibrator.enabled", false);// 2415: Max popups from a single non-click eventuser_pref("dom.popup_maximum", 3);// 2416: Disable idle observationuser_pref("dom.idle-observers-api.enabled", false);// 2417: Disable SharedWorkers for nowuser_pref("dom.workers.sharedWorkers.enabled", false);// 2418: Disbale full-screen APIuser_pref("full-screen-api.enabled", false);// MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY// 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY// 2601: Disable sending additional analytics to web serversuser_pref("beacon.enabled", false);// 2602: Disable downloading on desktopuser_pref("browser.download.folderList", 2);// 2603: Always ask the user where to downloaduser_pref("browser.download.useDownloadDir", false);// 2604: Delete temp files on exituser_pref("browser.helperApps.deleteTempFileOnExit", true);// 2605: Don't integrate activity into windows recent documentsuser_pref("browser.download.manager.addToRecentDocs", false);// GITHUB #28: Delete download historyuser_pref("browser.download.manager.retention", 0);// 2606: Disable hiding mime types in prefs applications tab that are not associated with a pluginuser_pref("browser.download.hide_plugins_without_extensions", false);// 2607: Disable page thumbnailsuser_pref("browser.pagethumbnails.capturing_disabled", true);// 2608: Disable JAR from opening Unsafe File Typesuser_pref("network.jar.open-unsafe-types", false);// 2609: Disable insecure active content on https pages - mixed contentuser_pref("security.mixed_content.block_active_content", true);// 2610: Disable insecure passive content (such as images) on https pages - mixed contextuser_pref("security.mixed_content.block_display_content", true);// GITHUB #29: Content security policyuser_pref("security.csp.enable", true);user_pref("security.csp.experimentalEnabled", true);// 2611: Disable WebIDE to prevent remote debugging and addon downloadsuser_pref("devtools.webide.autoinstallADBHelper", false);user_pref("devtools.webide.autoinstallFxdtAdapters", false);user_pref("devtools.debugger.remote-enabled", false);user_pref("devtools.webide.enabled", false);// GITHUB #30: Strict File URI Origin Policyuser_pref("security.fileuri.strict_origin_policy", true);// GITHUB #31: Sub-resource integrityuser_pref("security.sri.enable", true);// 2612: Disable SimpleServiceDiscoveryuser_pref("browser.casting.enabled", false);user_pref("gfx.layerscope.enabled", false);// 2613: Disable device sensor APIuser_pref("device.sensors.enabled", false);// 2614: Disable SPDYuser_pref("network.http.spdy.enabled", false);user_pref("network.http.spdy.enabled.v3-1", false);// 2615: Disable http/2 for now as welluser_pref("network.http.spdy.enabled.http2", false);user_pref("network.http.spdy.enabled.http2draft", false);// 2617: Disable pdf.jsuser_pref("pdfjs.disabled", true);// 2618: When using SOCKS have the proxy server do the DNS lookupuser_pref("network.proxy.socks_remote_dns", true);// 2619: limit HTTP redirects// user_pref("network.http.redirection-limit", 20);// PERSONAL SETTINGS (with privacy implications)// 2800: PERSONAL SETTINGS [that have PRIVACY implications]// 2801: Disable cookiesuser_pref("network.cookie.cookieBehavior", 1);user_pref("network.cookie.lifetimePolicy", 2);// 2082: Enable FF to clear stuff on shutdownuser_pref("privacy.sanitize.sanitizeOnShutdown", true);// 2803: Tell FF what to clearuser_pref("privacy.clearOnShutdown.cache", true);user_pref("privacy.clearOnShutdown.cookies", true);user_pref("privacy.clearOnShutdown.downloads", true);user_pref("privacy.clearOnShutdown.formdata", true);user_pref("privacy.clearOnShutdown.history", true);user_pref("privacy.clearOnShutdown.offlineApps", true);user_pref("privacy.clearOnShutdown.passwords", true);user_pref("privacy.clearOnShutdown.sessions", true); // active loginsuser_pref("privacy.clearOnShutdown.siteSettings", true);// 2804: (To match above)user_pref("privacy.cpd.cache", true);user_pref("privacy.cpd.cookies", true);user_pref("privacy.cpd.downloads", true);user_pref("privacy.cpd.formdata", true);user_pref("privacy.cpd.history", true);user_pref("privacy.cpd.offlineApps", true);user_pref("privacy.cpd.passwords", true);user_pref("privacy.cpd.sessions", true);user_pref("privacy.cpd.siteSettings", true);// GITHUB #32: Always use private browsinguser_pref("browser.privatebrowsing.autostart", true);// Personal Handy Settings// 3000: PERSONAL HANDY SETTINGS// 3001: Disable annoying warningsuser_pref("general.warnOnAboutConfig", false);user_pref("browser.tabs.warnOnClose", false);user_pref("browser.tabs.warnOnCloseOtherTabs", false);user_pref("browser.tabs.warnOnOpen", false);// 3001a Disable warning when a domain requests full screen// user_pref("full-screen-api.warning.timeout", 0); // FF43+// 3002: Disable closing browser with last tabuser_pref("browser.tabs.closeWindowWithLastTab", false);// 3003: Disable new search panel UIuser_pref("browser.search.showOneOffButtons", false);// 3004: Disable backspaceuser_pref("browser.backspace_action", 2);// 3005: Disable autocopy defaultuser_pref("clipboard.autocopy", false);//3006: Turn on full native HTML5 player supportuser_pref ("media.fragmented-mp4.enabled", true);user_pref ("media.fragmented-mp4.exposed", true);user_pref ("media.fragmented-mp4.ffmpeg.enabled", true);user_pref ("media.fragmented-mp4.gmp.enabled", true);user_pref ("media.fragmented-mp4.use-blank-decoder", false); 2 Valerian and OmniNegro reacted to this Quote Share this post Link to post
bigbrosbitch 65 Posted ... /********HARDENED FIREFOX USER.JS v2.1 - "Codename cmOs"Based on:1. url: http://www.ghacks.ne...urity-settings/2. url: https://github.com/pyllyukko/user.js3. Compatible Tor Browser v5.5a4 about:config changes4. Deprecated items noted by Martin Brinkman (GHacks) @ 11/11/155. Additional author itemsINSTRUCTIONS1. Save this text as user.js and place it under a newly created FF profile (see steps below). In Linux:2. Alt-F23. Firefox -P4. "Create New Profile" & "Create a new folder" for this FF profile5. Uncheck "Use the Selected Profile without asking at startup"6. Drop this user.js file into ~/.mozilla/Firefox/your_new_profile_name7. Restart FF with new profile8. Immediately install these add-ons: HTTPS Everywhere, No Script, Privacy Badger, UBlock Origin, Random Agent Spoofer, Canvas Block and Self-Destructing Cookies.*********/// STARTUP// 0100: STARTUP// 0101: Disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser checkuser_pref("browser.slowStartup.notificationDisabled", true);user_pref("browser.slowStartup.maxSamples", 0);user_pref("browser.slowStartup.samples", 0);user_pref("browser.rights.3.shown", true);user_pref("browser.startup.homepage_override.mstone", "ignore");user_pref("startup.homepage_welcome_url", "");user_pref("startup.homepage_override_url", "");user_pref("browser.feeds.showFirstRunUI", false);user_pref("browser.shell.checkDefaultBrowser", false);// GEO// 0200: GEO// 0201: Disable location-aware browsinguser_pref("geo.enabled", false);user_pref("geo.wifi.uri", "http://127.0.0.1");user_pref("browser.search.geoip.url", "");// 0202: Disable GeoIP-based search resultsuser_pref("browser.search.countryCode", "US");user_pref("browser.search.region", "US");// QUIET FOX PART 1// 0300: QUIET FOX [PART 1] - Don't phone home for anything; manual updates are still possible// 0301: Disable browser auto updateuser_pref("app.update.enabled", false);// 0302: Disable browser auto installing update when you do a manual checkuser_pref("app.update.auto", false);// 0303: Disable search updateuser_pref("browser.search.update", false);// 0304: Disable add-ons auto checking for new versionsuser_pref("extensions.update.enabled", false);// 0305: Disable add-ons auto updateuser_pref("extensions.update.autoUpdateDefault", false);// 0306: Disable add-on metadata updatinguser_pref("extensions.getAddons.cache.enabled", false);// 0307: Disable auto updating of personas (themes)user_pref("lightweightThemes.update.enabled", false);// 0308: Disable update plugin notificationsuser_pref("plugins.update.notifyUser", false);// 0309: Enable Information Bar for Outdated Pluginsuser_pref("plugins.hide_infobar_for_outdated_plugin", false);// 0310: Disable sending plugin crash reports - keep FF quietuser_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);// 0311: Disable sending the URL of the website where a plugin crasheduser_pref("dom.ipc.plugins.reportCrashURL", false);// 0320: Disable extension discoveryuser_pref("extensions.webservice.discoverURL", "http://127.0.0.1");// 0330: Disable telemetryuser_pref("toolkit.telemetry.unified", false);user_pref("toolkit.telemetry.enabled", false);// 0331: Remove url of server telemetry pings are sent touser_pref("toolkit.telemetry.server", "");// 0332: Disable archiving pings locallyuser_pref("toolkit.telemetry.archive.enabled", false);// 0333: Disable health reportuser_pref("datareporting.healthreport.uploadEnabled", false);user_pref("datareporting.healthreport.documentServerURI", "");user_pref("datareporting.healthreport.service.enabled", false);user_pref("datareporting.policy.dataSubmissionEnabled", false);// 0340: Disable experimentsuser_pref("experiments.enabled", false);user_pref("experiments.manifest.uri", "");user_pref("experiments.supported", false);user_pref("experiments.activeExperiment", false);// 0341: Disable mozilla permission to silently opt you into testsuser_pref("network.allow-experiments", false);// 0350: Disable crash reportsuser_pref("breakpad.reportURL", "");// 0360: Disable new tab tile ads & preload & marketing junkuser_pref("browser.newtab.preload", false);user_pref("browser.newtabpage.directory.ping", "");user_pref("browser.newtabpage.directory.source", "");user_pref("browser.newtabpage.enabled", false);user_pref("browser.newtabpage.enhanced", false);user_pref("browser.newtabpage.introShown", true);// 0361: Control newtab behaviouruser_pref("browser.newtabpage.enabled", false);user_pref("browser.newtab.url", "about:blank");// 0370: Control snippet serviceuser_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");// 0371: Disable heartbeatuser_pref("browser.selfsupport.url", "");// 0372: Disable hellouser_pref("loop.enabled", false);// 0373: Disable pocket, remove urls for good measureuser_pref("browser.pocket.enabled", false);user_pref("reader.parse-on-load.enabled", false);user_pref("browser.pocket.api", "");user_pref("browser.pocket.site", "");// 0374: Disable "social" integrationuser_pref("social.whitelist", "");user_pref("social.toast-notifications.enabled", false);user_pref("social.shareDirectory", "");user_pref("social.remote-install.enabled", false);user_pref("social.directories", "");user_pref("social.share.activationPanelEnabled", false);// QUIET FOX PART 2// 0400: QUIET FOX [PART 2] - Security, tracking and privacy implications// 0401: Don't disable extension blocklistuser_pref("extensions.blocklist.enabled", true);// 0402: Disable block reported web forgeriesuser_pref("browser.safebrowsing.enabled", false);// 0410: Disable block reported attack sitesuser_pref("browser.safebrowsing.malware.enabled", false);// 0411: Disable safebrowsing urls & downloaduser_pref("browser.safebrowsing.downloads.enabled", false);user_pref("browser.safebrowsing.downloads.remote.enabled", false);user_pref("browser.safebrowsing.appRepURL", "");user_pref("browser.safebrowsing.gethashURL", "");user_pref("browser.safebrowsing.malware.reportURL", "");user_pref("browser.safebrowsing.reportErrorURL", "");user_pref("browser.safebrowsing.reportGenericURL", "");user_pref("browser.safebrowsing.reportMalwareErrorURL", "");user_pref("browser.safebrowsing.reportMalwareURL", "");user_pref("browser.safebrowsing.reportPhishURL", "");user_pref("browser.safebrowsing.reportURL", "");user_pref("browser.safebrowsing.updateURL", "");// 0420: Disable tracking protectionuser_pref("privacy.trackingprotection.enabled", false);user_pref("browser.trackingprotection.gethashURL", "");user_pref("browser.trackingprotection.getupdateURL", "");user_pref("privacy.trackingprotection.pbmode.enabled", false);// 0430: Enable IDN Show Punycodeuser_pref("network.IDN_show_punycode", true);// 0440: Disallow NTLMv1user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);user_pref("network.stricttransportsecurity.preloadlist", true);// BLOCK IMPLICIT OUTBOUND// 0600: BLOCK IMPLICIT OUTBOUND (not explicitly asked for - eg clicked on)// 0601: Disable link prefetchinguser_pref("network.prefetch-next", false);// 0602: Disable dns prefetchinguser_pref("network.dns.disablePrefetch", true);user_pref("network.dns.disablePrefetchFromHTTPS", true);// 0603: Disable seer/neckouser_pref("network.predictor.enabled", false);// 0604: Disable search suggestionsuser_pref("browser.search.suggest.enabled", false);// 0605: Disable link-mouseover opening connection to linked serveruser_pref("network.http.speculative-parallel-limit", 0);// 0606: Disable pings (but enforce same host in case)user_pref("browser.send_pings", false);user_pref("browser.send_pings.require_same_host", true);// LOCATION / SEARCH / HISTORY etc// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc// 0801: Disable location bar using search, give error message insteaduser_pref("keyword.enabled", false);// 0802: Disable location bar domain guessinguser_pref("browser.fixup.alternate.enabled", false);// 0803: Disable location bar dropdownuser_pref("browser.urlbar.maxRichResults", 0);// 0804: Display all parts of the urluser_pref("browser.urlbar.trimURLs", false);// 0805: Disable URLbar autofilluser_pref("browser.urlbar.autoFill", false);user_pref("browser.urlbar.autoFill.typed", false);// 0806: Disable autocompleteuser_pref("browser.urlbar.autocomplete.enabled", false);// 0807: Disable history manipulation user_pref("browser.history.allowPopState", true);user_pref("browser.history.allowPushState", true);user_pref("browser.history.allowReplaceState", true);// 0808: Don't remember browsing historyuser_pref("places.history.enabled", false);// 0809: Delete History and Form Datauser_pref("browser.history_expire_days", 0);user_pref("browser.history_expire_sites", 0);user_pref("browser.history_expire_visits", 0);// 0810: Disable history suggestionsuser_pref("browser.urlbar.suggest.history", false);// 0811: Limit history PER TAB (back/forward)user_pref("browser.sessionhistory.max_entries", 4);// 0812: Disable css querying page historyuser_pref("layout.css.visited_links_enabled", false);// 0813: Disable displaying Javascript in history URLsuser_pref("browser.urlbar.filter.javascript", true);// 0814: Disable saving information entered in web forms AND the search baruser_pref("browser.formfill. enable", false);// 0815: Disable saving form data on secure websites (default=true)user_pref("browser.formfill.saveHttpsForms", false);// 0816: Disable auto-filling username & password form fieldsuser_pref("signon.autofillForms", false);// 0817: Disable Prompting for Credential Storageuser_pref("security.ask_for_password", 0);// 0818: Disallow Credential Storageuser_pref("signon.rememberSignons", false);// CACHE// 1000: CACHE// 1001: Disable disk cacheuser_pref("browser.cache.disk.enable", false);// 1002: Disable disk caching of SSL pagesuser_pref("browser.cache.disk_cache_ssl", false);// 1003: Disable memory cacheuser_pref("browser.cache.memory.enable", false);// 1004: Disable offline cacheuser_pref("browser.cache.offline.enable", false);// 1005: Disable storing extra session datauser_pref("browser.sessionstore.privacy_level", 2);user_pref("browser.sessionstore.privacy_level_deferred", 2);// 1006: Remove sessionstore datauser_pref("browser.sessionstore.postdata", 0);user_pref("browser.sessionstore.enabled", false);// SSL / OCSP / CIPHERS// 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS)// 1201: Warn of missing SSLuser_pref("security.ssl.warn_missing_rfc5746", 1);// 1202: TLS 1.[012]user_pref("security.tls.version.min", 1);user_pref("security.tls.version.max", 3);user_pref("security.warn_entering_weak", true);// 1203: OSCP staplinguser_pref("security.ssl.enable_ocsp_stapling", false);// 1204: Security renegotiation// user_pref("security.ssl.require_safe_negotiation", true);// 1205: Display warning (red padlock) for "broken security"user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);// 1206: Require certificate revocation check through OCSP protocoluser_pref("security.OCSP.require", false);// 1207: Query OCSP responder servers to confirm current validity of certificatesuser_pref("security.OCSP.enabled", 0);// 1208: Enforce strict pinninguser_pref("security.cert_pinning.enforcement_level", 2);user_pref("security.ssl.errorReporting.automatic", false);// 1209: Disable null ciphersuser_pref("security.ssl3.rsa_null_sha", false);user_pref("security.ssl3.rsa_null_md5", false);user_pref("security.ssl3.ecdhe_rsa_null_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);user_pref("security.ssl3.ecdh_rsa_null_sha", false);user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);// 1210: Seeduser_pref("security.ssl3.rsa_seed_sha", false);// 1211: 40 bitsuser_pref("security.ssl3.rsa_rc4_40_md5", false);user_pref("security.ssl3.rsa_rc2_40_md5", false);// 1212: 56 bitsuser_pref("security.ssl3.rsa_1024_rc4_56_sha", false);// 1213: 128 bitsuser_pref("security.ssl3.rsa_camellia_128_sha", false);user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);// 1214: RC4user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);user_pref("security.ssl3.rsa_rc4_128_md5", false);user_pref("security.ssl3.rsa_rc4_128_sha", false);// 1215: 3DESuser_pref("security.ssl3.dhe_dss_des_ede3_sha", false);user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);user_pref("security.ssl3.rsa_des_ede3_sha", false);user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);// 1216: Ciphers with ECDH (without /e$/)user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);// 1217: 256 bits without PFSuser_pref("security.ssl3.rsa_camellia_256_sha", false);// 1218: Ciphers with ECDHE and > 128bitsuser_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);// 1219: GCM, yes please!user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);// 1220: Susceptible to the logjam attackuser_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);// 1221: Ciphers with DSA (max 1024 bits)user_pref("security.ssl3.dhe_dss_aes_128_sha", false);user_pref("security.ssl3.dhe_dss_aes_256_sha", false);user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);// 1222: Fallbacks due compatibility reasonsuser_pref("security.ssl3.rsa_aes_256_sha", true);user_pref("security.ssl3.rsa_aes_128_sha", true);// FONTS// 1400: FONTS// 1401: Disable website downloading fontsuser_pref("browser.display.use_document_fonts", 0);// 1402: But for FF41+ allow icon fonts (gylphs) throughuser_pref("gfx.downloadable_fonts.enabled", true);// 1403: iSEC Partners Report recommends disablinguser_pref("gfx.font_rendering.opentype_svg.enabled", false);// HEADERS// 1600: HEADERS// 1601: Disable Referer from an SSL Websiteuser_pref("network.http.sendSecureXSiteReferrer", false);// 1602: DNT HTTP headeruser_pref("privacy.donottrackheader.enabled", true);user_pref("privacy.donottrackheader.value", 1);// 1603: Referreruser_pref("network.http.sendRefererHeader",2);user_pref("network.http.referer.spoofSource", true);// PLUGINS// 1800: PLUGINS// 1801: Set default plugin stateuser_pref("plugin.default.state", 0);user_pref("plugin.defaultXpi.state", 0);// 1802: Enable click to play and set to 0 minutesuser_pref("plugins.click_to_play", true);user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);user_pref("plugin.state.flash", 0);// 1803: Remove plugin finder serviceuser_pref("pfs.datasource.url", "");// 1804: Disable plugin enumerationuser_pref("security.xpconnect.plugin.unrestricted", false);// 1805: Disable scanning for pluginsuser_pref("plugin.scan.plid.all", false);// 1806: Acrobat, Quicktime, WMP are handled separatelyuser_pref("plugin.scan.Acrobat", 99999);user_pref("plugin.scan.Quicktime", 99999);user_pref("plugin.scan.WindowsMediaPlayer", 99999);// 1807: Disable auto-play of HTML5 mediauser_pref("media.autoplay.enabled", false);// 1808: Disable OpenH264user_pref("media.gmp-provider.enabled", false);// MEDIA / CAMERA / MIKE// 2000: MEDIA / CAMERA / MIKE// 2001: Disable webRTCuser_pref("media.peerconnection.enabled", false);user_pref("media.peerconnection.use_document_iceservers", false);user_pref("media.peerconnection.video.enabled", false);user_pref("media.peerconnection.identity.timeout", 1);// 2002: Disable WebRTC auto-connectionsuser_pref("media.gmp-gmpopenh264.enabled", false);user_pref("media.gmp-manager.url", "");// 2003: Disable EME bitsuser_pref("browser.eme.ui.enabled", false);user_pref("media.gmp-eme-adobe.enabled", false);user_pref("media.eme.enabled", false);user_pref("media.eme.apiVisible", false);// 2004: GetUserMediauser_pref("media.navigator.enabled", false);// 2010: Disable webGLuser_pref("webgl.disabled", true);user_pref("pdfjs.enableWebGL", false);user_pref("webgl.min_capability_mode", true);user_pref("webgl.disable-extensions", true);// 2020: Disable video statistics fingerprinting vectoruser_pref("media.video_stats.enabled", false);// 2021: Disable speech recognitionuser_pref("media.webspeech.recognition.enable", false);// 2022: Disable screensharinguser_pref("media.getusermedia.screensharing.enabled", false);user_pref("media.getusermedia.screensharing.allowed_domains", "");// 2023: Disable camera stuffuser_pref("camera.control.autofocus_moving_callback.enabled", false);user_pref("camera.control.face_detection.enabled", false);// UI meddling// 2200: UI meddling// 2201: Disable website control over rightclick context menuuser_pref("dom.event.contextmenu.enabled", false);// 2202: Disable DOM web notificationsuser_pref("dom.webnotifications.enabled", false);// 2203: UI SPOOFING: disable scripts hiding or disabling the following on new windowsuser_pref("dom.disable_window_open_feature.location", true);user_pref("dom.disable_window_open_feature.menubar", true);user_pref("dom.disable_window_open_feature.resizable", true);user_pref("dom.disable_window_open_feature.scrollbars", true);user_pref("dom.disable_window_open_feature.status", true);user_pref("dom.disable_window_open_feature.toolbar", true);// 2204: POPUP windows - prevent or allow javascript UI meddlinguser_pref("dom.disable_window_flip", true); // window z-orderuser_pref("dom.disable_window_move_resize", true);user_pref("dom.disable_window_open_feature.close", true);user_pref("dom.disable_window_open_feature.minimizable", true);user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbaruser_pref("dom.disable_window_open_feature.titlebar", true);user_pref("dom.disable_window_status_change", true);user_pref("dom.allow_scripts_to_close_windows", false);// DOM - JAVASCRIPT// 2400: DOM - JAVASCRIPT// 2401: Disable javascript optionsuser_pref("javascript.options.methodjit.chrome", false);user_pref("javascript.options.methodjit.content", false);user_pref("javascript.options.asmjs", false);// 2402: Disable dom storageuser_pref("dom.storage.enabled", false);// 2403: Disable website access to clipboard eventsuser_pref("dom.event.clipboardevents.enabled", false);// 2404: Disable scripts changing images eg google maps - will break a lot of web apps// user_pref("dom.disable_image_src_set", true);// 2405: Disable JS storing data permanentlyuser_pref("dom.indexedDB.enabled", false);// 2406: Web telephonyuser_pref("dom.telephony.enabled", false);// 2407: Disable gamepad APIuser_pref("dom.gamepad.enabled", false);// 2408: Disable battery APIuser_pref("dom.battery.enabled", false);// 2409: Disable network APIuser_pref("dom.network.enabled", false);// 2410: Disable giving away network infouser_pref("dom.netinfo.enabled", false);// 2411: Disable User Timing APIuser_pref("dom.enable_user_timing", false);// 2412: Disable resource/navigation timinguser_pref("dom.enable_resource_timing", false);// 2413: Javascript performace fingerprintinguser_pref("dom.enable_performance", false);// 2414: Disable virtual reality devicesuser_pref("dom.vr.enabled", false);// 2415: Disable shaking the screenuser_pref("dom.vibrator.enabled", false);// 2416: Max popups from a single non-click eventuser_pref("dom.popup_maximum", 3);// 2417: Disable idle observationuser_pref("dom.idle-observers-api.enabled", false);// 2418: Disable SharedWorkers for nowuser_pref("dom.workers.sharedWorkers.enabled", false);// 2419: Disbale full-screen APIuser_pref("full-screen-api.enabled", false);// MISC - LEAKS// 2600: LEAKS / FINGERPRINTING / PRIVACY / SECURITY// 2601: Disable sending additional analytics to web serversuser_pref("beacon.enabled", false);// 2602: Disable downloading on desktopuser_pref("browser.download.folderList", 2);// 2603: Always ask the user where to downloaduser_pref("browser.download.useDownloadDir", false);// 2604: Delete temp files on exituser_pref("browser.helperApps.deleteTempFileOnExit", true);// 2605: Don't integrate activity into windows recent documentsuser_pref("browser.download.manager.addToRecentDocs", false);// 2606: Delete download historyuser_pref("browser.download.manager.retention", 0);// 2607: Disable hiding mime types in prefs applications tab that are not associated with a pluginuser_pref("browser.download.hide_plugins_without_extensions", false);// 2608: Disable page thumbnailsuser_pref("browser.pagethumbnails.capturing_disabled", true);// 2609: Disable JAR from opening Unsafe File Typesuser_pref("network.jar.open-unsafe-types", false);// 2610: Disable insecure active content on https pages - mixed contentuser_pref("security.mixed_content.block_active_content", true);// 2611: Disable insecure passive content (such as images) on https pages - mixed contextuser_pref("security.mixed_content.block_display_content", true);// 2612: Content security policyuser_pref("security.csp.enable", true);user_pref("security.csp.experimentalEnabled", true);// 2613: Disable WebIDE to prevent remote debugging and addon downloadsuser_pref("devtools.webide.autoinstallADBHelper", false);user_pref("devtools.webide.autoinstallFxdtAdapters", false);user_pref("devtools.debugger.remote-enabled", false);user_pref("devtools.webide.enabled", false);// 2614: Strict File URI Origin Policyuser_pref("security.fileuri.strict_origin_policy", true);// 2615: Sub-resource integrityuser_pref("security.sri.enable", true);// 2616: Disable SimpleServiceDiscoveryuser_pref("browser.casting.enabled", false);user_pref("gfx.layerscope.enabled", false);// 2617: Disable device sensor APIuser_pref("device.sensors.enabled", false);// 2618: Disable SPDYuser_pref("network.http.spdy.enabled", false);user_pref("network.http.spdy.enabled.v3-1", false);// 2619: Disable http/2 for now as welluser_pref("network.http.spdy.enabled.http2", false);user_pref("network.http.spdy.enabled.http2draft", false);// 2620: Disable pdf.jsuser_pref("pdfjs.disabled", true);// 2621: When using SOCKS have the proxy server do the DNS lookupuser_pref("network.proxy.socks_remote_dns", true);// 2622: limit HTTP redirects// user_pref("network.http.redirection-limit", 20);// PERSONAL SETTINGS (with privacy implications)// 2800: PERSONAL SETTINGS [that have PRIVACY implications]// 2801: Disable cookiesuser_pref("network.cookie.cookieBehavior", 1);user_pref("network.cookie.lifetimePolicy", 2);// 2802: Enable FF to clear stuff on shutdownuser_pref("privacy.sanitize.sanitizeOnShutdown", true);// 2803: Tell FF what to clearuser_pref("privacy.clearOnShutdown.cache", true);user_pref("privacy.clearOnShutdown.cookies", true);user_pref("privacy.clearOnShutdown.downloads", true);user_pref("privacy.clearOnShutdown.formdata", true);user_pref("privacy.clearOnShutdown.history", true);user_pref("privacy.clearOnShutdown.offlineApps", true);user_pref("privacy.clearOnShutdown.passwords", true);user_pref("privacy.clearOnShutdown.sessions", true); // active loginsuser_pref("privacy.clearOnShutdown.siteSettings", true);// 2804: (To match above)user_pref("privacy.cpd.cache", true);user_pref("privacy.cpd.cookies", true);user_pref("privacy.cpd.downloads", true);user_pref("privacy.cpd.formdata", true);user_pref("privacy.cpd.history", true);user_pref("privacy.cpd.offlineApps", true);user_pref("privacy.cpd.passwords", true);user_pref("privacy.cpd.sessions", true);user_pref("privacy.cpd.siteSettings", true);// 2805: Always use private browsinguser_pref("browser.privatebrowsing.autostart", true);// HANDY SETTINGS// 3000: PERSONAL HANDY SETTINGS// 3001: Disable annoying warningsuser_pref("general.warnOnAboutConfig", false);user_pref("browser.tabs.warnOnClose", false);user_pref("browser.tabs.warnOnCloseOtherTabs", false);user_pref("browser.tabs.warnOnOpen", false);// 3002: Disable warning when a domain requests full screen// user_pref("full-screen-api.warning.timeout", 0); // FF43+// 3003: Disable closing browser with last tabuser_pref("browser.tabs.closeWindowWithLastTab", false);// 3004: Disable new search panel UIuser_pref("browser.search.showOneOffButtons", false);// 3005: Disable backspaceuser_pref("browser.backspace_action", 2);// 3006: Disable autocopy defaultuser_pref("clipboard.autocopy", false);//3007: Turn on full native HTML5 player supportuser_pref ("media.fragmented-mp4.enabled", true);user_pref ("media.fragmented-mp4.exposed", true);user_pref ("media.fragmented-mp4.ffmpeg.enabled", true);user_pref ("media.fragmented-mp4.gmp.enabled", true);user_pref ("media.fragmented-mp4.use-blank-decoder", false);// 4000: TOR BROWSER BUNDLE ABOUT:CONFIG CHANGES// 4001: Compatible Tor Browser config changes v5.5a4user_pref ("accessibility.typeaheadfind.flashBar", 0); //The Find Toolbar has flashed before; don’t flash when text is founduser_pref ("browser.cache.disk.capacity", 0); //Tor = 358400. 0 = do not cache files on the hard-driveuser_pref ("browser.cache.disk.smart_size.first_run", false); //Indicates whether or not this is the first time smart sizing has been useduser_pref ("browser.cache.frecency_experiment", -1); //Tor = 1. -1 disables experimental HTTP_CACHE_MISS_HALFLIFE_EXPERIMENT telemetry and the preferred value for frecency is set to 6hrsuser_pref ("gfx.font_rendering.graphite.enabled", false);user_pref ("javascript.options.baselinejit", false); //Tor setting is javascript.options.baselinejit.contentuser_pref ("javasscript.options.ion", false); //Tor setting is javascript.options.ion.contentuser_pref ("network.jar.block-remote-files", true); //.jar are rarely used and potentially dangeroususer_pref ("network.predictor.cleaned-up", true); //Unclear what it does, but recommended in multiple forums// 5000: DESTROY ADDITIONAL CACHES & URL REPORTING// 5001: Eliminate additional cachesuser_pref ("browser.cache.check_doc_frequency", 2); //Compare the page in cache to the page on the network (1 = Every time I view the page, 0 = Once per session, 3 = When the page is out of date (default), 2 = Never)//user_pref ("browser.cache.disk.filesystem_reported", 0); //Unclear, so left at default (1) for the momentuser_pref ("browser.cache.disk.free_space_hard_limit", 0); //Zero spaceuser_pref ("browser.cache.disk.free_space_soft_limit", 0); //Zero spaceuser_pref ("browser.cache.disk.max_chunks_memory_usage", 0); //Zero spaceuser_pref ("browser.cache.disk.max_entry_size", 0); //Zero spaceuser_pref ("browser.cache.disk.max_priority_chunks_memory_usage", 0); //Zero spaceuser_pref ("browser.cache.disk.metadata_memory_limit",0); //Zero spaceuser_pref ("browser.cache.disk.preload_chunk_count", 0); //Zero spaceuser_pref ("browser.cache.disk.smart_size.use_old_max", false); //Indicates whether to use old cache disk smart size//user_pref ("browser.cache.frecency_half_life_hours", 0); //Redundant, as set browser.cache.frecency_experiment to -1 defaults frecency to 6hrsuser_pref ("browser.cache.memory.max_entry_size", 0); //The maximum size of an entry in the disk cacheuser_pref ("browser.cache.offline.capacity", 0); //Total offline capacity for cache// 5002: Disable reporting safebrowsing mistake URLs / geo-specific resultsuser_pref ("browser.safebrowsing.reportMalwareMistakeURL", ""); //Disable further reportinguser_pref ("browser.safebrowsing.reportPhishMistakeURL", ""); //Disable further reportinguser_pref ("browser.search.geoSpecificDefaults.url", ""); //Disable geo-specific results 1 OmniNegro reacted to this Quote Share this post Link to post
OmniNegro 155 Posted ... I am having hell on the Windows side attempting to get Firefox v42 to accept the user.js file at all. It simply does not ever apply. Yes, I made a new profile and put it in there before it was ever started. I tried restarting repeatedly, but it never even accesses the file. Anyone have any ideas on how to get this working without hoping into about:config and manually adding/changing each and every one of these? *Edit* 24 hours has passed. No comments. I guess there is no choice anymore. It will take DAYS to get all this shit straightened out if I do nothing else. Please do comment if you have an idea or solution that could work. Quote Hide OmniNegro's signature Hide all signatures Debugging is at least twice as hard as writing the program in the first place.So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it. Share this post Link to post
zhang888 1066 Posted ... There is a new project that might be more useful.At least it is fully customizable and easy to understand and integrate. https://ffprofile.com 4 mrgrey, go558a83nk, OmniNegro and 1 other reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
OmniNegro 155 Posted ... Thank you zhang888. I will give it a try. Quote Hide OmniNegro's signature Hide all signatures Debugging is at least twice as hard as writing the program in the first place.So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it. Share this post Link to post
OmniNegro 155 Posted ... There is a new project that might be more useful.At least it is fully customizable and easy to understand and integrate. https://ffprofile.comThis works well. But the newest version of FF cannot use all the extensions I am using, so I am sticking to an old profile for the moment. Thank you for the idea. This really is as close to perfect as possible. Quote Hide OmniNegro's signature Hide all signatures Debugging is at least twice as hard as writing the program in the first place.So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it. Share this post Link to post
knighthawk 19 Posted ... Just wanted to say thanks, these have been really helpful and handy to have in one place! Quote Share this post Link to post
go558a83nk 362 Posted ... I've tried a few different days that ffprofile site and keep getting error 500 (that means it's on their end). how have y'all been able to get it done? Quote Share this post Link to post
go558a83nk 362 Posted ... hello? anybody get the ffprofile site to work? I can get through the first 2 steps then I always get 500 error. Quote Share this post Link to post
zhang888 1066 Posted ... Works fine, try from another browser or the Tor browser. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
plasmahidef 1 Posted ... I am having hell on the Windows side attempting to get Firefox v42 to accept the user.js file at all. It simply does not ever apply. Yes, I made a new profile and put it in there before it was ever started. I tried restarting repeatedly, but it never even accesses the file. Anyone have any ideas on how to get this working without hoping into about:config and manually adding/changing each and every one of these? I had the same problem. I couldn't figure out why it was not working. Then, I noticed on exisiting "default" profile that I did not have a user.js but had something called prefs. So following are the steps that should work, as it worked for me. 1) Find you "user.js" file and save as "prefs.js" file. 2) Create a new profile.3) Next, add this "prefs.js" file to the profile. Make sure you do this before starting Firefox. 4) Start Firefox using the new profile. All the changes as shown in "user.js" file should get applied. 5) You now can add your extension, bookmarks, etc. I hope this helps. 1 snaggle reacted to this Quote Share this post Link to post
wintermute1912 6 Posted ... This is incredible work!! I've only just been referred to this resource and am still getting my head around it so I apologise if the following question is inappropriate I've been reviewing the recommendations at https://privacytools.io and am wondering if the following additions might be necessary for the latest version of Firefox? user_pref ("privacy.firstparty.isolate", true);user_pref ("privacy.resistFingerprinting", true);user_pref ("browser.urlbar.speculativeConnect.enabled", false);user_pref ("media.gmp-widevinecdm.enabled", false);user_pref ("media.navigator.enabled", false);user_pref ("network.http.referer.trimmingPolicy", 2);user_pref ("network.http.referer.XOriginPolicy", 2);user_pref ("network.http.referer.XOriginTrimmingPolicy", 2);user_pref ("browser.sessionstore.privacy_level", 2); Quote Hide wintermute1912's signature Hide all signatures Share this post Link to post
WaNNaBEAnoNymoUs 10 Posted ... ^ Depends what you want for firefox. I personally use those. Quote Hide WaNNaBEAnoNymoUs's signature Hide all signatures "You don't have to be a genius to sound like one." - BDS Share this post Link to post
win8 7 Posted ... And you dont have any issues? With such setting aliexpress errors out on payments Quote Share this post Link to post
wintermute1912 6 Posted ... ^ Depends what you want for firefox. I personally use those.When you say you use them do you mean you do modify the values or leave the defaults in place? Quote Hide wintermute1912's signature Hide all signatures Share this post Link to post
WaNNaBEAnoNymoUs 10 Posted ... ^ Depends what you want for firefox. I personally use those.When you say you use them do you mean you do modify the values or leave the defaults in place?I modify. Quote Hide WaNNaBEAnoNymoUs's signature Hide all signatures "You don't have to be a genius to sound like one." - BDS Share this post Link to post
wintermute1912 6 Posted ... I do all that kind of stuff using my clearnet identity on Windows in Chrome cos yeah these settings will break a lot of sites that need to, well, compromise your privacy! lolSWIM (Someone I might know) tells me these settings render a lot of adult content sites inoperable too. And you dont have any issues? With such setting aliexpress errors out on payments Quote Hide wintermute1912's signature Hide all signatures Share this post Link to post