Jump to content
Not connected, Your IP:

Search the Community

Showing results for tags 'Custom Firefox Profiles'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • AirVPN
    • News and Announcement
    • How-To
    • Databases
  • Community
    • General & Suggestions
    • Troubleshooting and Problems
    • Blocked websites warning
    • Eddie - AirVPN Client
    • DNS Lists
    • Reviews
    • Other VPN competitors or features
    • Nonprofit
    • Off-Topic
  • Other Projects
    • IP Leak
    • XMPP

Product Groups

  • AirVPN Access
  • Coupons
  • Misc

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start



Website URL







XMPP / Jabber




Found 1 result

  1. /******** * ULTIMATE HARDENED FIREFOX USER.JS * Combines changes outlined in ghacks.net and GitHub's hardened FF profiles as at October 2015. The GHacks version was used as the base profile, with additional Github privacy/settings inserted (marked with 'GITHUB' label). * Successfully tested with Linux FF 41.0.2 (Youtube etc). * All credits to the primary authors and many contributors from Github, GHacks Forums and Wilders Security Forums who did the hard yards. * Minor changes have been made by this author to further increase privacy and convenience e.g. no OCSP checks due to third parties involved, changes to cookie policies/behaviours, disabling of spdy, using all privacy options to clear data/cookies etc upon FF shutdown, enabling full native HTML5 support by default (and several others). * This entire text block should be saved to a new file named user.js ********/ /********* * The two original user.js profiles used to create this 'ultimate' privacy/security profile can be found here: * url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/ * url: https://github.com/pyllyukko/user.js * This is NOT a "comprehensive" list of ALL things privacy/security-related, otherwise it would be enormous. * It is actually a long list of settings that generally differ from their defaults, and is aimed at improving security, privacy, a "quieter" FF, fingerprinting, and tracking - while allowing (most) functionality. There will be trade-offs and conflicts between these. * IMPORTANT STEPS: * Note: user.js - this OVER-WRITES any corresponding about:config entries on Firefox start if accidentally stored in the default folder! see: http://kb.mozillazine.org/User.js_file To avoid this problem, carefully follow the steps below: 1. Create a new FF profile and directory to store this new version of user.js for testing purposes. * To create a new profile in GNU/Linux, the FF profile manager can be accessed via the terminal (Alt-F2): firefox -P * Create a new profile, give it a suitable name, and then shutdown FF. * To access the FF profile manager in other O/S and create new profiles, see simple Mozilla notes online. 3. This entire text file should be saved as user.js and moved to the new profile directory you just created. * In GNU/Linux, run in terminal: ls .mozilla/firefox You will see that FF profiles are stored (hidden) under your home directory: ./mozilla/firefox * In Windoze, you need to drop the user.js file to %appdata%\Mozilla\Firefox\Profiles\XXXXXXXX.your_new_profile_name. * Do NOT touch the 'XXXXXX.default' profile directory or dump your new user.js in the default folder! You will lose all your current 'default' settings, bookmarks and other data! 4. Restart Firefox and select your new profile at start-up. Voila! You now have a 'secure' profile available alongside your 'default' profile. * NOTE: BEFORE deciding to use this new user.js, you SHOULD actually read what the prefs do (information is provided, and links) and if necessary, change, remove or comment out with two forward slashes (//) any preferences you're not happy with or not sure about. * COMMON PROBLEMS: some prefs will break a number of popular sites (it's inevitable). In particular, these two settings below may need to be reset to defaults to stop breakage: security.OCSP.require dom.indexedDB.enabled * ADDITIONAL FF CHANGES: Add-ons are also essential for safer browsing e.g. HTTPS Everywhere, No-Script & Canvas Blocker (stops HTML5 canvas/image data extraction). Also strongly consider installing UBlock Origin, Privacy Badger, Self-destructing Cookies and Random Agent Spoofer as complimentary add-ons. * In preferences, set your default homepage to a search provider that doesn't track by default e.g. https://search.disconnect.me Consider also turning off hardware acceleration as it is understood to be a possible attack vector (?), along with cached web content settings (set to zero MB). * Other general FF settings for better security - set all plug-ins to 'never activate' and do not install additional themes/services/languages. They are all likely to be trackable identifiers, and plug-ins are further notorious for leaking lots of data about your system and protocols. *********/ // STARTUP // 0100: STARTUP // 0101: disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser check user_pref("browser.slowStartup.notificationDisabled", true); user_pref("browser.slowStartup.maxSamples", 0); user_pref("browser.slowStartup.samples", 0); user_pref("browser.rights.3.shown", true); user_pref("browser.startup.homepage_override.mstone", "ignore"); user_pref("startup.homepage_welcome_url", ""); user_pref("startup.homepage_override_url", ""); user_pref("browser.feeds.showFirstRunUI", false); user_pref("browser.shell.checkDefaultBrowser", false); // GEO // 0200: GEO // 0201: disable location-aware browsing user_pref("geo.enabled", false); user_pref("geo.wifi.uri", ""); user_pref("browser.search.geoip.url", ""); // 0202: disable GeoIP-based search results - https://trac.torproject.org/projects/tor/ticket/16254 user_pref("browser.search.countryCode", "US"); user_pref("browser.search.region", "US"); // QUIET Fox Part 1 // 0300: QUIET FOX [PART 1] - no (auto) phoning home for anything - you can still do manual updates // NOTE: It is still important to do updates for security reasons. If you don't auto update then make sure you do manually in a timely fashion // NOTE: There are many legitimate reasons for turning off AUTO updating, including hijacked moneytized extensions, // time contraints, legacy issues, and trepidation of breakage (easier to wait for others to report bugs) // 0301: disable browser auto update user_pref("app.update.enabled", false); // 0302: disable browser auto installing update when you do a manual check user_pref("app.update.auto", false); // 0303: disable search update user_pref("browser.search.update", false); // 0304: disable add-ons auto checking for new versions user_pref("extensions.update.enabled", false); // 0305: disable add-ons auto update user_pref("extensions.update.autoUpdateDefault", false); // 0306: disable add-on metadata updating - sends daily pings to mozilla about extensions and recent startups - privacy issue user_pref("extensions.getAddons.cache.enabled", false); // 0307: disable auto updating of personas (themes) user_pref("lightweightThemes.update.enabled", false); // 0308: disable update plugin notifications - if you're using flash, java, silverlight - turn on their own auto-update mechanisms // also see 1804 below - Mozilla only checks a few plugins anyway - Silverlight, Flash, Java?, Quicktime? WMP? user_pref("plugins.update.notifyUser", false); // GITHUB 1: CIS Version 1.2.0 October 21st, 2011 2.1.3 Enable Information Bar for Outdated Plugins user_pref("plugins.hide_infobar_for_outdated_plugin", false); // 0309: disable sending plugin crash reports - keep FF quiet user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); // 0310: disable sending the URL of the website where a plugin crashed - privacy issue user_pref("dom.ipc.plugins.reportCrashURL", false); // 0320: disable extension discovery - featured extensions for displaying in Get Add-ons panel user_pref("extensions.webservice.discoverURL", ""); // 0330: disable telemetry // big fat list here: https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html // the pref (.unified) affects the behaviour of the pref (.enabled) // IF unified=false then .enabled controls the telemetry module : IF unfied=true then .enabled ONLY controls whether to record extended data // so make sure to have both set as false user_pref("toolkit.telemetry.unified", false); user_pref("toolkit.telemetry.enabled", false); // 0331: remove url of server telemetry pings are sent to user_pref("toolkit.telemetry.server", ""); // 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false user_pref("toolkit.telemetry.archive.enabled", false); // 0333: disable health report user_pref("datareporting.healthreport.uploadEnabled", false); user_pref("datareporting.healthreport.documentServerURI", ""); user_pref("datareporting.healthreport.service.enabled", false); // 0334: FF41+ see https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html // https://bugzilla.mozilla.org/show_bug.cgi?id=1195552 // This is the master-kill-switch for upload/reporting for Health Reports and Telemetry user_pref("datareporting.policy.dataSubmissionEnabled", false); // 0340: disable experiments user_pref("experiments.enabled", false); user_pref("experiments.manifest.uri", ""); user_pref("experiments.supported", false); user_pref("experiments.activeExperiment", false); // 0341: disable mozilla permission to silently opt you into tests user_pref("network.allow-experiments", false); // 0350: disable crash reports user_pref("breakpad.reportURL", ""); // 0360: disable new tab tile ads & preload & marketing junk user_pref("browser.newtab.preload", false); user_pref("browser.newtabpage.directory.ping", ""); user_pref("browser.newtabpage.directory.source", ""); user_pref("browser.newtabpage.enabled", false); user_pref("browser.newtabpage.enhanced", false); user_pref("browser.newtabpage.introShown", true); // GITHUB2: Control newtab behaviour // https://wiki.mozilla.org/Privacy/Reviews/New_Tab user_pref("browser.newtabpage.enabled", false); // https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off user_pref("browser.newtab.url", "about:blank"); // 0370: https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service user_pref("browser.aboutHomeSnippets.updateUrl", ""); // 0371: disable heartbeat - mozilla user rating telemetry user_pref("browser.selfsupport.url", ""); // 0372: disable hello - a WebRTC mozilla voice & video call that doesn't require an account - WebRTC (IP leak) user_pref("loop.enabled", false); // 0373: disable pocket, remove urls for good measure - a third party "save for later" service - privacy concerns user_pref("browser.pocket.enabled", false); user_pref("reader.parse-on-load.enabled", false); user_pref("browser.pocket.api", ""); user_pref("browser.pocket.site", ""); // 0374: disable "social" integration - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API user_pref("social.whitelist", ""); user_pref("social.toast-notifications.enabled", false); user_pref("social.shareDirectory", ""); user_pref("social.remote-install.enabled", false); user_pref("social.directories", ""); user_pref("social.share.activationPanelEnabled", false); // QUIET Fox Part 2 // 0400: QUIET FOX [PART 2] - NOTE: This section has security & tracking protection implications vs privacy concerns // These settings are geared up to make FF "quiet" & private, if you want safebrowsing & tracking protection then don't use this section (or parts of it) /// 0401: DON'T disable extension blocklist as it is now includes updates for "revoked certificates", this is not a privacy issue // see https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ // NOTE: requires extensions.blocklist.url to be set at default user_pref("extensions.blocklist.enabled", true); // 0402: disable block reported web forgeries - when true this compares visited URLs against a blacklist or submits // URLs to a third party to determine whether a site is legitimate = privacy concerns. This setting is under Options>Security user_pref("browser.safebrowsing.enabled", false); // 0410: disable block reported attack sites - This setting is under Options>Security // safebrowsing uses locally stored data, but if the item is not found, then google is contacted - privacy concerns user_pref("browser.safebrowsing.malware.enabled", false); // 0411: disable safebrowsing urls & download user_pref("browser.safebrowsing.downloads.enabled", false); user_pref("browser.safebrowsing.downloads.remote.enabled", false); user_pref("browser.safebrowsing.appRepURL", ""); user_pref("browser.safebrowsing.gethashURL", ""); user_pref("browser.safebrowsing.malware.reportURL", ""); user_pref("browser.safebrowsing.reportErrorURL", ""); user_pref("browser.safebrowsing.reportGenericURL", ""); user_pref("browser.safebrowsing.reportMalwareErrorURL", ""); user_pref("browser.safebrowsing.reportMalwareURL", ""); user_pref("browser.safebrowsing.reportPhishURL", ""); user_pref("browser.safebrowsing.reportURL", ""); user_pref("browser.safebrowsing.updateURL", ""); // 0420: disable tracking protection - // https://support.mozilla.org/en-US/kb/tracking-protection-firefox // I believe there are no privacy concerns here, but you are better off using an extension such as uBlock Origin // which is not decided by a third party (disconnect) and which is far more effective (when used correctly) user_pref("privacy.trackingprotection.enabled", false); user_pref("browser.polaris.enabled", false); // deprecated? user_pref("browser.trackingprotection.gethashURL", ""); user_pref("browser.trackingprotection.getupdateURL", ""); user_pref("privacy.trackingprotection.pbmode.enabled", false); // GITHUB 3: CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6 Enable IDN Show Punycode // http://kb.mozillazine.org/Network.IDN_show_punycode user_pref("network.IDN_show_punycode", true); // GITHUB 4: Disallow NTLMv1 // https://bugzilla.mozilla.org/show_bug.cgi?id=828183 user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false); // it is still allowed through HTTPS. uncomment the following to disable it completely. //user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false); // https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ // https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List user_pref("network.stricttransportsecurity.preloadlist", true); // BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] // 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] // 0601: disable link prefetching user_pref("network.prefetch-next", false); // 0602: disable dns prefetching user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); // 0603: disable seer/necko user_pref("network.predictor.enabled", false); // 0604: disable search suggestions user_pref("browser.search.suggest.enabled", false); // 0605: disable link-mouseover opening connection to linked server user_pref("network.http.speculative-parallel-limit", 0); // 0606: disable pings (but enforce same host in case) user_pref("browser.send_pings", false); user_pref("browser.send_pings.require_same_host", true); // LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc // 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc // Not ALL of these are strictly needed, some are for the truely paranoid, but included for a more comprehensive list (see comments on each one) // 0801: disable location bar using search, give error message instead - don't leak typos to a search engine - PRIVACY user_pref("keyword.enabled", false); // 0802: disable location bar domain guessing - intercepts DNS "hostname not found errors" and resends a request eg by adding www or .com. // Inconsistent use (eg FQDNs), does not work via Proxy Servers (different error), can send extra unexpected DNS requests, // is a flawed use of DNS (TLDs: why treat .com as the 411 for DNS errors?), privacy issues (why connect to sites you didn't intend to), // can leak sensitive data? (eg query strings: eg Princeton attack), and is a security risk (eg common typos & malicious sites set up to exploit this) - PRIVACY/SECURITY user_pref("browser.fixup.alternate.enabled", false); // 0803: disable location bar dropdown - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.maxRichResults", 0); // 0804: display all parts of the url - why rely on just a visual clue - helps SECURITY user_pref("browser.urlbar.trimURLs", false); // 0805: disable URLbar autofill - http://kb.mozillazine.org/Inline_autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.autoFill", false); user_pref("browser.urlbar.autoFill.typed", false); // 0806: disable autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.autocomplete.enabled", false); // 0807: disable history manipulation - https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history - SECURITY // false=disable, have set to true otherwise it breaks some sites (youtube) ability to correctly show the url in location bar and for the forward/back tab history to work user_pref("browser.history.allowPopState", true); user_pref("browser.history.allowPushState", true); user_pref("browser.history.allowReplaceState", true); // GITHUB 5: Don't remember browsing history user_pref("places.history.enabled", false); // GITHUB 6: CIS Version 1.2.0 October 21st, 2011 2.5.4 Delete History and Form Data // http://kb.mozillazine.org/Browser.history_expire_days user_pref("browser.history_expire_days", 0); // http://kb.mozillazine.org/Browser.history_expire_sites user_pref("browser.history_expire_sites", 0); // http://kb.mozillazine.org/Browser.history_expire_visits user_pref("browser.history_expire_visits", 0); // 0808: disable history suggestions - PRIVACY issue (i.e computer forensics/shoulder surfers) user_pref("browser.urlbar.suggest.history", false); // 0809: limit history PER TAB (back/forward) - history leaks via enumeration - PRIVACY // default=50!! minimum=1=currentpage, 2 is good for some sites/pages to work, 4 may be more practical user_pref("browser.sessionhistory.max_entries", 4); // 0810: disable css querying page history - css history leak - PRIVACY user_pref("layout.css.visited_links_enabled", false); // 0811: disable displaying Javascript in history URLs - SECURITY user_pref("browser.urlbar.filter.javascript", true); // 0812: disable saving information entered in web forms AND the search bar - PRIVACY issue (i.e computer forensics/shoulder surfers) // for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard. user_pref("browser.formfill. enable", false); // 0813: disable saving form data on secure websites (default=true) - PRIVACY issue (i.e computer forensics/shoulder surfers) // for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard. user_pref("browser.formfill.saveHttpsForms", false); // 0814: disable auto-filling username & password form fields (can leak in cross-site forms AND be spoofed) - http://kb.mozillazine.org/Signon.autofillForms // password will still be set after the user name is manually entered - SECURITY user_pref("signon.autofillForms", false); // GITHUB 7: CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage user_pref("security.ask_for_password", 0); // GITHUB 8: CIS Version 1.2.0 October 21st, 2011 2.5.2 Disallow Credential Storage user_pref("signon.rememberSignons", false); // CACHE // 1000: CACHE // 1001: disable disk cache user_pref("browser.cache.disk.enable", false); // 1002: disable disk caching of SSL pages - http://kb.mozillazine.org/Browser.cache.disk_cache_ssl user_pref("browser.cache.disk_cache_ssl", false); // 1003: disable memory cache as well IF you're REALLY paranoid (yep!), you'll take a performance/traffic hit user_pref("browser.cache.memory.enable", false); // 1004: disable offline cache user_pref("browser.cache.offline.enable", false); // 1005: disable storing extra session data 0=all 1=http-only 2=none user_pref("browser.sessionstore.privacy_level", 2); user_pref("browser.sessionstore.privacy_level_deferred", 2); // GITHUB9: Remove sessionstore data // http://kb.mozillazine.org/Browser.sessionstore.postdata // NOTE: relates to CIS 2.5.7 user_pref("browser.sessionstore.postdata", 0); // http://kb.mozillazine.org/Browser.sessionstore.enabled user_pref("browser.sessionstore.enabled", false); // SSL / OCSP / CIPHERS // 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS) // GITHUB 10: Warn of missing SSL // https://developer.mozilla.org/en/Preferences/Mozilla_preferences_for_uber-geeks // see also CVE-2009-3555 user_pref("security.ssl.warn_missing_rfc5746", 1); // GITHUB 11: TLS 1.[012] // http://kb.mozillazine.org/Security.tls.version.max // 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.) // 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol. user_pref("security.tls.version.min", 1); user_pref("security.tls.version.max", 3); // CIS Version 1.2.0 October 21st, 2011 2.2.3 Enable Warning of Using Weak Encryption user_pref("security.warn_entering_weak", true); // 1201: block rc4 fallback and disable whitelist // https://developer.mozilla.org/en-US/Firefox/Releases/38#Security // https://bugzil.la/1138882 // https://rc4.io/ user_pref("security.tls.unrestricted_rc4_fallback", false); user_pref("security.tls.insecure_fallback_hosts.use_static_list", false); // 1203: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ user_pref("security.ssl.enable_ocsp_stapling", false); // 1204: https://wiki.mozilla.org/Security:Renegotiation - eventually this will be set to true by default, // leave commented out for now, as when set to true it can break too many sites eg some microsoft.com ones // user_pref("security.ssl.require_safe_negotiation", true); // 1205: display warning (red padlock) for "broken security" - https://wiki.mozilla.org/Security:Renegotiation user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); // 1206: require certificate revocation check through OCSP protocol. - this leaks information about the sites you visit to the CA // It's a trade-off between security (checking) and privacy (leaking info to the CA) - your choice (default is false) // WARNING: If set to true, this may cause some site breakage - some users have mentioned issues with youtube, microsoft etc user_pref("security.OCSP.require", false); // 1207: query OCSP responder servers to confirm current validity of certificates (default=1) // 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL and security.OCSP.signing user_pref("security.OCSP.enabled", 0); // 1208: enforce strict pinning - https://trac.torproject.org/projects/tor/ticket/16206 (default is 1) // PKP (public key pinning) 0-disabled 1=allow user MITM (such as your antivirus), 2=strict // WARNING: If you rely on an AV (antivirus) to protect your web browsing by inspecting ALL your web traffic, then leave at default =1 user_pref("security.cert_pinning.enforcement_level", 2); // https://support.mozilla.org/en-US/kb/certificate-pinning-reports // // we could also disable security.ssl.errorReporting.enabled, but I think it's // good to leave the option to report potentially malicious sites if the user // chooses to do so. // // you can test this at https://pinningtest.appspot.com/ user_pref("security.ssl.errorReporting.automatic", false); /****************************************************************************** * CIPHERS * * * * you can debug the SSL handshake with tshark: tshark -t ad -n -i wlan0 -T text -V -R ssl.handshake ******************************************************************************/ // GITHUB12: disable null ciphers user_pref("security.ssl3.rsa_null_sha", false); user_pref("security.ssl3.rsa_null_md5", false); user_pref("security.ssl3.ecdhe_rsa_null_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false); user_pref("security.ssl3.ecdh_rsa_null_sha", false); user_pref("security.ssl3.ecdh_ecdsa_null_sha", false); /* GITHUB13: SEED * https://en.wikipedia.org/wiki/SEED */ user_pref("security.ssl3.rsa_seed_sha", false); // GITHUB 14: 40 bits... user_pref("security.ssl3.rsa_rc4_40_md5", false); user_pref("security.ssl3.rsa_rc2_40_md5", false); // GITHUB 15: 56 bits user_pref("security.ssl3.rsa_1024_rc4_56_sha", false); // GITHUB 16: 128 bits user_pref("security.ssl3.rsa_camellia_128_sha", false); user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false); user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false); user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false); user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // GITHUB 17: RC4 (CVE-2013-2566) user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false); user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); user_pref("security.ssl3.rsa_rc4_128_md5", false); user_pref("security.ssl3.rsa_rc4_128_sha", false); user_pref("security.tls.unrestricted_rc4_fallback", false); /* * GITHUB 18: 3DES -> false because effective key size < 128 * * https://en.wikipedia.org/wiki/3des#Security * http://en.citizendium.org/wiki/Meet-in-the-middle_attack * * * See also: * * http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html */ user_pref("security.ssl3.dhe_dss_des_ede3_sha", false); user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false); user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false); user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false); user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false); user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false); user_pref("security.ssl3.rsa_des_ede3_sha", false); user_pref("security.ssl3.rsa_fips_des_ede3_sha", false); // GITHUB 19: Ciphers with ECDH (without /e$/) user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false); user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false); // GITHUB 20: 256 bits without PFS user_pref("security.ssl3.rsa_camellia_256_sha", false); // GITHUB 21: Ciphers with ECDHE and > 128bits user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true); user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true); // GITHUB 22: GCM, yes please! user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true); user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true); // GITHUB 23: Susceptible to the logjam attack - https://weakdh.org/ user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false); user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // GITHUB 24: Ciphers with DSA (max 1024 bits) user_pref("security.ssl3.dhe_dss_aes_128_sha", false); user_pref("security.ssl3.dhe_dss_aes_256_sha", false); user_pref("security.ssl3.dhe_dss_camellia_128_sha", false); user_pref("security.ssl3.dhe_dss_camellia_256_sha", false); // GITHUB 25: Fallbacks due compatibility reasons user_pref("security.ssl3.rsa_aes_256_sha", true); user_pref("security.ssl3.rsa_aes_128_sha", true); // FONTS // 1400: FONTS // 1401: disable websites downloading their own fonts - change this to 0 in FF41+. Note: 0=block, 1=allow // This is the preference under Options>Content>Font & Colors>Advanced>Allow pages to choose their own fonts // If you disallow fonts, this blocks font enumeration (by JS) which is a high entropy fingerprinting vector // disabling fonts uglifies the web a little, and until FF41 will also block icon fonts user_pref("browser.display.use_document_fonts", 0); // 1402: but for FF41+ allow icon fonts (gylphs) through user_pref("gfx.downloadable_fonts.enabled", true); // 1403: https://wiki.mozilla.org/SVGOpenTypeFonts - iSEC Partners Report recommends to disable this user_pref("gfx.font_rendering.opentype_svg.enabled", false); // HEADERS // 1600: HEADERS // 1601: disable Referer from an SSL Website user_pref("network.http.sendSecureXSiteReferrer", false); // 1602: DNT HTTP header - essentially useless // http://kb.mozillazine.org/Privacy.donottrackheader.value - this pref is required since FF21+ user_pref("privacy.donottrackheader.enabled", true); user_pref("privacy.donottrackheader.value", 1); // 1603: REFERER - http://kb.mozillazine.org/Network.http.sendRefererHeader // It is better to leave these at default (2, false) and use an extension to block all and then whitelist ( eg RefControl ) // otherwise too much of the internet breaks. Even TOR does nothing about this. user_pref("network.http.sendRefererHeader",2); user_pref("network.http.referer.spoofSource", true); // PLUGINS // 1800: PLUGINS // 1801: set default plugin state (i.e new plugins on discovery) to never activate - 0=disabled, 1=ask to activate, 2=active - you can override individual plugins user_pref("plugin.default.state", 0); user_pref("plugin.defaultXpi.state", 0); // 1802: enable click to play and set to 0 minutes user_pref("plugins.click_to_play", true); user_pref("plugin.sessionPermissionNow.intervalinminutes", 0); // make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled - flash example below // you can just set all these plugin.state's via add-ons>plugins NOTE: you can still over-ride individual sites eg Youtube/ via site permissions user_pref("plugin.state.flash", 0); // 1803: remove plugin finder service - http://kb.mozillazine.org/Pfs.datasource.url // plugins are a dying breed, do we really want mozilla to find us missing plugins? user_pref("pfs.datasource.url", ""); // 1804: disable plugin enumeration // WARNING: disabling plugin.enumerate.names breaks the plugin check at https://www.mozilla.org/en-US/plugincheck/ // If you want to use this, then the default setting is an asterix. Otherwise most plugins have their own auto-update checks & downloads user_pref("plugins.enumerable_names", ""); // deprecated soon?: https://bugzilla.mozilla.org/show_bug.cgi?id=1169945 user_pref("security.xpconnect.plugin.unrestricted", false); // 1805: disable scanning for plugins - http://kb.mozillazine.org/Plugin_scanning // plid.all = whether to scan the directories specified in the Windows registry for PLIDs - includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash user_pref("plugin.scan.plid.all", false); // 1806: Acrobat, Quicktime, WMP are handled separately - integer refers to min version number allowed user_pref("plugin.scan.Acrobat", 99999); user_pref("plugin.scan.Quicktime", 99999); user_pref("plugin.scan.WindowsMediaPlayer", 99999); // 1807: disable auto-play of HTML5 media - have put this under plugins, not media. Note: this disables webm's auto playing user_pref("media.autoplay.enabled", false); // 1808: disable OpenH264 user_pref("media.gmp-provider.enabled", false); // MEDIA / CAMERA / MIKE // 2000: MEDIA / CAMERA / MIKE // 2001: disable webRTC user_pref("media.peerconnection.enabled", false); user_pref("media.peerconnection.use_document_iceservers", false); user_pref("media.peerconnection.video.enabled", false); user_pref("media.peerconnection.identity.timeout", 1); // 2002: disable WebRTC - firefox making automatic connections#w_media-capabilities user_pref("media.gmp-gmpopenh264.enabled", false); user_pref("media.gmp-manager.url", ""); // 2003: disable EME bits - https://trac.torproject.org/projects/tor/ticket/16285 user_pref("browser.eme.ui.enabled", false); user_pref("media.gmp-eme-adobe.enabled", false); user_pref("media.eme.enabled", false); user_pref("media.eme.apiVisible", false); // 2004: getUserMedia - https://wiki.mozilla.org/Media/getUserMedia user_pref("media.navigator.enabled", false); // 2010: disable webGL, force bare minimum feature set if used & disable webGL extensions user_pref("webgl.disabled", true); user_pref("pdfjs.enableWebGL", false); user_pref("webgl.min_capability_mode", true); user_pref("webgl.disable-extensions", true); // 2020: disable video statistics fingerprinting vector - javascript performace fingerprinting user_pref("media.video_stats.enabled", false); // 2021: disable speech recognition user_pref("media.webspeech.recognition.enable", false); // 2022: disable screensharing user_pref("media.getusermedia.screensharing.enabled", false); user_pref("media.getusermedia.screensharing.allowed_domains", ""); // 2023: disable camera stuff user_pref("camera.control.autofocus_moving_callback.enabled", false); user_pref("camera.control.face_detection.enabled", false); // UI meddling // 2200: UI meddling // see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features // 2201: disable website control over rightclick context menu user_pref("dom.event.contextmenu.enabled", false); // GITHUB 26: Disable DOM web notifications user_pref("dom.webnotifications.enabled", false); // 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows user_pref("dom.disable_window_open_feature.location", true); user_pref("dom.disable_window_open_feature.menubar", true); user_pref("dom.disable_window_open_feature.resizable", true); user_pref("dom.disable_window_open_feature.scrollbars", true); user_pref("dom.disable_window_open_feature.status", true); user_pref("dom.disable_window_open_feature.toolbar", true); // 2203: POPUP windows - prevent or allow javascript UI meddling user_pref("dom.disable_window_flip", true); // window z-order user_pref("dom.disable_window_move_resize", true); user_pref("dom.disable_window_open_feature.close", true); user_pref("dom.disable_window_open_feature.minimizable", true); user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar user_pref("dom.disable_window_open_feature.titlebar", true); user_pref("dom.disable_window_status_change", true); user_pref("dom.allow_scripts_to_close_windows", false); // DOM - JAVASCRIPT // 2400: DOM - JAVASCRIPT // GITHUB 27: Disable javascript options // https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29 user_pref("javascript.options.methodjit.chrome", false); user_pref("javascript.options.methodjit.content", false); // http://asmjs.org/ // https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/ // https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/ // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712 user_pref("javascript.options.asmjs", false); // 2401: disable dom storage user_pref("dom.storage.enabled", false); // 2402: disable website access to clipboard events (will break some sites functionaility such as pasting into Facebook) // this applies to onCut, onCopy, onPaste events - i.e is you have to interact with the website for it to look at the clipboard user_pref("dom.event.clipboardevents.enabled", false); // 2403: disable scripts changing images eg google maps - will break a lot of web apps // user_pref("dom.disable_image_src_set", true); // 2404: disable JS storing data permanently - NOTE disabling this could break extensions (started in FFv35) - this bug has now been fixed but... // Note: this is the setting under about:permissions>All SItes>Maintain Offline Storage - you can override individual domains under site permissions // WARNING: i'll set as false (disabled), this WILL break some [old] add-ons and may break some sites' functionality user_pref("dom.indexedDB.enabled", false); // 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephony user_pref("dom.telephony.enabled", false); // 2406: disable gamepad API - fingerprinting - USB device ID enumeration user_pref("dom.gamepad.enabled", false); // 2407: disable battery API - fingerprinting vector user_pref("dom.battery.enabled", false); // 2408: disable network API - fingerprinting vector user_pref("dom.network.enabled", false); // 2409: disable giving away network info - https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API user_pref("dom.netinfo.enabled", false); // 2410: disable User Timing API - https://trac.torproject.org/projects/tor/ticket/16336 user_pref("dom.enable_user_timing", false); // 2411: disable resource/navigation timing user_pref("dom.enable_resource_timing", false); // 2412: https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI - javascript performace fingerprinting user_pref("dom.enable_performance", false); // 2413: disable virtual reality devices user_pref("dom.vr.enabled", false); // 2414: disable shaking the screen user_pref("dom.vibrator.enabled", false); // 2415: max popups from a single non-click event - default is 20! user_pref("dom.popup_maximum", 3); // 2416: disable idle observation user_pref("dom.idle-observers-api.enabled", false); // 2417: disable SharedWorkers for now - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 8) // https://bugs.torproject.org/15562 - SharedWorker violates first party isolation user_pref("dom.workers.sharedWorkers.enabled", false); // 2418: disbale full-screen API. This is the setting under about:permissions>All Sites>Fullscreen // set to false=block, set to true=ask. NOTE: you can still override individual domains under site permissions user_pref("full-screen-api.enabled", false); // MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY // 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY // 2601: disable sending additional analytics to web servers - https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon user_pref("beacon.enabled", false); // 2602: CIS 2.3.2 disable downloading on desktop user_pref("browser.download.folderList", 2); // 2603: always ask the user where to download - enforces user interaction for security reasons user_pref("browser.download.useDownloadDir", false); // 2604: https://bugzil.la/238789#c19 user_pref("browser.helperApps.deleteTempFileOnExit", true); // 2605: don't integrate activity into windows recent documents user_pref("browser.download.manager.addToRecentDocs", false); // GITHUB 28: CIS Version 1.2.0 October 21st, 2011 2.5.5 Delete Download History // Zero (0) is an indication that no download history is retained for the current profile. user_pref("browser.download.manager.retention", 0); // 2606: disable hiding mime types in prefs applications tab that are not associated with a plugin user_pref("browser.download.hide_plugins_without_extensions", false); // 2607: disable page thumbnails - privacy user_pref("browser.pagethumbnails.capturing_disabled", true); // 2608: disable JAR from opening Unsafe File Types user_pref("network.jar.open-unsafe-types", false); // 2609: disable insecure active content on https pages - mixed content user_pref("security.mixed_content.block_active_content", true); // 2610: disable insecure passive content (such as images) on https pages - mixed context // current default is false, am inclined to leave it this way as too many sites break visually user_pref("security.mixed_content.block_display_content", true); // GITHUB 29: Content security policy // https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy user_pref("security.csp.enable", true); // https://bugzilla.mozilla.org/show_bug.cgi?id=855326 user_pref("security.csp.experimentalEnabled", true); // 2611: disable WebIDE to prevent remote debugging and addon downloads // https://trac.torproject.org/projects/tor/ticket/16222 user_pref("devtools.webide.autoinstallADBHelper", false); user_pref("devtools.webide.autoinstallFxdtAdapters", false); user_pref("devtools.debugger.remote-enabled", false); user_pref("devtools.webide.enabled", false); // GITHUB 30: Strict File Origin Policy // CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8 Set File URI Origin Policy // http://kb.mozillazine.org/Security.fileuri.strict_origin_policy user_pref("security.fileuri.strict_origin_policy", true); // GITHUB 31: Subresource integrity // https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity // https://wiki.mozilla.org/Security/Subresource_Integrity user_pref("security.sri.enable", true); // 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku // https://trac.torproject.org/projects/tor/ticket/16222 user_pref("browser.casting.enabled", false); user_pref("gfx.layerscope.enabled", false); // 2613: disable device sensor API - fingerprinting vector user_pref("device.sensors.enabled", false); // 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (see no. 10) user_pref("network.http.spdy.enabled", false); user_pref("network.http.spdy.enabled.v3-1", false); // 2615: disable http/2 for now as well - need more info user_pref("network.http.spdy.enabled.http2", false); user_pref("network.http.spdy.enabled.http2draft", false); // 2617: disable pdf.js as an option to preview PDFs within FF (see mime-types under Options>Applications) - exploit risk // enabling this will change your option - most likely to Ask, or Open with some external pdf reader // NOTE: this does NOT necessarily prevent pdf.js being used via other means, it only removes the option // I think this should probably be left at default (false) - but we'll change it anyway, even though 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as much risk or more (acrobat) // 3. mozilla are very quick to patch these sorts of exploits, they treat them as severe/critical 4. convenience user_pref("pdfjs.disabled", true); // 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue // http://kb.mozillazine.org/Network.proxy.socks_remote_dns // https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers // eg in TOR, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request user_pref("network.proxy.socks_remote_dns", true); // http://kb.mozillazine.org/Network.proxy.type // the default in Firefox for Linux is to use system proxy settings. // We change it to direct connection //user_pref("network.proxy.type", 0); // 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS), default is 20 // WARNING: a low setting of 5 or under will probably break some sites [eg gmail logins]. This can be better handled by an addon [eg NoRedirect] // user_pref("network.http.redirection-limit", 20); // PERSONAL SETTINGS (with privacy implications) // 2800: PERSONAL SETTINGS [that have PRIVACY implications] // These can all be set via options. you don't have to use this section // This is included for those who wish to add this type of control into their user.js // 2801: COOKIES // disable cookies on all sites (you can still use exceptions under site permissions or use an extension - eg Cookie Controller, Self-destructing Cookies) // 0=allow all, 1=allow same host, 2=disallow all, 3= allow 3rd party if it has already set a cookie user_pref("network.cookie.cookieBehavior", 1); // The cookie expires at the end of the session (when the browser closes). // http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2 user_pref("network.cookie.lifetimePolicy", 2); // 2082: enable FF to clear stuff on close (Options>Privacy>Clear history when firefox closes) user_pref("privacy.sanitize.sanitizeOnShutdown", true); // 2803: what to clear (Options>Privacy>Clear history when firefox closes>Settings) // these are the settings of the author of this user.js, chose your own user_pref("privacy.clearOnShutdown.cache", true); user_pref("privacy.clearOnShutdown.cookies", true); user_pref("privacy.clearOnShutdown.downloads", true); user_pref("privacy.clearOnShutdown.formdata", true); user_pref("privacy.clearOnShutdown.history", true); user_pref("privacy.clearOnShutdown.offlineApps", true); user_pref("privacy.clearOnShutdown.passwords", true); user_pref("privacy.clearOnShutdown.sessions", true); // active logins user_pref("privacy.clearOnShutdown.siteSettings", true); // 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del user_pref("privacy.cpd.cache", true); user_pref("privacy.cpd.cookies", true); user_pref("privacy.cpd.downloads", true); user_pref("privacy.cpd.formdata", true); user_pref("privacy.cpd.history", true); user_pref("privacy.cpd.offlineApps", true); user_pref("privacy.cpd.passwords", true); user_pref("privacy.cpd.sessions", true); user_pref("privacy.cpd.siteSettings", true); // GITHUB 32: Always use private browsing // https://support.mozilla.org/en-US/kb/Private-Browsing // https://wiki.mozilla.org/PrivateBrowsing user_pref("browser.privatebrowsing.autostart", true); // Personal Handy Settings // 3000: PERSONAL HANDY SETTINGS // these are just damn handy to know, have lying around, and be able to easily migrate to a new profile // users can put their own non-security/privacy/fingerprinting/tracking stuff here // 3001: disable annoying warnings user_pref("general.warnOnAboutConfig", false); user_pref("browser.tabs.warnOnClose", false); user_pref("browser.tabs.warnOnCloseOtherTabs", false); user_pref("browser.tabs.warnOnOpen", false); // 3001a disable warning when a domain requests full screen // https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Using_full_screen_mode // user_pref("full-screen-api.approval-required", false); // deprecated after FF42? // user_pref("full-screen-api.warning.timeout", 0); // FF43+ // 3002: disable closing browser with last tab user_pref("browser.tabs.closeWindowWithLastTab", false); // 3003: disable new search panel UI user_pref("browser.search.showOneOffButtons", false); // 3004: disable backspace user_pref("browser.backspace_action", 2); // 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2) user_pref("clipboard.autocopy", false); //3006: turn on full native HTML5 player support user_pref ("media.fragmented-mp4.enabled", true); user_pref ("media.fragmented-mp4.exposed", true); user_pref ("media.fragmented-mp4.ffmpeg.enabled", true); user_pref ("media.fragmented-mp4.gmp.enabled", true); user_pref ("media.fragmented-mp4.use-blank-decoder", false);
  • Create New...