Jump to content
Not connected, Your IP: 44.215.110.142

Recommended Posts

/********
* ULTIMATE HARDENED FIREFOX USER.JS

* Combines changes outlined in ghacks.net and GitHub's hardened FF profiles as at October 2015. The GHacks version was used as the base profile,

with additional Github privacy/settings inserted (marked with 'GITHUB' label).

 

* Successfully tested with Linux FF 41.0.2 (Youtube etc).

* All credits to the primary authors and many contributors from Github, GHacks Forums and Wilders Security Forums who did the hard yards.

* Minor changes have been made by this author to further increase privacy and convenience e.g. no OCSP checks due to third parties involved,
changes to cookie policies/behaviours, disabling of spdy, using all privacy options to clear data/cookies etc upon FF shutdown, enabling full
native HTML5 support by default (and several others).

* This entire text block should be saved to a new file named user.js

********/

/*********
* The two original user.js profiles used to create this 'ultimate' privacy/security profile can be found here:
* url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
* url: https://github.com/pyllyukko/user.js

* This is NOT a "comprehensive" list of ALL things privacy/security-related, otherwise it would be enormous.

* It is actually a long list of settings that generally differ from their defaults, and is aimed at improving security, privacy, a "quieter" FF,
fingerprinting, and tracking - while allowing (most) functionality. There will be trade-offs and conflicts between these.

* IMPORTANT STEPS:

* Note: user.js - this OVER-WRITES any corresponding about:config entries on Firefox start if accidentally stored in the default folder!
see: http://kb.mozillazine.org/User.js_file To avoid this problem, carefully follow the steps below:

1. Create a new FF profile and directory to store this new version of user.js for testing purposes.

* To create a new profile in GNU/Linux, the FF profile manager can be accessed via the terminal (Alt-F2): firefox -P

* Create a new profile, give it a suitable name, and then shutdown FF.

* To access the FF profile manager in other O/S and create new profiles, see simple Mozilla notes online.

3. This entire text file should be saved as user.js and moved to the new profile directory you just created.

* In GNU/Linux, run in terminal: ls .mozilla/firefox
You will see that FF profiles are stored (hidden) under your home directory: ./mozilla/firefox

* In Windoze, you need to drop the user.js file to %appdata%\Mozilla\Firefox\Profiles\XXXXXXXX.your_new_profile_name.

* Do NOT touch the 'XXXXXX.default' profile directory or dump your new user.js in the default folder! You will lose all your current 'default' settings, bookmarks
and other data!

4. Restart Firefox and select your new profile at start-up. Voila! You now have a 'secure' profile available alongside your 'default' profile.

* NOTE: BEFORE deciding to use this new user.js, you SHOULD actually read what the prefs do (information is provided, and links) and if necessary,
change, remove or comment out with two forward slashes (//) any preferences you're not happy with or not sure about.

* COMMON PROBLEMS: some prefs will break a number of popular sites (it's inevitable). In particular, these two settings below may need to be reset to defaults to
stop breakage:

security.OCSP.require
dom.indexedDB.enabled

* ADDITIONAL FF CHANGES: Add-ons are also essential for safer browsing e.g. HTTPS Everywhere, No-Script & Canvas Blocker (stops HTML5 canvas/image data
extraction). Also strongly consider installing UBlock Origin, Privacy Badger, Self-destructing Cookies and Random Agent Spoofer as complimentary add-ons.

* In preferences, set your default homepage to a search provider that doesn't track by default e.g. https://search.disconnect.me Consider also turning off hardware
acceleration as it is understood to be a possible attack vector (?), along with cached web content settings (set to zero MB).

* Other general FF settings for better security - set all plug-ins to 'never activate' and do not install additional themes/services/languages. They are all
likely to be trackable identifiers, and plug-ins are further notorious for leaking lots of data about your system and protocols.

*********/

// STARTUP

// 0100: STARTUP

// 0101: disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.shell.checkDefaultBrowser", false);

// GEO

// 0200: GEO

// 0201: disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "http://127.0.0.1");
user_pref("browser.search.geoip.url", "");

// 0202: disable GeoIP-based search results - https://trac.torproject.org/projects/tor/ticket/16254
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");

// QUIET Fox Part 1

// 0300: QUIET FOX [PART 1] - no (auto) phoning home for anything - you can still do manual updates

// NOTE: It is still important to do updates for security reasons. If you don't auto update then make sure you do manually in a timely fashion
// NOTE: There are many legitimate reasons for turning off AUTO updating, including  hijacked moneytized extensions,
// time contraints, legacy issues, and trepidation of breakage (easier to wait for others to report bugs)

// 0301: disable browser auto update
user_pref("app.update.enabled", false);

// 0302: disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);

// 0303: disable search update
user_pref("browser.search.update", false);

// 0304: disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);

// 0305: disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);

// 0306: disable add-on metadata updating - sends daily pings to mozilla about extensions and recent startups - privacy issue
user_pref("extensions.getAddons.cache.enabled", false);

// 0307: disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);

// 0308: disable update plugin notifications - if you're using flash, java, silverlight - turn on their own auto-update mechanisms
// also see 1804 below - Mozilla only checks a few plugins anyway - Silverlight, Flash, Java?, Quicktime? WMP?
user_pref("plugins.update.notifyUser", false);

// GITHUB 1: CIS Version 1.2.0 October 21st, 2011 2.1.3 Enable Information Bar for Outdated Plugins
user_pref("plugins.hide_infobar_for_outdated_plugin", false);

// 0309: disable sending plugin crash reports - keep FF quiet
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);

// 0310: disable sending the URL of the website where a plugin crashed - privacy issue
user_pref("dom.ipc.plugins.reportCrashURL", false);

// 0320: disable extension discovery - featured extensions for displaying in Get Add-ons panel
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");

// 0330: disable telemetry
// big fat list here: https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// the pref  (.unified) affects the behaviour of the pref (.enabled)
// IF unified=false then .enabled controls the telemetry module : IF unfied=true then .enabled ONLY controls whether to record extended data
// so make sure to have both set as false
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);

// 0331: remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");

// 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
user_pref("toolkit.telemetry.archive.enabled", false);

// 0333: disable health report
user_pref("datareporting.healthreport.uploadEnabled",    false);
user_pref("datareporting.healthreport.documentServerURI", "");
user_pref("datareporting.healthreport.service.enabled", false);

// 0334: FF41+ see https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=1195552
// This is the master-kill-switch for upload/reporting for Health Reports and Telemetry
user_pref("datareporting.policy.dataSubmissionEnabled", false);

// 0340: disable experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);

// 0341: disable mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);

// 0350: disable crash reports
user_pref("breakpad.reportURL", "");

// 0360: disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);

// GITHUB2: Control newtab behaviour
// https://wiki.mozilla.org/Privacy/Reviews/New_Tab
user_pref("browser.newtabpage.enabled", false);
// https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites#w_how-do-i-turn-the-new-tab-page-off
user_pref("browser.newtab.url", "about:blank");

// 0370: https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");

// 0371: disable heartbeat - mozilla user rating telemetry
user_pref("browser.selfsupport.url", "");

// 0372: disable hello - a WebRTC mozilla voice & video call that doesn't require an account - WebRTC (IP leak)
user_pref("loop.enabled", false);

// 0373: disable pocket, remove urls for good measure - a third party "save for later" service - privacy concerns
user_pref("browser.pocket.enabled", false);
user_pref("reader.parse-on-load.enabled", false);
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.site", "");

// 0374: disable "social" integration - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);

// QUIET Fox Part 2

// 0400: QUIET FOX [PART 2] - NOTE: This section has security & tracking protection implications vs privacy concerns
// These settings are geared up to make FF "quiet" & private, if you want safebrowsing & tracking protection then don't use this section (or parts of it)

/// 0401: DON'T disable extension blocklist as it is now includes updates for "revoked certificates", this is not a privacy issue
// see https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
// NOTE: requires extensions.blocklist.url to be set at default
user_pref("extensions.blocklist.enabled", true);

// 0402: disable block reported web forgeries - when true this compares visited URLs against a blacklist  or submits
// URLs to a third party to determine whether a site is legitimate = privacy concerns. This setting is under Options>Security
user_pref("browser.safebrowsing.enabled", false);

// 0410: disable block reported attack sites - This setting is under Options>Security
// safebrowsing uses locally stored data, but if the item is not found, then google is contacted - privacy concerns
user_pref("browser.safebrowsing.malware.enabled", false);

// 0411: disable safebrowsing urls & download
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.appRepURL", "");
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");

// 0420: disable tracking protection - // https://support.mozilla.org/en-US/kb/tracking-protection-firefox
// I believe there are no privacy concerns here, but  you are better off using an extension such as uBlock Origin
// which is not decided by a third party (disconnect) and which is far more effective (when used correctly)
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.polaris.enabled", false);  // deprecated?
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);

// GITHUB 3: CIS Mozilla Firefox 24 ESR v1.0.0 - 3.6 Enable IDN Show Punycode
// http://kb.mozillazine.org/Network.IDN_show_punycode
user_pref("network.IDN_show_punycode", true);

// GITHUB 4: Disallow NTLMv1
// https://bugzilla.mozilla.org/show_bug.cgi?id=828183
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);

// it is still allowed through HTTPS. uncomment the following to disable it completely.
//user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
// https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
// https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List
user_pref("network.stricttransportsecurity.preloadlist", true);

// BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

// 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

// 0601: disable link prefetching
user_pref("network.prefetch-next", false);

// 0602: disable dns prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);

// 0603: disable seer/necko
user_pref("network.predictor.enabled", false);

// 0604: disable search suggestions
user_pref("browser.search.suggest.enabled", false);

// 0605: disable link-mouseover opening connection to linked server
user_pref("network.http.speculative-parallel-limit", 0);

// 0606: disable pings (but enforce same host in case)
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);

// LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc

// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc
// Not ALL of these are strictly needed, some are for the truely paranoid, but included for a more comprehensive list (see comments on each one)

// 0801: disable location bar using search, give error message instead - don't leak typos to a search engine - PRIVACY
user_pref("keyword.enabled", false);

// 0802: disable location bar domain guessing - intercepts DNS "hostname not found errors" and resends a request eg by adding www or .com.
// Inconsistent use (eg FQDNs), does not work via Proxy Servers (different error), can send extra unexpected DNS requests,
// is a flawed use of DNS (TLDs: why treat .com as the 411 for DNS errors?), privacy issues (why connect to sites you didn't intend to),
// can leak sensitive data? (eg query strings: eg Princeton attack), and is a security risk (eg common typos & malicious sites set up to exploit this) - PRIVACY/SECURITY
user_pref("browser.fixup.alternate.enabled", false);

// 0803: disable location bar dropdown - PRIVACY issue (i.e computer forensics/shoulder surfers)
user_pref("browser.urlbar.maxRichResults", 0);

// 0804: display all parts of the url - why rely on just a visual clue - helps SECURITY
user_pref("browser.urlbar.trimURLs", false);

// 0805: disable URLbar autofill - http://kb.mozillazine.org/Inline_autocomplete - PRIVACY issue (i.e computer forensics/shoulder surfers)
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);

// 0806: disable autocomplete -  PRIVACY issue (i.e computer forensics/shoulder surfers)
user_pref("browser.urlbar.autocomplete.enabled", false);

// 0807: disable history manipulation  - https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history - SECURITY
// false=disable, have set to true otherwise it breaks some sites (youtube) ability to correctly show the url in location bar and for the forward/back tab history to work
user_pref("browser.history.allowPopState", true);
user_pref("browser.history.allowPushState", true);
user_pref("browser.history.allowReplaceState", true);

// GITHUB 5: Don't remember browsing history
user_pref("places.history.enabled", false);

// GITHUB 6: CIS Version 1.2.0 October 21st, 2011 2.5.4 Delete History and Form Data
// http://kb.mozillazine.org/Browser.history_expire_days
user_pref("browser.history_expire_days", 0);
// http://kb.mozillazine.org/Browser.history_expire_sites
user_pref("browser.history_expire_sites", 0);
// http://kb.mozillazine.org/Browser.history_expire_visits
user_pref("browser.history_expire_visits", 0);

// 0808: disable history suggestions - PRIVACY issue (i.e computer forensics/shoulder surfers)
user_pref("browser.urlbar.suggest.history", false);

// 0809: limit history PER TAB (back/forward) - history leaks via enumeration - PRIVACY
// default=50!! minimum=1=currentpage, 2 is good for some sites/pages to work, 4 may be more practical
user_pref("browser.sessionhistory.max_entries", 4);

// 0810: disable css querying page history - css history leak - PRIVACY
user_pref("layout.css.visited_links_enabled", false);

// 0811: disable displaying Javascript in history URLs - SECURITY
user_pref("browser.urlbar.filter.javascript", true);

// 0812: disable saving information entered in web forms AND the search bar  - PRIVACY issue (i.e computer forensics/shoulder surfers)
// for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard.
user_pref("browser.formfill. enable", false);

// 0813: disable saving form data on secure websites (default=true) - PRIVACY issue (i.e computer forensics/shoulder surfers)
// for convenience & functionality, this is best left at default true - you can clear formdata on exiting firefox. But, lets go full secure-tard.
user_pref("browser.formfill.saveHttpsForms", false);

// 0814: disable auto-filling username & password form fields (can leak in cross-site forms AND be spoofed) - http://kb.mozillazine.org/Signon.autofillForms
// password will still be set after the user name is manually entered - SECURITY
user_pref("signon.autofillForms", false);

// GITHUB 7: CIS Version 1.2.0 October 21st, 2011 2.5.3 Disable Prompting for Credential Storage
user_pref("security.ask_for_password", 0);

// GITHUB 8: CIS Version 1.2.0 October 21st, 2011 2.5.2 Disallow Credential Storage
user_pref("signon.rememberSignons", false);

// CACHE

// 1000: CACHE

// 1001: disable disk cache
user_pref("browser.cache.disk.enable", false);

// 1002: disable disk caching of SSL pages - http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
user_pref("browser.cache.disk_cache_ssl", false);

// 1003: disable memory cache as well IF you're REALLY paranoid (yep!), you'll take a performance/traffic hit
user_pref("browser.cache.memory.enable", false);

// 1004: disable offline cache
user_pref("browser.cache.offline.enable", false);

// 1005: disable storing extra session data 0=all 1=http-only 2=none
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);

// GITHUB9: Remove sessionstore data
// http://kb.mozillazine.org/Browser.sessionstore.postdata
// NOTE: relates to CIS 2.5.7
user_pref("browser.sessionstore.postdata", 0);
// http://kb.mozillazine.org/Browser.sessionstore.enabled
user_pref("browser.sessionstore.enabled", false);

// SSL / OCSP / CIPHERS

// 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS)

// GITHUB 10: Warn of missing SSL
// https://developer.mozilla.org/en/Preferences/Mozilla_preferences_for_uber-geeks
// see also CVE-2009-3555
user_pref("security.ssl.warn_missing_rfc5746", 1);

// GITHUB 11: TLS 1.[012]
// http://kb.mozillazine.org/Security.tls.version.max
// 1 = TLS 1.0 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 2 = TLS 1.1 is the minimum required / maximum supported encryption protocol.
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
// CIS Version 1.2.0 October 21st, 2011 2.2.3 Enable Warning of Using Weak Encryption
user_pref("security.warn_entering_weak", true);

// 1201: block rc4 fallback and disable whitelist
// https://developer.mozilla.org/en-US/Firefox/Releases/38#Security
// https://bugzil.la/1138882
// https://rc4.io/
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);

// 1203: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.ssl.enable_ocsp_stapling", false);

// 1204: https://wiki.mozilla.org/Security:Renegotiation - eventually this will be set to true by default,
// leave commented out for now, as when set to true it can break too many sites eg some microsoft.com ones
// user_pref("security.ssl.require_safe_negotiation", true);

// 1205: display warning (red padlock)  for "broken security" - https://wiki.mozilla.org/Security:Renegotiation
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

// 1206: require certificate revocation check through OCSP protocol. - this leaks information about the sites you visit to the CA
// It's a trade-off between security (checking) and privacy (leaking info to the CA) - your choice (default is false)
// WARNING: If set to true, this may cause some site breakage  - some users have mentioned issues with youtube, microsoft etc
user_pref("security.OCSP.require", false);

// 1207: query OCSP responder servers to confirm current validity of certificates (default=1)
// 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL and security.OCSP.signing
user_pref("security.OCSP.enabled", 0);

// 1208: enforce strict pinning - https://trac.torproject.org/projects/tor/ticket/16206 (default is 1)
// PKP (public key pinning) 0-disabled 1=allow user MITM (such as your antivirus), 2=strict
// WARNING: If you rely on an AV (antivirus) to protect your web browsing by inspecting ALL your web traffic, then leave at default =1
user_pref("security.cert_pinning.enforcement_level", 2);

// https://support.mozilla.org/en-US/kb/certificate-pinning-reports
//
// we could also disable security.ssl.errorReporting.enabled, but I think it's
// good to leave the option to report potentially malicious sites if the user
// chooses to do so.
//
// you can test this at https://pinningtest.appspot.com/
user_pref("security.ssl.errorReporting.automatic", false);

/******************************************************************************
 * CIPHERS                                                                    *
 *                                                                            *
 * you can debug the SSL handshake with tshark: tshark -t ad -n -i wlan0 -T text -V -R ssl.handshake
 ******************************************************************************/

// GITHUB12: disable null ciphers
user_pref("security.ssl3.rsa_null_sha", false);
user_pref("security.ssl3.rsa_null_md5", false);
user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdh_rsa_null_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);

/* GITHUB13: SEED
 * https://en.wikipedia.org/wiki/SEED
 */
user_pref("security.ssl3.rsa_seed_sha", false);

// GITHUB 14: 40 bits...
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);

// GITHUB 15: 56 bits
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);

// GITHUB 16: 128 bits
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);

// GITHUB 17: RC4 (CVE-2013-2566)
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);

user_pref("security.tls.unrestricted_rc4_fallback", false);

/*
 * GITHUB 18: 3DES -> false because effective key size < 128
 *
 *   https://en.wikipedia.org/wiki/3des#Security
 *   http://en.citizendium.org/wiki/Meet-in-the-middle_attack
 *
 *
 * See also:
 *
 * http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
 */
user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);

// GITHUB 19: Ciphers with ECDH (without /e$/)
user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);

// GITHUB 20: 256 bits without PFS
user_pref("security.ssl3.rsa_camellia_256_sha", false);

// GITHUB 21: Ciphers with ECDHE and > 128bits
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);

// GITHUB 22: GCM, yes please!
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);

// GITHUB 23: Susceptible to the logjam attack - https://weakdh.org/
user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);

// GITHUB 24: Ciphers with DSA (max 1024 bits)
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);

// GITHUB 25: Fallbacks due compatibility reasons
user_pref("security.ssl3.rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_aes_128_sha", true);

// FONTS

// 1400: FONTS

// 1401: disable websites downloading their own fonts - change this to 0 in FF41+. Note: 0=block, 1=allow
// This is the preference under  Options>Content>Font & Colors>Advanced>Allow pages to choose their own fonts
// If you disallow fonts, this blocks font enumeration (by JS) which is a high entropy fingerprinting vector
// disabling fonts uglifies the web a little, and until FF41 will also block icon fonts
user_pref("browser.display.use_document_fonts", 0);

// 1402: but for FF41+ allow icon fonts (gylphs) through
user_pref("gfx.downloadable_fonts.enabled", true);

// 1403: https://wiki.mozilla.org/SVGOpenTypeFonts - iSEC Partners Report recommends to disable this
user_pref("gfx.font_rendering.opentype_svg.enabled", false);

// HEADERS

// 1600: HEADERS

// 1601: disable Referer from an SSL Website
user_pref("network.http.sendSecureXSiteReferrer", false);

// 1602: DNT HTTP header - essentially useless
//  http://kb.mozillazine.org/Privacy.donottrackheader.value - this pref is required since FF21+
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.donottrackheader.value", 1);

// 1603: REFERER - http://kb.mozillazine.org/Network.http.sendRefererHeader
// It is better to leave these at default (2, false) and use an extension to block all and then whitelist ( eg RefControl )
// otherwise too much of the internet breaks. Even TOR does nothing about this.
user_pref("network.http.sendRefererHeader",2);
user_pref("network.http.referer.spoofSource", true);

// PLUGINS

// 1800: PLUGINS

// 1801: set default plugin state (i.e new plugins on discovery) to never activate - 0=disabled, 1=ask to activate, 2=active - you can override individual plugins
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);

// 1802: enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);
// make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled - flash example below
// you can just set all these plugin.state's via add-ons>plugins NOTE: you can still over-ride individual sites eg Youtube/ via site permissions
user_pref("plugin.state.flash", 0);

// 1803: remove plugin finder service - http://kb.mozillazine.org/Pfs.datasource.url
// plugins are a dying breed, do we really want mozilla to find us missing plugins?
user_pref("pfs.datasource.url", "");

// 1804: disable plugin enumeration
// WARNING: disabling plugin.enumerate.names breaks the plugin check at https://www.mozilla.org/en-US/plugincheck/
// If you want to use this, then the default setting is an asterix. Otherwise most plugins have their own auto-update checks & downloads
user_pref("plugins.enumerable_names", "");  // deprecated soon?: https://bugzilla.mozilla.org/show_bug.cgi?id=1169945
user_pref("security.xpconnect.plugin.unrestricted", false);

// 1805: disable scanning for plugins - http://kb.mozillazine.org/Plugin_scanning
// plid.all = whether to scan the directories specified in the Windows registry for PLIDs - includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash
user_pref("plugin.scan.plid.all", false);

// 1806: Acrobat, Quicktime, WMP are handled separately - integer refers to min version number allowed
user_pref("plugin.scan.Acrobat", 99999);
user_pref("plugin.scan.Quicktime", 99999);
user_pref("plugin.scan.WindowsMediaPlayer", 99999);

// 1807: disable auto-play of HTML5 media - have put this under plugins, not media. Note: this disables webm's auto playing
user_pref("media.autoplay.enabled", false);

// 1808: disable OpenH264
user_pref("media.gmp-provider.enabled", false);

// MEDIA / CAMERA / MIKE

// 2000: MEDIA / CAMERA / MIKE

// 2001: disable webRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);

// 2002: disable WebRTC - firefox making automatic connections#w_media-capabilities
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");

// 2003: disable EME bits - https://trac.torproject.org/projects/tor/ticket/16285
user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);

// 2004: getUserMedia - https://wiki.mozilla.org/Media/getUserMedia
user_pref("media.navigator.enabled", false);

// 2010: disable webGL, force bare minimum feature set if used & disable webGL extensions
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);

// 2020: disable video statistics fingerprinting vector - javascript performace fingerprinting
user_pref("media.video_stats.enabled", false);

// 2021: disable speech recognition
user_pref("media.webspeech.recognition.enable", false);

// 2022: disable screensharing
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");

// 2023: disable camera stuff
user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);

// UI meddling

// 2200: UI meddling
// see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features

// 2201: disable website control over rightclick context menu
user_pref("dom.event.contextmenu.enabled", false);

// GITHUB 26: Disable DOM web notifications
user_pref("dom.webnotifications.enabled", false);

// 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);

// 2203: POPUP windows - prevent or allow javascript UI meddling
user_pref("dom.disable_window_flip", true); // window z-order
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);

// DOM - JAVASCRIPT

// 2400: DOM - JAVASCRIPT

// GITHUB 27: Disable javascript options
// https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_in_Debian.29
user_pref("javascript.options.methodjit.chrome", false);
user_pref("javascript.options.methodjit.content", false);
// http://asmjs.org/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
user_pref("javascript.options.asmjs", false);

// 2401: disable dom storage
user_pref("dom.storage.enabled", false);

// 2402: disable website access to clipboard events (will break some sites functionaility such as pasting into Facebook)
// this applies to onCut, onCopy, onPaste events - i.e is you have to interact with the website for it to look at the clipboard
user_pref("dom.event.clipboardevents.enabled", false);

// 2403: disable scripts changing images eg google maps - will break a lot of web apps
// user_pref("dom.disable_image_src_set", true);

// 2404: disable JS storing data permanently - NOTE disabling this could break extensions (started in FFv35) - this bug has now been fixed but...
// Note: this is the setting under about:permissions>All SItes>Maintain Offline Storage - you can override individual domains under site permissions
// WARNING: i'll set as false (disabled), this WILL break some [old] add-ons and may break some sites' functionality
user_pref("dom.indexedDB.enabled", false);

// 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);

// 2406: disable gamepad API  - fingerprinting - USB device ID enumeration
user_pref("dom.gamepad.enabled", false);

// 2407: disable battery API - fingerprinting vector
user_pref("dom.battery.enabled", false);

// 2408: disable network API - fingerprinting vector
user_pref("dom.network.enabled", false);

// 2409: disable giving away network info - https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
user_pref("dom.netinfo.enabled", false);

// 2410: disable User Timing API - https://trac.torproject.org/projects/tor/ticket/16336
user_pref("dom.enable_user_timing", false);

// 2411: disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);

// 2412: https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI  -  javascript performace fingerprinting
user_pref("dom.enable_performance", false);

// 2413: disable virtual reality devices
user_pref("dom.vr.enabled", false);

// 2414: disable shaking the screen
user_pref("dom.vibrator.enabled", false);

// 2415: max popups from a single non-click event - default is 20!
user_pref("dom.popup_maximum", 3);

// 2416: disable idle observation
user_pref("dom.idle-observers-api.enabled", false);

// 2417: disable SharedWorkers for now - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability  (see no. 8)
// https://bugs.torproject.org/15562 - SharedWorker violates first party isolation
user_pref("dom.workers.sharedWorkers.enabled", false);

// 2418: disbale full-screen API. This is the setting under about:permissions>All Sites>Fullscreen
// set to false=block, set to true=ask. NOTE: you can still override individual domains under site permissions
user_pref("full-screen-api.enabled", false);

// MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY

// 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY

// 2601: disable sending additional analytics to web servers - https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);

// 2602: CIS 2.3.2 disable downloading on desktop
user_pref("browser.download.folderList", 2);

// 2603: always ask the user where to download - enforces user interaction for security reasons
user_pref("browser.download.useDownloadDir", false);

// 2604: https://bugzil.la/238789#c19
user_pref("browser.helperApps.deleteTempFileOnExit", true);

// 2605: don't integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);

// GITHUB 28: CIS Version 1.2.0 October 21st, 2011 2.5.5 Delete Download History
// Zero (0) is an indication that no download history is retained for the current profile.
user_pref("browser.download.manager.retention", 0);

// 2606: disable hiding mime types in prefs applications tab that are not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);

// 2607: disable page thumbnails - privacy
user_pref("browser.pagethumbnails.capturing_disabled", true);

// 2608: disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);

// 2609: disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);

// 2610: disable insecure passive content (such as images) on https pages - mixed context
// current default is false, am inclined to leave it this way as too many sites break visually
user_pref("security.mixed_content.block_display_content", true);

// GITHUB 29: Content security policy
// https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
user_pref("security.csp.enable", true);
// https://bugzilla.mozilla.org/show_bug.cgi?id=855326
user_pref("security.csp.experimentalEnabled", true);

// 2611: disable WebIDE to prevent remote debugging and addon downloads
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);

// GITHUB 30: Strict File Origin Policy
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8 Set File URI Origin Policy
// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
user_pref("security.fileuri.strict_origin_policy", true);

// GITHUB 31: Subresource integrity
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
// https://wiki.mozilla.org/Security/Subresource_Integrity
user_pref("security.sri.enable", true);

// 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);

// 2613: disable device sensor API - fingerprinting vector
user_pref("device.sensors.enabled", false);

// 2614: disable SPDY as it can contain identifiers - https://www.torproject.org/projects/torbrowser/design/#identifier-linkability  (see no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);

// 2615: disable http/2 for now as well - need more info
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);

// 2617: disable pdf.js as an option to preview PDFs within FF (see mime-types under Options>Applications) - exploit risk
// enabling this will change your option - most likely to Ask, or Open with some external pdf reader
// NOTE: this does NOT necessarily prevent pdf.js being used via other means, it only removes the option
// I think this should probably be left at default (false) - but we'll change it anyway, even though 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as much risk or more (acrobat)
// 3. mozilla are very quick to patch these sorts of exploits, they treat them as severe/critical 4. convenience
user_pref("pdfjs.disabled", true);

// 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// eg in TOR, this stops your local DNS server from knowing your Tor destination as a remote Tor node will handle the DNS request
user_pref("network.proxy.socks_remote_dns", true);
// http://kb.mozillazine.org/Network.proxy.type
// the default in Firefox for Linux is to use system proxy settings.
// We change it to direct connection
//user_pref("network.proxy.type", 0);

// 2619: limit  HTTP redirects (this does not control redirects with HTML meta tags or JS), default is 20
// WARNING: a low setting of 5 or under will probably break some sites [eg gmail  logins]. This can be better handled by an addon [eg NoRedirect]
// user_pref("network.http.redirection-limit", 20);

// PERSONAL SETTINGS (with privacy implications)

// 2800: PERSONAL SETTINGS [that have PRIVACY implications]
// These can all be set via options. you don't have to use this section
// This is included for those who wish to add this type of control into their user.js

// 2801: COOKIES
// disable cookies on all sites (you can still use exceptions under site permissions or use an extension - eg Cookie Controller, Self-destructing Cookies)
// 0=allow all, 1=allow same host, 2=disallow all, 3= allow 3rd party if it has already set a cookie
user_pref("network.cookie.cookieBehavior", 1);
// The cookie expires at the end of the session (when the browser closes).
// http://kb.mozillazine.org/Network.cookie.lifetimePolicy#2
user_pref("network.cookie.lifetimePolicy", 2);

// 2082: enable FF to clear stuff on close (Options>Privacy>Clear history when firefox closes)
user_pref("privacy.sanitize.sanitizeOnShutdown", true);

// 2803: what to clear (Options>Privacy>Clear history when firefox closes>Settings)
// these are the settings of the author of this user.js, chose your own
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", true);
user_pref("privacy.clearOnShutdown.sessions", true); // active logins
user_pref("privacy.clearOnShutdown.siteSettings", true);

// 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.sessions", true);
user_pref("privacy.cpd.siteSettings", true);

// GITHUB 32: Always use private browsing
// https://support.mozilla.org/en-US/kb/Private-Browsing
// https://wiki.mozilla.org/PrivateBrowsing
user_pref("browser.privatebrowsing.autostart", true);

// Personal Handy Settings

// 3000: PERSONAL HANDY SETTINGS
// these are just damn handy to know, have lying around, and be able to easily migrate to a new profile
// users can put their own non-security/privacy/fingerprinting/tracking stuff here

// 3001: disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);

// 3001a  disable warning when a domain requests full screen
// https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Using_full_screen_mode
// user_pref("full-screen-api.approval-required", false);  // deprecated after FF42?
// user_pref("full-screen-api.warning.timeout", 0); // FF43+

// 3002: disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);

// 3003: disable new search panel UI
user_pref("browser.search.showOneOffButtons", false);

// 3004: disable backspace
user_pref("browser.backspace_action", 2);

// 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2)
user_pref("clipboard.autocopy", false);

//3006: turn on full native HTML5 player support
user_pref ("media.fragmented-mp4.enabled", true);
user_pref ("media.fragmented-mp4.exposed", true);
user_pref ("media.fragmented-mp4.ffmpeg.enabled", true);
user_pref ("media.fragmented-mp4.gmp.enabled", true);
user_pref ("media.fragmented-mp4.use-blank-decoder", false);

Share this post


Link to post

USER.JS ADDITIONAL NOTES

RESOURCES

http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
https://github.com/pyllyukko/user.js
https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
http://www.wilderssecurity.com/threads/firefox-lockdown.368003/


HARDENING FF RATIONALE

 

  • Limit the possibilities to track the user through web analytics;
  • Harden the browser, so it doesn't spill it's guts when asked;
  • Limit the browser from storing anything even remotely sensitive persistently (mostly just making sure private browsing is always on);
  • Make sure the browser doesn't reveal too much information to shoulder surfers;
  • Harden the browser's encryption (cipher suites and protocols);
  • Hopefully limit the attack surface by disabling various features; and
  • Still be at least somewhat usable in daily use.

 

WHAT FF INFORMATION IS STORED BY DEFAULT?

Answer: A lot!

 

Bookmarks and Browsing History: The places.sqlite file contains all your Firefox bookmarks and the list of all the websites you’ve visited. The bookmarkbackups folder stores bookmark backup files, which can be used to restore your bookmarks.

Bookmarks, Downloads and Browsing History: The places.sqlite file contains all your Firefox bookmarks and lists of all the files you've downloaded and websites you’ve visited. The bookmarkbackups folder stores bookmark backup files, which can be used to restore your bookmarks.

Passwords: Your passwords are stored in the key3.db and signons.sqlitelogins.json files.

Site-specific preferences: The permissions.sqlite and content-prefs.sqlite files store many of your Firefox permissions (for instance, which sites are allowed to display popups) or zoom levels that are set on a site-by-site basis. Certain websites are given the ability to store passwords, set cookies and more e.g. font size and zoom - increase the size of web pages.
   
Search engines: The search.sqlite file and searchplugins folder store the search engines that are available in the Firefox Search bar.
   
Personal dictionary: The persdict.dat file stores any custom words you have added to Firefox's dictionary.
   
Autocomplete history: The formhistory.sqlite file remembers what you have searched for in the Firefox search bar and what information you’ve entered into forms on websites.

Download history: The downloads.sqlite file remembers what you have downloaded.

Cookies: A cookie is a bit of information stored on your computer by a website you’ve visited. Usually this is something like your site preferences or login status. Cookies are all stored in the cookies.sqlite file.

DOM storage: DOM Storage is designed to provide a larger, more secure, and easier-to-use alternative to storing information in cookies. Information is stored in the webappsstore.sqlite file for websites and in the chromeappsstore.sqlite for about:* pages.

Security certificate settings: The cert8.db file stores all your security certificate settings and any SSL certificates you have imported into Firefox.

Security device settings: The secmod.db file is the security module database.

Download actions: The mimeTypes.rdf file stores your preferences that tell Firefox what to do when it comes across a particular type of file. For example, these are the settings that tell Firefox to open a PDF file with Acrobat Reader when you click on it.

Plugin MIME type: The pluginreg.dat file stores Internet media types related to your installed plugins.

Stored session: The sessionstore.js file stores the currently open tabs and windows.

Toolbar customization: The localstore.rdf file stores toolbar and window size/position settings.

Toolbar customization: The xulstore.json file stores toolbar and window size/position settings.

User preferences: The prefs.js file stores customized user preference settings, such as changes you make in Firefox OptionsPreferences dialogs. The optional user.js file, if one exists, will override any modified preferences.
   
User styles: If they exist, the \chrome\userChrome.css and \chrome\userContent.css files store user-defined changes to either how Firefox looks, or how certain websites or HTML elements look or act.


SUMMARY OF KEY CHANGES IN THE FF 'ULTIMATE' PROFILE*

* A summary of key changes can also be seen by running 'Troubleshooting Information' from the Help Menu in FF.

 

HTML5 / APIs / DOM

  •     Disable geolocation
  •     Don't reveal internal IP addresses (media.peerconnection.enabled)
  •     BeEF Module: Get Internal IP WebRTC
  •     browser.send_pings
  •     Disable WebGL
  •     Disable Battery API

Miscellaneous

  •     Enables Firefox's mixed content blocking (also for "display" content)
  •     Disables various your-browser-knows-better-let-me-guess-what-you-were-trying features
  •     Disable keyword guessing
  •     Disable Domain Guessing

Extensions / plugins related

It is common for client side attacks to target browser extensions, instead of the browser itself (just look at all those Java and Flash vulnerabilities).

Make sure your extensions and plugins are always up-to-date.

  •     Disable flash
  •     Enable click to play
  •     Enable add-on updates

Firefox features

  •     Enables Firefox's built-in tracking protection
  •     Disables telemetry, crash reporter, health report, heartbeat and other privacy invading crap

Automatic connections

This section disables some of Firefox's automatic connections.

  •     Disables prefetching
  •         network.prefetch-next
  •         network.dns.disablePrefetch
  •     Disable Necko/predictor
  •     Disable search suggestions

HTTP

  •     Referer header:
  •     Spoofs the referer header with network.http.referer.spoofSource & Network.http.sendRefererHeader
  •     "Don't send the Referer header when navigating from a https site to another https site."
  •     Don't accept 3rd party cookies

Caching

  •     Permanently enables private browsing mode
  •     Prevents Firefox from storing data filled in web page forms
  •     Disables password manager

UI related

  •     Don't suggest any URLs while typing at the address bar

TLS / HTTPS / OCSP related

  •     TLS v1.[012] only
  •     Ditch OCSP
  •         Notice that this setting has some privacy implications
  •     OCSP stapling (enabled by default anyway)
  •     Disable TLS session tickets
  •     Enforces pinning

Ciphers

This section tweaks the cipher suites used by Firefox. The idea is to support only the strongest ones with emphasis on forward secrecy, but without compromising compatibility with all those sites on the internet. As new crypto related flaws are discovered quite often, the cipher suites can be tweaked
to mitigate these newly discovered threats.

Here's a list of the ciphers with default config and Firefox 27.0.1:

Cipher Suites (23 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Here's the list with this config for FF 41.0.2:

Cipher Suites (8 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)


OTHER KNOWN PROBLEMS WITH 'ULTIMATE' FF PROFILE
 

 

Here's some examples:

  •     If you get "TypeError: localStorage is null", you probably need to enable local storage (dom.storage.enabled == true)
  •     If you get "sec_error_ocsp_invalid_signing_cert", it probably means that you don't have the required CA (see step further below)
  •     If you get "ssl_error_unsafe_negotiation", it means the server is vulnerable to CVE-2009-3555 and you need to disable security.ssl.require_safe_negotiation (not enabled currently)
  •     If you set browser.frames.enabled to false, probably a whole bunch of websites will break
  •     Some sites require the referer header (usually setting network.http.sendRefererHeader == 2 is enough to overcome this and the referer is still "spoofed")
  •     The IndexedDB is something that could potentially be used to track users, but it is also required by some browser add-ons in recent versions of Firefox.
  •     It would be best to disable this feature just to be on the safe side, but it is currently enabled, so that add-ons would work. See the following links for further info:

        Issue #8
        IndexedDB Security Review (this document also states that "IndexedDB is completely disabled in private browsing mode.", but this should still be verified)
        This discussion on mozillaZine Forums
        IndexedDB page at MDN

  •     Firefox Hello requires WebRTC, so you'll need to enable media.peerconnection.enabled & media.getusermedia.screensharing.enabled and apparently disable security.OCSP.require.
  •     Captive portals might not let OCSP requests through before authentication, so setting security.OCSP.require == false might be required before internet access is granted
  •     DNT is not set, so you need to enable it manually if you want (see the discussion in issue #11)
  •     The network.http.referer.spoofSource and network.http.sendRefererHeader settings seems to break the visualization of the 3rd party sites on the Lightbeam extension
  •     You can not view or inspect cookies when in private browsing (see https://bugzil.la/823941)
  •     Installation of user.js causes saved passwords to be removed from FF

TEST HARDENED FF BROWSER

Use some of the following online tests and compare your 'ultimate' FF profile with your default. You should be pleasantly surprised.
 

 

Online tests:

  •     Panopticlick
  •     www.filldisk.com
  •     SSL Client Test
  •     evercookie
  •     Mozilla Plugin Check
  •     BrowserSpy.dk
  •     Testing mixed content
  •         Similar from Microsoft
  •     WebRTC stuff
  •     Flash player version from Adobe
  •     Verify your installed Java Version
  •         Protip: Don't use Oracle's Java!! But if you really need it, update it regulary!
  •     IP check
  •     Onion test for CORS and WebSocket
  •     Firefox Addon Detector
  •         Blog post
  •     browserrecon??
  •     Official WebGL check
  •     battery.js
  •     RC4 fallback test
  •     Battery API

 

SECURE DESKTOP BROWSING ENVIRONMENTS - FINAL COMMENTS:

* Download media files where possible in preference to using flash or other plug-ins for streaming. For example, in GNU/Linux you can use youtube-dl to play the media with your native video player at the O/S level instead. Youtube-dl and certain other apps can also be combined with torsocks to provide greater anonymity and security.

* Ultimately, enhanced desktop browser security requires a minimum combination of:
- a GNU/Linux host O/S (itself hardened with AppArmor, strict firewalls/network locks and significantly reduced attack vectors); and
- OpenVPN and Tor Browser run in combination.

* The BEST available O/S security for the average (capable) desktop user requires either running a hypervisor over the top e.g. Whonix running in Virtualbox from clean images, or (even better!) a Xen system running off the bare computer metal (e.g. Qubes). This SIGNIFICANTLY reduces attack vectors and limits the potential damage that can be caused by hackers, unless they are really, really good.

* AFAIK, CRITICAL anonymous browsing with forensic considerations necessitates the use of TAILS with a non-persistent volume. Under normal circumstances, data trails are otherwise left on swap partitions and sectors of HDD/SSDs marked as 'dead/clean', even after 'secure, military-grade' wipes of the digital media!

* TAILS can be used safely in infected computers, except (?) those pwned at the firmware level: double-check the TAILS forum for the latest security advice!

* Using FOSS full disk encryption (e.g. LUKS) with a sufficiently large passphrase may be best practice if browsing directly from a standard Linux/Windoze/Mac operating system, or separately encrypting the swap, root and home partitions at the block level.

* Semi-regularly zero out free space on your drives for greater security alongside thorough use of BleachBit.

 

Good luck!

Share this post


Link to post

/********
ULTIMATE HARDENED FIREFOX USER.JS - AIRVPN CLEAN EDITION v2.0        8~]

Based on:

url: http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
url: https://github.com/pyllyukko/user.js

INSTRUCTIONS

1. Save this text as user.js and place it under a newly created FF profile (see steps below). In Linux:

2. Alt-F2

3. Firefox -P

4. "Create New Profile" & "Create a new folder" for this FF profile

5. Uncheck "Use the Selected Profile without asking at startup"

6. Drop this user.js file into ~/.mozilla/Firefox/your_new_profile_name

7. Restart FF with new profile & install add-ons: HTTPS Everywhere, No Script, Privacy Badger, UBlock Origin, Random Agent Spoofer, Canvas Block and Self-destructing Cookies.

*********/

// STARTUP

// 0100: STARTUP

// 0101: Disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.shell.checkDefaultBrowser", false);

// GEO

// 0200: GEO

// 0201: Disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "http://127.0.0.1");
user_pref("browser.search.geoip.url", "");

// 0202: Disable GeoIP-based search results
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");

// QUIET Fox Part 1

// 0300: QUIET FOX [PART 1] - "ET no phone home" for anything - manual updates are still possible

// 0301: Disable browser auto update
user_pref("app.update.enabled", false);

// 0302: Disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);

// 0303: Disable search update
user_pref("browser.search.update", false);

// 0304: Disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);

// 0305: Disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);

// 0306: Disable add-on metadata updating
user_pref("extensions.getAddons.cache.enabled", false);

// 0307: Disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);

// 0308: Disable update plugin notifications
user_pref("plugins.update.notifyUser", false);

// GITHUB #1: Enable Information Bar for Outdated Plugins
user_pref("plugins.hide_infobar_for_outdated_plugin", false);

// 0309: Disable sending plugin crash reports - keep FF quiet
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);

// 0310: Disable sending the URL of the website where a plugin crashed
user_pref("dom.ipc.plugins.reportCrashURL", false);

// 0320: Disable extension discovery
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");

// 0330: Disable telemetry
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);

// 0331: Remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");

// 0332: Disable archiving pings locally
user_pref("toolkit.telemetry.archive.enabled", false);

// 0333: Disable health report
user_pref("datareporting.healthreport.uploadEnabled",    false);
user_pref("datareporting.healthreport.documentServerURI", "");
user_pref("datareporting.healthreport.service.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);

// 0340: Disable experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);

// 0341: Disable mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);

// 0350: Disable crash reports
user_pref("breakpad.reportURL", "");

// 0360: Disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);

// GITHUB #2: Control newtab behaviour
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.url", "about:blank");

// 0370: Control snippet service
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");

// 0371: Disable heartbeat
user_pref("browser.selfsupport.url", "");

// 0372: Disable hello
user_pref("loop.enabled", false);

// 0373: Disable pocket, remove urls for good measure
user_pref("browser.pocket.enabled", false);
user_pref("reader.parse-on-load.enabled", false);
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.site", "");

// 0374: Disable "social" integration
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);

// QUIET Fox Part 2

// 0400: QUIET FOX [PART 2] - Security, tracking and privacy implications

/// 0401: Don't disable extension blocklist
user_pref("extensions.blocklist.enabled", true);

// 0402: Disable block reported web forgeries
user_pref("browser.safebrowsing.enabled", false);

// 0410: Disable block reported attack sites
user_pref("browser.safebrowsing.malware.enabled", false);

// 0411: Disable safebrowsing urls & download
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.appRepURL", "");
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");

// 0420: Disable tracking protection
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.polaris.enabled", false);
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);

// GITHUB #3: Enable IDN Show Punycode
user_pref("network.IDN_show_punycode", true);

// GITHUB #4: Disallow NTLMv1
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
user_pref("network.stricttransportsecurity.preloadlist", true);

// BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

// 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

// 0601: Disable link prefetching
user_pref("network.prefetch-next", false);

// 0602: Disable dns prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);

// 0603: Disable seer/necko
user_pref("network.predictor.enabled", false);

// 0604: Disable search suggestions
user_pref("browser.search.suggest.enabled", false);

// 0605: Disable link-mouseover opening connection to linked server
user_pref("network.http.speculative-parallel-limit", 0);

// 0606: Disable pings (but enforce same host in case)
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);

// LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY etc

// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc

// 0801: Disable location bar using search, give error message instead
user_pref("keyword.enabled", false);

// 0802: Disable location bar domain guessing
user_pref("browser.fixup.alternate.enabled", false);

// 0803: Disable location bar dropdown
user_pref("browser.urlbar.maxRichResults", 0);

// 0804: Display all parts of the url
user_pref("browser.urlbar.trimURLs", false);

// 0805: Disable URLbar autofill
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);

// 0806: Disable autocomplete
user_pref("browser.urlbar.autocomplete.enabled", false);

// 0807: Disable history manipulation  
user_pref("browser.history.allowPopState", true);
user_pref("browser.history.allowPushState", true);
user_pref("browser.history.allowReplaceState", true);

// GITHUB #5: Don't remember browsing history
user_pref("places.history.enabled", false);

// GITHUB #6: Delete History and Form Data
user_pref("browser.history_expire_days", 0);
user_pref("browser.history_expire_sites", 0);
user_pref("browser.history_expire_visits", 0);

// 0808: Disable history suggestions
user_pref("browser.urlbar.suggest.history", false);

// 0809: Limit history PER TAB (back/forward)
user_pref("browser.sessionhistory.max_entries", 4);

// 0810: Disable css querying page history
user_pref("layout.css.visited_links_enabled", false);

// 0811: Disable displaying Javascript in history URLs
user_pref("browser.urlbar.filter.javascript", true);

// 0812: Disable saving information entered in web forms AND the search bar
user_pref("browser.formfill. enable", false);

// 0813: Disable saving form data on secure websites (default=true)
user_pref("browser.formfill.saveHttpsForms", false);

// 0814: Disable auto-filling username & password form fields
user_pref("signon.autofillForms", false);

// GITHUB #7: Disable Prompting for Credential Storage
user_pref("security.ask_for_password", 0);

// GITHUB #8: Disallow Credential Storage
user_pref("signon.rememberSignons", false);

// CACHE

// 1000: CACHE

// 1001: Disable disk cache
user_pref("browser.cache.disk.enable", false);

// 1002: Disable disk caching of SSL pages
user_pref("browser.cache.disk_cache_ssl", false);

// 1003: Disable memory cache
user_pref("browser.cache.memory.enable", false);

// 1004: Disable offline cache
user_pref("browser.cache.offline.enable", false);

// 1005: Disable storing extra session data
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);

// GITHUB #9: Remove sessionstore data
user_pref("browser.sessionstore.postdata", 0);
user_pref("browser.sessionstore.enabled", false);

// SSL / OCSP / CIPHERS

// 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS)

// GITHUB #10: Warn of missing SSL
user_pref("security.ssl.warn_missing_rfc5746", 1);

// GITHUB #11: TLS 1.[012]
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
user_pref("security.warn_entering_weak", true);

// 1201: Block rc4 fallback and disable whitelist
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);

// 1203: OSCP stapling
user_pref("security.ssl.enable_ocsp_stapling", false);

// 1204: Security renegotiation
// user_pref("security.ssl.require_safe_negotiation", true);

// 1205: Display warning (red padlock) for "broken security"
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

// 1206: Require certificate revocation check through OCSP protocol
user_pref("security.OCSP.require", false);

// 1207: Query OCSP responder servers to confirm current validity of certificates
user_pref("security.OCSP.enabled", 0);

// 1208: Enforce strict pinning
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("security.ssl.errorReporting.automatic", false);

// GITHUB #12: Disable null ciphers
user_pref("security.ssl3.rsa_null_sha", false);
user_pref("security.ssl3.rsa_null_md5", false);
user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdh_rsa_null_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);

// GITHUB #13: Seed
user_pref("security.ssl3.rsa_seed_sha", false);

// GITHUB #14: 40 bits
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);

// GITHUB #15: 56 bits
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);

// GITHUB #16: 128 bits
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);

// GITHUB #17: RC4
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.tls.unrestricted_rc4_fallback", false);

// GITHUB #18: 3DES
user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);

// GITHUB #19: Ciphers with ECDH (without /e$/)
user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);

// GITHUB #20: 256 bits without PFS
user_pref("security.ssl3.rsa_camellia_256_sha", false);

// GITHUB #21: Ciphers with ECDHE and > 128bits
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);

// GITHUB #22: GCM, yes please!
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);

// GITHUB #23: Susceptible to the logjam attack
user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);

// GITHUB #24: Ciphers with DSA (max 1024 bits)
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);

// GITHUB #25: Fallbacks due compatibility reasons
user_pref("security.ssl3.rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_aes_128_sha", true);

// FONTS

// 1400: FONTS

// 1401: Disable website downloading fonts
user_pref("browser.display.use_document_fonts", 0);

// 1402: But for FF41+ allow icon fonts (gylphs) through
user_pref("gfx.downloadable_fonts.enabled", true);

// 1403: iSEC Partners Report recommends disabling
user_pref("gfx.font_rendering.opentype_svg.enabled", false);

// HEADERS

// 1600: HEADERS

// 1601: Disable Referer from an SSL Website
user_pref("network.http.sendSecureXSiteReferrer", false);

// 1602: DNT HTTP header
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.donottrackheader.value", 1);

// 1603: Referrer
user_pref("network.http.sendRefererHeader",2);
user_pref("network.http.referer.spoofSource", true);

// PLUGINS

// 1800: PLUGINS

// 1801: Set default plugin state
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);

// 1802: Enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);
user_pref("plugin.state.flash", 0);

// 1803: Remove plugin finder service
user_pref("pfs.datasource.url", "");

// 1804: Disable plugin enumeration
user_pref("plugins.enumerable_names", "");
user_pref("security.xpconnect.plugin.unrestricted", false);

// 1805: Disable scanning for plugins
user_pref("plugin.scan.plid.all", false);

// 1806: Acrobat, Quicktime, WMP are handled separately
user_pref("plugin.scan.Acrobat", 99999);
user_pref("plugin.scan.Quicktime", 99999);
user_pref("plugin.scan.WindowsMediaPlayer", 99999);

// 1807: Disable auto-play of HTML5 media
user_pref("media.autoplay.enabled", false);

// 1808: Disable OpenH264
user_pref("media.gmp-provider.enabled", false);

// MEDIA / CAMERA / MIKE

// 2000: MEDIA / CAMERA / MIKE

// 2001: Disable webRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);

// 2002: Disable WebRTC auto-connections
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");

// 2003: Disable EME bits
user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);

// 2004: GetUserMedia
user_pref("media.navigator.enabled", false);

// 2010: Disable webGL
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);

// 2020: Disable video statistics fingerprinting vector
user_pref("media.video_stats.enabled", false);

// 2021: Disable speech recognition
user_pref("media.webspeech.recognition.enable", false);

// 2022: Disable screensharing
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");

// 2023: Disable camera stuff
user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);

// UI meddling

// 2200: UI meddling

// 2201: Disable website control over rightclick context menu
user_pref("dom.event.contextmenu.enabled", false);

// GITHUB #26: Disable DOM web notifications
user_pref("dom.webnotifications.enabled", false);

// 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);

// 2203: POPUP windows - prevent or allow javascript UI meddling
user_pref("dom.disable_window_flip", true); // window z-order
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);

// DOM - JAVASCRIPT

// 2400: DOM - JAVASCRIPT

// GITHUB #27: Disable javascript options
user_pref("javascript.options.methodjit.chrome", false);
user_pref("javascript.options.methodjit.content", false);
user_pref("javascript.options.asmjs", false);

// 2401: Disable dom storage
user_pref("dom.storage.enabled", false);

// 2402: Disable website access to clipboard events
user_pref("dom.event.clipboardevents.enabled", false);

// 2403: Disable scripts changing images eg google maps - will break a lot of web apps
// user_pref("dom.disable_image_src_set", true);

// 2404: Disable JS storing data permanently
user_pref("dom.indexedDB.enabled", false);

// 2405: Web telephony
user_pref("dom.telephony.enabled", false);

// 2406: Disable gamepad API
user_pref("dom.gamepad.enabled", false);

// 2407: Disable battery API
user_pref("dom.battery.enabled", false);

// 2408: Disable network API
user_pref("dom.network.enabled", false);

// 2409: Disable giving away network info
user_pref("dom.netinfo.enabled", false);

// 2410: Disable User Timing API
user_pref("dom.enable_user_timing", false);

// 2411: Disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);

// 2412: Javascript performace fingerprinting
user_pref("dom.enable_performance", false);

// 2413: Disable virtual reality devices
user_pref("dom.vr.enabled", false);

// 2414: Disable shaking the screen
user_pref("dom.vibrator.enabled", false);

// 2415: Max popups from a single non-click event
user_pref("dom.popup_maximum", 3);

// 2416: Disable idle observation
user_pref("dom.idle-observers-api.enabled", false);

// 2417: Disable SharedWorkers for now
user_pref("dom.workers.sharedWorkers.enabled", false);

// 2418: Disbale full-screen API
user_pref("full-screen-api.enabled", false);

// MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY

// 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY

// 2601: Disable sending additional analytics to web servers
user_pref("beacon.enabled", false);

// 2602: Disable downloading on desktop
user_pref("browser.download.folderList", 2);

// 2603: Always ask the user where to download
user_pref("browser.download.useDownloadDir", false);

// 2604: Delete temp files on exit
user_pref("browser.helperApps.deleteTempFileOnExit", true);

// 2605: Don't integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);

// GITHUB #28: Delete download history
user_pref("browser.download.manager.retention", 0);

// 2606: Disable hiding mime types in prefs applications tab that are not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);

// 2607: Disable page thumbnails
user_pref("browser.pagethumbnails.capturing_disabled", true);

// 2608: Disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);

// 2609: Disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);

// 2610: Disable insecure passive content (such as images) on https pages - mixed context
user_pref("security.mixed_content.block_display_content", true);

// GITHUB #29: Content security policy
user_pref("security.csp.enable", true);
user_pref("security.csp.experimentalEnabled", true);

// 2611: Disable WebIDE to prevent remote debugging and addon downloads
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);

// GITHUB #30: Strict File URI Origin Policy
user_pref("security.fileuri.strict_origin_policy", true);

// GITHUB #31: Sub-resource integrity
user_pref("security.sri.enable", true);

// 2612: Disable SimpleServiceDiscovery
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);

// 2613: Disable device sensor API
user_pref("device.sensors.enabled", false);

// 2614: Disable SPDY
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);

// 2615: Disable http/2 for now as well
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);

// 2617: Disable pdf.js
user_pref("pdfjs.disabled", true);

// 2618: When using SOCKS have the proxy server do the DNS lookup
user_pref("network.proxy.socks_remote_dns", true);

// 2619: limit  HTTP redirects
// user_pref("network.http.redirection-limit", 20);

// PERSONAL SETTINGS (with privacy implications)

// 2800: PERSONAL SETTINGS [that have PRIVACY implications]

// 2801: Disable cookies
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetimePolicy", 2);

// 2082: Enable FF to clear stuff on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);

// 2803: Tell FF what to clear
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", true);
user_pref("privacy.clearOnShutdown.sessions", true); // active logins
user_pref("privacy.clearOnShutdown.siteSettings", true);

// 2804: (To match above)
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.sessions", true);
user_pref("privacy.cpd.siteSettings", true);

// GITHUB #32: Always use private browsing
user_pref("browser.privatebrowsing.autostart", true);

// Personal Handy Settings

// 3000: PERSONAL HANDY SETTINGS

// 3001: Disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);

// 3001a  Disable warning when a domain requests full screen
// user_pref("full-screen-api.warning.timeout", 0); // FF43+

// 3002: Disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);

// 3003: Disable new search panel UI
user_pref("browser.search.showOneOffButtons", false);

// 3004: Disable backspace
user_pref("browser.backspace_action", 2);

// 3005: Disable autocopy default
user_pref("clipboard.autocopy", false);

//3006: Turn on full native HTML5 player support
user_pref ("media.fragmented-mp4.enabled", true);
user_pref ("media.fragmented-mp4.exposed", true);
user_pref ("media.fragmented-mp4.ffmpeg.enabled", true);
user_pref ("media.fragmented-mp4.gmp.enabled", true);
user_pref ("media.fragmented-mp4.use-blank-decoder", false);

Share this post


Link to post

/********
HARDENED FIREFOX USER.JS v2.1 - "Codename cmOs"

Based on:

1. url: http://www.ghacks.ne...urity-settings/
2. url: https://github.com/pyllyukko/user.js
3. Compatible Tor Browser v5.5a4 about:config changes
4. Deprecated items noted by Martin Brinkman (GHacks) @ 11/11/15
5. Additional author items

INSTRUCTIONS

1. Save this text as user.js and place it under a newly created FF profile (see steps below). In Linux:

2. Alt-F2

3. Firefox -P

4. "Create New Profile" & "Create a new folder" for this FF profile

5. Uncheck "Use the Selected Profile without asking at startup"

6. Drop this user.js file into ~/.mozilla/Firefox/your_new_profile_name

7. Restart FF with new profile

8. Immediately install these add-ons: HTTPS Everywhere, No Script, Privacy Badger, UBlock Origin, Random Agent Spoofer, Canvas Block and Self-Destructing Cookies.

*********/

// STARTUP

// 0100: STARTUP

// 0101: Disable "slow startup" warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.shell.checkDefaultBrowser", false);

// GEO

// 0200: GEO

// 0201: Disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "http://127.0.0.1");
user_pref("browser.search.geoip.url", "");

// 0202: Disable GeoIP-based search results
user_pref("browser.search.countryCode", "US");
user_pref("browser.search.region", "US");

// QUIET FOX PART 1

// 0300: QUIET FOX [PART 1] - Don't phone home for anything; manual updates are still possible

// 0301: Disable browser auto update
user_pref("app.update.enabled", false);

// 0302: Disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);

// 0303: Disable search update
user_pref("browser.search.update", false);

// 0304: Disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);

// 0305: Disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);

// 0306: Disable add-on metadata updating
user_pref("extensions.getAddons.cache.enabled", false);

// 0307: Disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);

// 0308: Disable update plugin notifications
user_pref("plugins.update.notifyUser", false);

// 0309: Enable Information Bar for Outdated Plugins
user_pref("plugins.hide_infobar_for_outdated_plugin", false);

// 0310: Disable sending plugin crash reports - keep FF quiet
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);

// 0311: Disable sending the URL of the website where a plugin crashed
user_pref("dom.ipc.plugins.reportCrashURL", false);

// 0320: Disable extension discovery
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");

// 0330: Disable telemetry
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);

// 0331: Remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");

// 0332: Disable archiving pings locally
user_pref("toolkit.telemetry.archive.enabled", false);

// 0333: Disable health report
user_pref("datareporting.healthreport.uploadEnabled",    false);
user_pref("datareporting.healthreport.documentServerURI", "");
user_pref("datareporting.healthreport.service.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);

// 0340: Disable experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);

// 0341: Disable mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);

// 0350: Disable crash reports
user_pref("breakpad.reportURL", "");

// 0360: Disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);

// 0361: Control newtab behaviour
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.url", "about:blank");

// 0370: Control snippet service
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");

// 0371: Disable heartbeat
user_pref("browser.selfsupport.url", "");

// 0372: Disable hello
user_pref("loop.enabled", false);

// 0373: Disable pocket, remove urls for good measure
user_pref("browser.pocket.enabled", false);
user_pref("reader.parse-on-load.enabled", false);
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.site", "");

// 0374: Disable "social" integration
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);

// QUIET FOX PART 2

// 0400: QUIET FOX [PART 2] - Security, tracking and privacy implications

// 0401: Don't disable extension blocklist
user_pref("extensions.blocklist.enabled", true);

// 0402: Disable block reported web forgeries
user_pref("browser.safebrowsing.enabled", false);

// 0410: Disable block reported attack sites
user_pref("browser.safebrowsing.malware.enabled", false);

// 0411: Disable safebrowsing urls & download
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.appRepURL", "");
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");

// 0420: Disable tracking protection
user_pref("privacy.trackingprotection.enabled", false);
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);

// 0430: Enable IDN Show Punycode
user_pref("network.IDN_show_punycode", true);

// 0440: Disallow NTLMv1
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
user_pref("network.stricttransportsecurity.preloadlist", true);

// BLOCK IMPLICIT OUTBOUND

// 0600: BLOCK IMPLICIT OUTBOUND (not explicitly asked for - eg clicked on)

// 0601: Disable link prefetching
user_pref("network.prefetch-next", false);

// 0602: Disable dns prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true);

// 0603: Disable seer/necko
user_pref("network.predictor.enabled", false);

// 0604: Disable search suggestions
user_pref("browser.search.suggest.enabled", false);

// 0605: Disable link-mouseover opening connection to linked server
user_pref("network.http.speculative-parallel-limit", 0);

// 0606: Disable pings (but enforce same host in case)
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);

// LOCATION / SEARCH / HISTORY etc

// 0800: LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc

// 0801: Disable location bar using search, give error message instead
user_pref("keyword.enabled", false);

// 0802: Disable location bar domain guessing
user_pref("browser.fixup.alternate.enabled", false);

// 0803: Disable location bar dropdown
user_pref("browser.urlbar.maxRichResults", 0);

// 0804: Display all parts of the url
user_pref("browser.urlbar.trimURLs", false);

// 0805: Disable URLbar autofill
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);

// 0806: Disable autocomplete
user_pref("browser.urlbar.autocomplete.enabled", false);

// 0807: Disable history manipulation  
user_pref("browser.history.allowPopState", true);
user_pref("browser.history.allowPushState", true);
user_pref("browser.history.allowReplaceState", true);

// 0808: Don't remember browsing history
user_pref("places.history.enabled", false);

// 0809: Delete History and Form Data
user_pref("browser.history_expire_days", 0);
user_pref("browser.history_expire_sites", 0);
user_pref("browser.history_expire_visits", 0);

// 0810: Disable history suggestions
user_pref("browser.urlbar.suggest.history", false);

// 0811: Limit history PER TAB (back/forward)
user_pref("browser.sessionhistory.max_entries", 4);

// 0812: Disable css querying page history
user_pref("layout.css.visited_links_enabled", false);

// 0813: Disable displaying Javascript in history URLs
user_pref("browser.urlbar.filter.javascript", true);

// 0814: Disable saving information entered in web forms AND the search bar
user_pref("browser.formfill. enable", false);

// 0815: Disable saving form data on secure websites (default=true)
user_pref("browser.formfill.saveHttpsForms", false);

// 0816: Disable auto-filling username & password form fields
user_pref("signon.autofillForms", false);

// 0817: Disable Prompting for Credential Storage
user_pref("security.ask_for_password", 0);

// 0818: Disallow Credential Storage
user_pref("signon.rememberSignons", false);

// CACHE

// 1000: CACHE

// 1001: Disable disk cache
user_pref("browser.cache.disk.enable", false);

// 1002: Disable disk caching of SSL pages
user_pref("browser.cache.disk_cache_ssl", false);

// 1003: Disable memory cache
user_pref("browser.cache.memory.enable", false);

// 1004: Disable offline cache
user_pref("browser.cache.offline.enable", false);

// 1005: Disable storing extra session data
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);

// 1006: Remove sessionstore data
user_pref("browser.sessionstore.postdata", 0);
user_pref("browser.sessionstore.enabled", false);

// SSL / OCSP / CIPHERS

// 1200: SSL / OCSP / CERTS / ENCRYPTION (CIPHERS)

// 1201: Warn of missing SSL
user_pref("security.ssl.warn_missing_rfc5746", 1);

// 1202: TLS 1.[012]
user_pref("security.tls.version.min", 1);
user_pref("security.tls.version.max", 3);
user_pref("security.warn_entering_weak", true);

// 1203: OSCP stapling
user_pref("security.ssl.enable_ocsp_stapling", false);

// 1204: Security renegotiation
// user_pref("security.ssl.require_safe_negotiation", true);

// 1205: Display warning (red padlock) for "broken security"
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

// 1206: Require certificate revocation check through OCSP protocol
user_pref("security.OCSP.require", false);

// 1207: Query OCSP responder servers to confirm current validity of certificates
user_pref("security.OCSP.enabled", 0);

// 1208: Enforce strict pinning
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("security.ssl.errorReporting.automatic", false);

// 1209: Disable null ciphers
user_pref("security.ssl3.rsa_null_sha", false);
user_pref("security.ssl3.rsa_null_md5", false);
user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdh_rsa_null_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);

// 1210: Seed
user_pref("security.ssl3.rsa_seed_sha", false);

// 1211: 40 bits
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);

// 1212: 56 bits
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);

// 1213: 128 bits
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);

// 1214: RC4
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);

// 1215: 3DES
user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);

// 1216: Ciphers with ECDH (without /e$/)
user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);

// 1217: 256 bits without PFS
user_pref("security.ssl3.rsa_camellia_256_sha", false);

// 1218: Ciphers with ECDHE and > 128bits
user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);

// 1219: GCM, yes please!
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", true);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);

// 1220: Susceptible to the logjam attack
user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);

// 1221: Ciphers with DSA (max 1024 bits)
user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);

// 1222: Fallbacks due compatibility reasons
user_pref("security.ssl3.rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_aes_128_sha", true);

// FONTS

// 1400: FONTS

// 1401: Disable website downloading fonts
user_pref("browser.display.use_document_fonts", 0);

// 1402: But for FF41+ allow icon fonts (gylphs) through
user_pref("gfx.downloadable_fonts.enabled", true);

// 1403: iSEC Partners Report recommends disabling
user_pref("gfx.font_rendering.opentype_svg.enabled", false);

// HEADERS

// 1600: HEADERS

// 1601: Disable Referer from an SSL Website
user_pref("network.http.sendSecureXSiteReferrer", false);

// 1602: DNT HTTP header
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.donottrackheader.value", 1);

// 1603: Referrer
user_pref("network.http.sendRefererHeader",2);
user_pref("network.http.referer.spoofSource", true);

// PLUGINS

// 1800: PLUGINS

// 1801: Set default plugin state
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);

// 1802: Enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalinminutes", 0);
user_pref("plugin.state.flash", 0);

// 1803: Remove plugin finder service
user_pref("pfs.datasource.url", "");

// 1804: Disable plugin enumeration
user_pref("security.xpconnect.plugin.unrestricted", false);

// 1805: Disable scanning for plugins
user_pref("plugin.scan.plid.all", false);

// 1806: Acrobat, Quicktime, WMP are handled separately
user_pref("plugin.scan.Acrobat", 99999);
user_pref("plugin.scan.Quicktime", 99999);
user_pref("plugin.scan.WindowsMediaPlayer", 99999);

// 1807: Disable auto-play of HTML5 media
user_pref("media.autoplay.enabled", false);

// 1808: Disable OpenH264
user_pref("media.gmp-provider.enabled", false);

// MEDIA / CAMERA / MIKE

// 2000: MEDIA / CAMERA / MIKE

// 2001: Disable webRTC
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);

// 2002: Disable WebRTC auto-connections
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.url", "");

// 2003: Disable EME bits
user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);

// 2004: GetUserMedia
user_pref("media.navigator.enabled", false);

// 2010: Disable webGL
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);

// 2020: Disable video statistics fingerprinting vector
user_pref("media.video_stats.enabled", false);

// 2021: Disable speech recognition
user_pref("media.webspeech.recognition.enable", false);

// 2022: Disable screensharing
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");

// 2023: Disable camera stuff
user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);

// UI meddling

// 2200: UI meddling

// 2201: Disable website control over rightclick context menu
user_pref("dom.event.contextmenu.enabled", false);

// 2202: Disable DOM web notifications
user_pref("dom.webnotifications.enabled", false);

// 2203: UI SPOOFING: disable scripts hiding or disabling the following on new windows
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);

// 2204: POPUP windows - prevent or allow javascript UI meddling
user_pref("dom.disable_window_flip", true); // window z-order
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);

// DOM - JAVASCRIPT

// 2400: DOM - JAVASCRIPT

// 2401: Disable javascript options
user_pref("javascript.options.methodjit.chrome", false);
user_pref("javascript.options.methodjit.content", false);
user_pref("javascript.options.asmjs", false);

// 2402: Disable dom storage
user_pref("dom.storage.enabled", false);

// 2403: Disable website access to clipboard events
user_pref("dom.event.clipboardevents.enabled", false);

// 2404: Disable scripts changing images eg google maps - will break a lot of web apps
// user_pref("dom.disable_image_src_set", true);

// 2405: Disable JS storing data permanently
user_pref("dom.indexedDB.enabled", false);

// 2406: Web telephony
user_pref("dom.telephony.enabled", false);

// 2407: Disable gamepad API
user_pref("dom.gamepad.enabled", false);

// 2408: Disable battery API
user_pref("dom.battery.enabled", false);

// 2409: Disable network API
user_pref("dom.network.enabled", false);

// 2410: Disable giving away network info
user_pref("dom.netinfo.enabled", false);

// 2411: Disable User Timing API
user_pref("dom.enable_user_timing", false);

// 2412: Disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);

// 2413: Javascript performace fingerprinting
user_pref("dom.enable_performance", false);

// 2414: Disable virtual reality devices
user_pref("dom.vr.enabled", false);

// 2415: Disable shaking the screen
user_pref("dom.vibrator.enabled", false);

// 2416: Max popups from a single non-click event
user_pref("dom.popup_maximum", 3);

// 2417: Disable idle observation
user_pref("dom.idle-observers-api.enabled", false);

// 2418: Disable SharedWorkers for now
user_pref("dom.workers.sharedWorkers.enabled", false);

// 2419: Disbale full-screen API
user_pref("full-screen-api.enabled", false);

// MISC - LEAKS

// 2600: LEAKS / FINGERPRINTING / PRIVACY / SECURITY

// 2601: Disable sending additional analytics to web servers
user_pref("beacon.enabled", false);

// 2602: Disable downloading on desktop
user_pref("browser.download.folderList", 2);

// 2603: Always ask the user where to download
user_pref("browser.download.useDownloadDir", false);

// 2604: Delete temp files on exit
user_pref("browser.helperApps.deleteTempFileOnExit", true);

// 2605: Don't integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);

// 2606: Delete download history
user_pref("browser.download.manager.retention", 0);

// 2607: Disable hiding mime types in prefs applications tab that are not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);

// 2608: Disable page thumbnails
user_pref("browser.pagethumbnails.capturing_disabled", true);

// 2609: Disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);

// 2610: Disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);

// 2611: Disable insecure passive content (such as images) on https pages - mixed context
user_pref("security.mixed_content.block_display_content", true);

// 2612: Content security policy
user_pref("security.csp.enable", true);
user_pref("security.csp.experimentalEnabled", true);

// 2613: Disable WebIDE to prevent remote debugging and addon downloads
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);

// 2614: Strict File URI Origin Policy
user_pref("security.fileuri.strict_origin_policy", true);

// 2615: Sub-resource integrity
user_pref("security.sri.enable", true);

// 2616: Disable SimpleServiceDiscovery
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);

// 2617: Disable device sensor API
user_pref("device.sensors.enabled", false);

// 2618: Disable SPDY
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.v3-1", false);

// 2619: Disable http/2 for now as well
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);

// 2620: Disable pdf.js
user_pref("pdfjs.disabled", true);

// 2621: When using SOCKS have the proxy server do the DNS lookup
user_pref("network.proxy.socks_remote_dns", true);

// 2622: limit  HTTP redirects
// user_pref("network.http.redirection-limit", 20);

// PERSONAL SETTINGS (with privacy implications)

// 2800: PERSONAL SETTINGS [that have PRIVACY implications]

// 2801: Disable cookies
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetimePolicy", 2);

// 2802: Enable FF to clear stuff on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);

// 2803: Tell FF what to clear
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.passwords", true);
user_pref("privacy.clearOnShutdown.sessions", true); // active logins
user_pref("privacy.clearOnShutdown.siteSettings", true);

// 2804: (To match above)
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", true);
user_pref("privacy.cpd.sessions", true);
user_pref("privacy.cpd.siteSettings", true);

// 2805: Always use private browsing
user_pref("browser.privatebrowsing.autostart", true);

// HANDY SETTINGS

// 3000: PERSONAL HANDY SETTINGS

// 3001: Disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);

// 3002: Disable warning when a domain requests full screen
// user_pref("full-screen-api.warning.timeout", 0); // FF43+

// 3003: Disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);

// 3004: Disable new search panel UI
user_pref("browser.search.showOneOffButtons", false);

// 3005: Disable backspace
user_pref("browser.backspace_action", 2);

// 3006: Disable autocopy default
user_pref("clipboard.autocopy", false);

//3007: Turn on full native HTML5 player support
user_pref ("media.fragmented-mp4.enabled", true);
user_pref ("media.fragmented-mp4.exposed", true);
user_pref ("media.fragmented-mp4.ffmpeg.enabled", true);
user_pref ("media.fragmented-mp4.gmp.enabled", true);
user_pref ("media.fragmented-mp4.use-blank-decoder", false);

// 4000: TOR BROWSER BUNDLE ABOUT:CONFIG CHANGES

// 4001: Compatible Tor Browser config changes v5.5a4
user_pref ("accessibility.typeaheadfind.flashBar", 0); //The Find Toolbar has flashed before; don’t flash when text is found
user_pref ("browser.cache.disk.capacity", 0); //Tor = 358400. 0 = do not cache files on the hard-drive
user_pref ("browser.cache.disk.smart_size.first_run", false); //Indicates whether or not this is the first time smart sizing has been used
user_pref ("browser.cache.frecency_experiment", -1); //Tor = 1. -1 disables experimental HTTP_CACHE_MISS_HALFLIFE_EXPERIMENT telemetry and the preferred value for frecency is set to 6hrs
user_pref ("gfx.font_rendering.graphite.enabled", false);
user_pref ("javascript.options.baselinejit", false); //Tor setting is javascript.options.baselinejit.content
user_pref ("javasscript.options.ion", false); //Tor setting is javascript.options.ion.content
user_pref ("network.jar.block-remote-files", true); //.jar are rarely used and potentially dangerous
user_pref ("network.predictor.cleaned-up", true); //Unclear what it does, but recommended in multiple forums

// 5000: DESTROY ADDITIONAL CACHES & URL REPORTING

// 5001: Eliminate additional caches
user_pref ("browser.cache.check_doc_frequency", 2); //Compare the page in cache to the page on the network (1 = Every time I view the page, 0 = Once per session, 3 = When the page is out of date (default), 2 = Never)
//user_pref ("browser.cache.disk.filesystem_reported", 0); //Unclear, so left at default (1) for the moment
user_pref ("browser.cache.disk.free_space_hard_limit", 0); //Zero space
user_pref ("browser.cache.disk.free_space_soft_limit", 0); //Zero space
user_pref ("browser.cache.disk.max_chunks_memory_usage", 0); //Zero space
user_pref ("browser.cache.disk.max_entry_size", 0); //Zero space
user_pref ("browser.cache.disk.max_priority_chunks_memory_usage", 0); //Zero space
user_pref ("browser.cache.disk.metadata_memory_limit",0); //Zero space
user_pref ("browser.cache.disk.preload_chunk_count", 0); //Zero space
user_pref ("browser.cache.disk.smart_size.use_old_max", false); //Indicates whether to use old cache disk smart size
//user_pref ("browser.cache.frecency_half_life_hours", 0); //Redundant, as set browser.cache.frecency_experiment to -1 defaults frecency to 6hrs
user_pref ("browser.cache.memory.max_entry_size", 0); //The maximum size of an entry in the disk cache
user_pref ("browser.cache.offline.capacity", 0); //Total offline capacity for cache

// 5002: Disable reporting safebrowsing mistake URLs / geo-specific results
user_pref ("browser.safebrowsing.reportMalwareMistakeURL", ""); //Disable further reporting
user_pref ("browser.safebrowsing.reportPhishMistakeURL", ""); //Disable further reporting
user_pref ("browser.search.geoSpecificDefaults.url", ""); //Disable geo-specific results

Share this post


Link to post

I am having hell on the Windows side attempting to get Firefox v42 to accept the user.js file at all. It simply does not ever apply. Yes, I made a new profile and put it in there before it was ever started. I tried restarting repeatedly, but it never even accesses the file.

 

Anyone have any ideas on how to get this working without hoping into about:config and manually adding/changing each and every one of these?

 

*Edit* 24 hours has passed. No comments. I guess there is no choice anymore. It will take DAYS to get all this shit straightened out if I do nothing else. Please do comment if you have an idea or solution that could work.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

There is a new project that might be more useful.

At least it is fully customizable and easy to understand and integrate.

 

 

https://ffprofile.com

This works well. But the newest version of FF cannot use all the extensions I am using, so I am sticking to an old profile for the moment.

 

Thank you for the idea. This really is as close to perfect as possible.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.

Share this post


Link to post

I've tried a few different days that ffprofile site and keep getting error 500 (that means it's on their end).  how have y'all been able to get it done?

Share this post


Link to post

I am having hell on the Windows side attempting to get Firefox v42 to accept the user.js file at all. It simply does not ever apply. Yes, I made a new profile and put it in there before it was ever started. I tried restarting repeatedly, but it never even accesses the file.

 

Anyone have any ideas on how to get this working without hoping into about:config and manually adding/changing each and every one of these?

 

I had the same problem.  I couldn't figure out why it was not working.  Then, I noticed on exisiting "default" profile that I did not have a user.js but had something called prefs.  So following are the steps that should work, as it worked for me.

 

1) Find you "user.js" file and save as "prefs.js" file. 

2) Create a new profile.

3) Next, add this "prefs.js" file to the profile.  Make sure you do this before starting Firefox. 

4) Start Firefox using the new profile.  All the changes as shown in "user.js" file should get applied. 

5) You now can add your extension, bookmarks, etc. 

 

I hope this helps.

Share this post


Link to post

This is incredible work!!

 

I've only just been referred to this resource and am still getting my head around it so I apologise if the following question is inappropriate

 

I've been reviewing the recommendations at https://privacytools.io and am wondering if the following additions might be necessary for the latest version of Firefox?

 

user_pref ("privacy.firstparty.isolate", true);

user_pref ("privacy.resistFingerprinting", true);
user_pref ("browser.urlbar.speculativeConnect.enabled", false);
user_pref ("media.gmp-widevinecdm.enabled", false);
user_pref ("media.navigator.enabled", false);
user_pref ("network.http.referer.trimmingPolicy", 2);
user_pref ("network.http.referer.XOriginPolicy", 2);
user_pref ("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref ("browser.sessionstore.privacy_level", 2);

Share this post


Link to post

And you dont have any issues? With such setting aliexpress errors out on payments 

Share this post


Link to post

I do all that kind of stuff using my clearnet identity on Windows in Chrome cos yeah these settings will break a lot of sites that need to, well, compromise your privacy! lol

SWIM (Someone I might know) tells me these settings render a lot of adult content sites inoperable too.

 

And you dont have any issues? With such setting aliexpress errors out on payments 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...