Spyzilla
Client certificates
Check Advanced → Certificates → Ask me every time, we really don't want to authenticate to the remote server automatically! Exploited in the wild!
Firefox (older versions)
This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed:
Run with parameter -P. Select “Start offline”. Please note that Firefox at least since version 67 ignore offline parameter for captive portal requests anyway, and perform HTTP requests against detectportal.firefox.com.
Visit Preferences. In “Security”, turn off “Block reported attack sites” and “Block reported web forgeries”
Uncheck Advanced → Updates
Uncheck Advanced → Certificates → Validation → OCSP (of course this disables fetching certificate revocation info - be sure you know what are you doing)
Visit about:config. Set extensions.blocklist.enabled = false.
Search for “http”. Change all URLs to nsalitomerice.cz, localhost or other secret service of your choice.
Unfortunately, Firefox will still download favicons from Google, Yahoo and Mibbit (incl. cookies) when browsing Preferences in a certain way.
Bugreport pending.
Since FF 32, on Windows, hashes of certain downloaded files are sent to Google. This can be disabled by the aforementioned settings.
1,
2
-
Disable automatic resolving of local names and
URL-like patters: set browser.fixup.alternate.enabled and keyword.enabled to false.
PT
-
-
-
media.gmp-gmpopenh264.enabled does not help and media.gmp-gmpopenh264.autoupdate does note exist anymore. Try setting media.gmp-manager.lastCheck to the future and media.gmp-manager.url to some non-existent
URL.
-
-
However, in version 57, another DRM backdoor is downloaded on all platforms.
How to disable.
Every time you open new window, Firefox posts your system information to Mozilla, e.g.
this one. This can be avoided by aforementioned
URL settings or by setting homepage to about:blank.
HSTS settings cannot be overriden (the decision can be hand-deleted from SiteSecurityServiceState.txt when Firefox is not running (otherwise the file is immediately overwritten), however, if the page sends further broken HSTS headers, subsequent requests will fail anyway). This is in compliance with
RFC 6797, section 12.1. NSA Litoměřice believes that this is one of RFCs that are badly designed and should be ignored (the other being e.g.
RFC 826, which we describe
here)
You can override it by adding test.currentTimeOffsetSeconds (integer) = 11491200
And in Chrome, you can override it by typing “badidea” on the error page
-
-
Recommended: network.IDN_show_punycode = true (
more info)
Some webpages are blocking pasting of password for “better security”, so you cannot use a password manager. Set dom.event.clipboardevents.enabled=false to disable this. This may also mitigate some attacks with clipboard leaking, or
replacing content of clipboard with a malicious command
See: Firefox hardening
See also this guide. I have downloaded it from an onion service and put it here for those who don't have access to the darknet.
To be investigated:
Firefox (v. 64+ basic setup) Work in Progress
After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions.
XXX TODO: How to get rid of:
-
-
(once a day? with a bunch of similar requests)
-
Edit -> Preferences
General
Privacy & security
Home
about:config
# Autocompletion in url bar should *not* connect to google
browser.urlbar.searchSuggestionsChoice = false
browser.urlbar.speculativeConnect.enabled = false
# localserver in url bar should not be translated to www.localserver.com
keyword.enabled = false
browser.fixup.alternate.enabled = false
# Disable WebRTC
media.peerconnection.enabled = false
media.peerconnection.video.enabled = false
# Disable gmp autoupdate, UNTESTED (disabled at compile-time)
media.gmp-manager.url = https://localhost
# Disable prefetching
network.dns.disablePrefetch = true
network.prefetch-next = false
# IDN phishing
network.IDN_show_punycode = true
network.http.referer.hideOnionSource = true
# This breaks google docs!
network.http.referer.spoofSource = true
browser.send_pings = false
# Disable clipboard control from JS
dom.event.clipboardevents.enabled = false
# Disable APIs used for fingerprinting
dom.webaudio.enabled = false
dom.battery.enabled = false
geo.enabled = false
media.navigator.enabled = false
# Disable captive portal
network.captive-portal-service.enabled = false
# The key above seems to be ignored in some versions, so remove the captive portal address
captivedetect.canonicalURL = ""
browser.ping-centre.production.endpoint = ""
browser.newtabpage.activity-stream.telemetry.ping.endpoint = ""
# https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
# extension blocklists
extensions.blocklist.enabled = false
# extensions automatic update
extensions.systemAddon.update.enabled = false
# disable requests to search.services.mozilla.com/...
browser.search.geoSpecific.Defaults = false
# https://firefox.settings.services.mozilla.com/v1/buckets settings fetching?
services.settings.server = ""
# some websocket telemetry
dom.push.enabled = false
# ?
app.normandy.enabled = false
# ? investigate GET https://services.addons.mozilla.org/api/v3/addons/search/?guid=defau...
#
extensions.systemAddon.update.enabled = false
services.sync.engineStatusChanged.addons = false
Thunderbird
New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline.
When you uncheck “Allow Thunderbird to send technical and interaction data to Mozilla”, it sends the following request to Mozilla:
POST /submit/telemetry/4e0009de-f8dc-4aad-8b07-30011f7622de/deletion-request\
/Thunderbird/78.7.1/default/20210203182138?v=4 HTTP/1.1
Host: incoming-telemetry.thunderbird.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
{
"type": "deletion-request",
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
"creationDate": "2021-02-10T18:55:32.926Z",
"version": 4,
"application": {
"architecture": "x86-64",
"buildId": "20210203182138",
"name": "Thunderbird",
"version": "78.7.1",
"displayVersion": "78.7.1",
"vendor": "",
"platformVersion": "78.7.0",
"xpcomAbi": "x86_64-gcc3",
"channel": "default"
},
"payload": {
"scalars": {}
},
"clientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
}
Attachments
When you open an attachment (tested with PDF), the following request is sent, leaking username, profile name, attachment filename and attachment SHA-256 hash (as raw binary data in the middle):
POST /safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY% HTTP/1.1
Host: sb-ssl.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
00000000 4e 6d 61 69 6c 62 6f 78 3a 2f 2f 2f 68 6f 6d 65 |Nmailbox:///home|
00000010 2f 6a 65 6e 64 61 2f 2e 74 68 75 6e 64 65 72 62 |/jenda/.thunderb|
00000020 69 72 64 2f XX XX XX XX XX XX XX XX 2e 64 65 66 |ird/XXXXXXXX.def|
00000030 61 75 6c 74 2f 4d 61 69 6c 2f 4c 6f 63 61 6c 25 |ault/Mail/Local%|
00000040 32 30 46 6f 6c 64 65 72 73 2f 49 6e 62 6f 78 12 |20Folders/Inbox.|
00000050 22 0a 20 ac a6 20 97 00 fa aa c6 15 80 ed b0 be |". .. ..........|
00000060 5d 60 dd 49 64 4d b8 0c 9a e4 af 46 5b b6 ca b4 |]`.IdM.....F[...|
00000070 5b 09 e3 18 ff f4 0d 22 52 0a 4e 6d 61 69 6c 62 |[......"R.Nmailb|
00000080 6f 78 3a 2f 2f 2f 68 6f 6d 65 2f 6a 65 6e 64 61 |ox:///home/jenda|
00000090 2f 2e 74 68 75 6e 64 65 72 62 69 72 64 2f XX XX |/.thunderbird/XX|
000000a0 XX XX XX XX XX XX 2e 64 65 66 61 75 6c 74 2f 4d |XXXXXX.default/M|
000000b0 61 69 6c 2f 4c 6f 63 61 6c 25 32 30 46 6f 6c 64 |ail/Local%20Fold|
000000c0 65 72 73 2f 49 6e 62 6f 78 10 00 30 01 4a 25 50 |ers/Inbox..0.J%P|
000000d0 6f 74 76 72 7a 65 6e c3 ad 20 6f 62 6a 65 64 6e |otvrzen.. objedn|
000000e0 c3 a1 76 6b 79 20 31 35 31 30 37 35 36 34 2d 31 |..vky 15107564-1|
000000f0 2e 70 64 66 50 00 5a 05 65 6e 2d 55 53 |.pdfP.Z.en-US|
To disable this, remove browser.safebrowsing.downloads.remote.url in about:config. Link to source where this happens.
Firefox for Android
Checks for updates even when the main app is not running. Same as described here.
This update checking does not respect network.proxy.http settings, but connect straight to the network, i.e., a standard intercepting proxy setup won't see it, it won't go through Tor etc.