[[Spyzilla]]
 

Spyzilla

Mozilla products by default send some information to NSA. This guide will show you how to change these settings to other secret service of your choice or how to turn them off completely.

See also list of other applications that do not respect privacy.

Client certificates

Check Advanced → Certificates → Ask me every time, we really don't want to authenticate to the remote server automatically! Exploited in the wild!

Firefox (older versions)

This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed:

  • Run with parameter -P. Select “Start offline”. Please note that Firefox at least since version 67 ignore offline parameter for captive portal requests anyway, and perform HTTP requests against detectportal.firefox.com.
  • Visit Preferences. In “Security”, turn off “Block reported attack sites” and “Block reported web forgeries”
  • Uncheck Advanced → Updates
  • Uncheck Advanced → Certificates → Validation → OCSP (of course this disables fetching certificate revocation info - be sure you know what are you doing)
  • Visit about:config. Set extensions.blocklist.enabled = false.
  • Search for “http”. Change all URLs to nsalitomerice.cz, localhost or other secret service of your choice.
  • Unfortunately, Firefox will still download favicons from Google, Yahoo and Mibbit (incl. cookies) when browsing Preferences in a certain way. Bugreport pending.
  • Since FF 32, on Windows, hashes of certain downloaded files are sent to Google. This can be disabled by the aforementioned settings. 1, 2
  • If you want to test this with an intercepting proxy, make sure you have security.cert_pinning.enforcement_level 0 or 1
  • Disable automatic resolving of local names and URL-like patters: set browser.fixup.alternate.enabled and keyword.enabled to false. PT
  • media.peerconnection.enabled: false (enumhosts, mirror)

  • Every time you open new window, Firefox posts your system information to Mozilla, e.g. this one. This can be avoided by aforementioned URL settings or by setting homepage to about:blank.
  • Yes, we have API for manipulating browser history. I have no idea if something interesting can be done with it. See browser.history.allow* in about:config.
    • Setting this to False breaks webpages, known problems are with zbozi.cz and mapy.cz.
  • Files in local filesystem can read files in current directory and post them to a remote server.
    • Download this image to your home directory and open it in Firefox.
  • HSTS settings cannot be overriden (the decision can be hand-deleted from SiteSecurityServiceState.txt when Firefox is not running (otherwise the file is immediately overwritten), however, if the page sends further broken HSTS headers, subsequent requests will fail anyway). This is in compliance with RFC 6797, section 12.1. NSA Litoměřice believes that this is one of RFCs that are badly designed and should be ignored (the other being e.g. RFC 826, which we describe here)
    • You can override it by adding test.currentTimeOffsetSeconds (integer) = 11491200
    • And in Chrome, you can override it by typing “badidea” on the error page
      • or “thisisunsafe” in newer (2018-03) versions of Chrome
    • Neither it seems to be possible to override revoked certificate
  • The webpage can detect that element inspector is opened. This should be possible to disable too…
  • Recommended: network.IDN_show_punycode = true (more info)
  • Firefox 52 ESR downloads browser.safebrowsing.provider.mozilla.gethashURL even if safe browsing is turned off in Preferences
  • Some webpages are blocking pasting of password for “better security”, so you cannot use a password manager. Set dom.event.clipboardevents.enabled=false to disable this. This may also mitigate some attacks with clipboard leaking, or replacing content of clipboard with a malicious command

See: Firefox hardening

See also this guide. I have downloaded it from an onion service and put it here for those who don't have access to the darknet.

To be investigated:

Firefox (v. 64+ basic setup) Work in Progress

After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions.

XXX TODO: How to get rid of:

(once a day? with a bunch of similar requests)

Edit -> Preferences

  • General
    • Firefox Updates
      • Automatically update search engines → Off
    • Browsing
      • Search for text when you start typing → Off
      • Recommend extensions as you browse → Off
  • Privacy & security
    • Browser Privacy
      • Block trackers → Always
      • Send DNT → Always
    • Firefox Data Collection and Use
      • Allow Firefox to install and run studies → Off
      • Allow Firefox to send technical and interaction data → Off
    • Security
      • Block dangerous downloads → off
      • Warn about unwanted software → off
      • Block dangerous and deceptive content → off
      • Query OCSP → off (potentially UNSAFE!)
  • Home
    • Homepage and new windows → Blank page
    • New tabs → Blank page

about:config

# Autocompletion in url bar should *not* connect to google
browser.urlbar.searchSuggestionsChoice = false
browser.urlbar.speculativeConnect.enabled = false

# localserver in url bar should not be translated to www.localserver.com
keyword.enabled = false
browser.fixup.alternate.enabled = false

# Disable WebRTC
media.peerconnection.enabled = false
media.peerconnection.video.enabled = false

# Disable gmp autoupdate, UNTESTED (disabled at compile-time)
media.gmp-manager.url = https://localhost

# Disable prefetching
network.dns.disablePrefetch = true
network.prefetch-next = false

# IDN phishing
network.IDN_show_punycode = true



network.http.referer.hideOnionSource = true

# This breaks google docs!
network.http.referer.spoofSource = true

browser.send_pings = false

# Disable clipboard control from JS
dom.event.clipboardevents.enabled = false

# Disable APIs used for fingerprinting
dom.webaudio.enabled = false
dom.battery.enabled = false
geo.enabled = false

media.navigator.enabled = false

# Disable captive portal
network.captive-portal-service.enabled = false
# The key above seems to be ignored in some versions, so remove the captive portal address
captivedetect.canonicalURL = ""

browser.ping-centre.production.endpoint = ""
browser.newtabpage.activity-stream.telemetry.ping.endpoint = ""


# https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true

# extension blocklists
extensions.blocklist.enabled = false

# extensions automatic update
extensions.systemAddon.update.enabled = false

# disable requests to search.services.mozilla.com/...
browser.search.geoSpecific.Defaults = false

# https://firefox.settings.services.mozilla.com/v1/buckets settings fetching?
services.settings.server = ""

# some websocket telemetry
dom.push.enabled = false

# ?
app.normandy.enabled = false

# ? investigate GET https://services.addons.mozilla.org/api/v3/addons/search/?guid=defau...
# 
extensions.systemAddon.update.enabled = false
services.sync.engineStatusChanged.addons = false

Thunderbird

New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline.

Firefox for Android

Checks for updates even when the main app is not running. Same as described here.

This update checking does not respect network.proxy.http settings, but connect straight to the network, i.e., a standard intercepting proxy setup won't see it, it won't go through Tor etc.

 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki