Differences

This shows you the differences between two versions of the page.

--- project:spyzilla [2018/02/17 15:34] – info on how to override HSTS jenda
+++ project:spyzilla [2021/08/07 04:35] – [Thunderbird] update source code line jenda
@@ Line 9: / Line 9: @@
 Check //Advanced → Certificates → Ask me every time//, we really don't want to authenticate to the remote server automatically! [[https://www.reddit.com/r/privacy/comments/3w07kg/doubleclick_tracking_by_ssl_client_certificates/|Exploited in the wild!]]
-===== Firefox =====
+===== Firefox (older versions) =====
 This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed:
@@ Line 16: / Line 16: @@
-  * Run with parameter -P. Select "Start offline"
+  * Run with parameter -P. Select "Start offline". Please note that Firefox at least since version 67 ignore offline parameter for captive portal requests anyway, and perform HTTP requests against detectportal.firefox.com.
   * Visit Preferences. In "Security", turn off "Block reported attack sites" and "Block reported web forgeries"
   * Uncheck Advanced → Updates
@@ Line 57: / Line 57: @@
     * You can override it by adding test.currentTimeOffsetSeconds (integer) = 11491200
     * And in Chrome, you can override it by typing "badidea" on the error page
+      * or "thisisunsafe" in newer (2018-03) versions of Chrome
     * Neither it seems to be possible to override [[https://www.grc.com/revocation.htm|revoked certificate]]
   * The webpage can detect that [[https://stackoverflow.com/questions/7798748/find-out-whether-chrome-console-is-open|element inspector is opened]]. This should be possible to disable too…
@@ Line 63: / Line 64: @@
   * Firefox 52 ESR downloads browser.safebrowsing.provider.mozilla.gethashURL even if safe browsing is turned off in Preferences
+  * Some webpages are blocking pasting of password for "better security", so you cannot use a password manager. Set dom.event.clipboardevents.enabled=false to disable this. This may also mitigate some attacks with clipboard leaking, or [[https://lifepluslinux.blogspot.cz/2017/01/look-before-you-paste-from-website-to.html|replacing content of clipboard with a malicious command]]
 See: [[https://github.com/pyllyukko/user.js|Firefox hardening]]
@@ Line 73: / Line 76: @@
   * https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
   * https://www.ghacks.net/2017/07/13/privacy-blunder-firefox-getaddons-page-google-analytics/
+===== Firefox (v. 64+ basic setup) Work in Progress =====
+After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions.
+XXX TODO: How to get rid of:
+  - POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=...&pver=2.2
+  - GET https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins?_expected=148.....
+      (once a day? with a bunch of similar requests)
+  - GET https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-07-06-00-19-31.chain
+==== Edit -> Preferences ====
+  * General
+    * Firefox Updates
+      * Automatically update search engines -> Off
+    * Browsing
+      * Search for text when you start typing -> Off
+      * Recommend extensions as you browse -> Off
+  * Privacy & security
+    * Browser Privacy
+      * Block trackers -> Always
+      * Send DNT -> Always
+    * Firefox Data Collection and Use
+      * Allow Firefox to install and run studies -> Off
+      * Allow Firefox to send technical and interaction data -> Off
+    * Security
+      * Block dangerous downloads -> off
+      * Warn about unwanted software -> off
+      * Block dangerous and deceptive content -> off
+      * Query OCSP -> off (potentially UNSAFE!)
+  * Home
+    * Homepage and new windows -> Blank page
+    * New tabs -> Blank page
+==== about:config ====
+<code>
+# Autocompletion in url bar should *not* connect to google
+browser.urlbar.searchSuggestionsChoice = false
+browser.urlbar.speculativeConnect.enabled = false
+# localserver in url bar should not be translated to www.localserver.com
+keyword.enabled = false
+browser.fixup.alternate.enabled = false
+# Disable WebRTC
+media.peerconnection.enabled = false
+media.peerconnection.video.enabled = false
+# Disable gmp autoupdate, UNTESTED (disabled at compile-time)
+media.gmp-manager.url = https://localhost
+# Disable prefetching
+network.dns.disablePrefetch = true
+network.prefetch-next = false
+# IDN phishing
+network.IDN_show_punycode = true
+network.http.referer.hideOnionSource = true
+# This breaks google docs!
+network.http.referer.spoofSource = true
+browser.send_pings = false
+# Disable clipboard control from JS
+dom.event.clipboardevents.enabled = false
+# Disable APIs used for fingerprinting
+dom.webaudio.enabled = false
+dom.battery.enabled = false
+geo.enabled = false
+media.navigator.enabled = false
+# Disable captive portal
+network.captive-portal-service.enabled = false
+# The key above seems to be ignored in some versions, so remove the captive portal address
+captivedetect.canonicalURL = ""
+browser.ping-centre.production.endpoint = ""
+browser.newtabpage.activity-stream.telemetry.ping.endpoint = ""
+# https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
+privacy.firstparty.isolate = true
+privacy.resistFingerprinting = true
+# extension blocklists
+extensions.blocklist.enabled = false
+# extensions automatic update
+extensions.systemAddon.update.enabled = false
+# disable requests to search.services.mozilla.com/...
+browser.search.geoSpecific.Defaults = false
+# https://firefox.settings.services.mozilla.com/v1/buckets settings fetching?
+services.settings.server = ""
+# some websocket telemetry
+dom.push.enabled = false
+# ?
+app.normandy.enabled = false
+# ? investigate GET https://services.addons.mozilla.org/api/v3/addons/search/?guid=defau...
+#
+extensions.systemAddon.update.enabled = false
+services.sync.engineStatusChanged.addons = false
+</code>
 ===== Thunderbird =====
@@ Line 78: / Line 200: @@
 New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline.
+When you uncheck "Allow Thunderbird to send technical and interaction data to Mozilla", it sends the following request to Mozilla:
+<code>
+POST /submit/telemetry/4e0009de-f8dc-4aad-8b07-30011f7622de/deletion-request\
+/Thunderbird/78.7.1/default/20210203182138?v=4 HTTP/1.1
+Host: incoming-telemetry.thunderbird.net
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
+{
+  "type": "deletion-request",
+  "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
+  "creationDate": "2021-02-10T18:55:32.926Z",
+  "version": 4,
+  "application": {
+    "architecture": "x86-64",
+    "buildId": "20210203182138",
+    "name": "Thunderbird",
+    "version": "78.7.1",
+    "displayVersion": "78.7.1",
+    "vendor": "",
+    "platformVersion": "78.7.0",
+    "xpcomAbi": "x86_64-gcc3",
+    "channel": "default"
+  },
+  "payload": {
+    "scalars": {}
+  },
+  "clientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
+}
+</code>
+When you open an attachment (tested with PDF), the following request is sent, leaking username, profile name, attachment filename and attachment SHA-256 hash (as raw binary data in the middle):
+<code>
+POST /safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY% HTTP/1.1
+Host: sb-ssl.google.com
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
+00000000  4e 6d 61 69 6c 62 6f 78  3a 2f 2f 2f 68 6f 6d 65  |Nmailbox:///home|
+00000010  2f 6a 65 6e 64 61 2f 2e  74 68 75 6e 64 65 72 62  |/jenda/.thunderb|
+00000020  69 72 64 2f XX XX XX XX  XX XX XX XX 2e 64 65 66  |ird/XXXXXXXX.def|
+00000030  61 75 6c 74 2f 4d 61 69  6c 2f 4c 6f 63 61 6c 25  |ault/Mail/Local%|
+00000040  32 30 46 6f 6c 64 65 72  73 2f 49 6e 62 6f 78 12  |20Folders/Inbox.|
+00000050  22 0a 20 ac a6 20 97 00  fa aa c6 15 80 ed b0 be  |". .. ..........|
+00000060  5d 60 dd 49 64 4d b8 0c  9a e4 af 46 5b b6 ca b4  |]`.IdM.....F[...|
+00000070  5b 09 e3 18 ff f4 0d 22  52 0a 4e 6d 61 69 6c 62  |[......"R.Nmailb|
+00000080  6f 78 3a 2f 2f 2f 68 6f  6d 65 2f 6a 65 6e 64 61  |ox:///home/jenda|
+00000090  2f 2e 74 68 75 6e 64 65  72 62 69 72 64 2f XX XX  |/.thunderbird/XX|
+a0  XX XX XX XX XX XX 2e 64  65 66 61 75 6c 74 2f 4d  |XXXXXX.default/M|
+b0  61 69 6c 2f 4c 6f 63 61  6c 25 32 30 46 6f 6c 64  |ail/Local%20Fold|
+c0  65 72 73 2f 49 6e 62 6f  78 10 00 30 01 4a 25 50  |ers/Inbox..0.J%P|
+d0  6f 74 76 72 7a 65 6e c3  ad 20 6f 62 6a 65 64 6e  |otvrzen.. objedn|
+e0  c3 a1 76 6b 79 20 31 35  31 30 37 35 36 34 2d 31  |..vky 15107564-1|
+f0  2e 70 64 66 50 00 5a 05  65 6e 2d 55 53           |.pdfP.Z.en-US|
+</code>
+To disable this, remove browser.safebrowsing.downloads.remote.url in about:config. [[https://searchfox.org/mozilla-central/source/toolkit/components/reputationservice/ApplicationReputation.cpp#1564|Link to source where this happens.]]
 ===== Firefox for Android =====