project:spyzilla

Differences

This shows you the differences between two versions of the page.

project:spyzilla [2018/04/05 23:54] – thisisunsafe jendaproject:spyzilla [2022/12/24 16:23] (current) – [Thunderbird] jenda
Line 9: Line 9:
 Check //Advanced → Certificates → Ask me every time//, we really don't want to authenticate to the remote server automatically! [[https://www.reddit.com/r/privacy/comments/3w07kg/doubleclick_tracking_by_ssl_client_certificates/|Exploited in the wild!]] Check //Advanced → Certificates → Ask me every time//, we really don't want to authenticate to the remote server automatically! [[https://www.reddit.com/r/privacy/comments/3w07kg/doubleclick_tracking_by_ssl_client_certificates/|Exploited in the wild!]]
  
-===== Firefox =====+===== Firefox (older versions) =====
  
 This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed: This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed:
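Review bot: the renamed heading "Firefox (older versions)" and the retained sentence "This applies to Firefox <57" agree, but the same sentence goes on to describe starting Firefox 57, which the new heading now excludes from this section; consider putting the bound in the heading itself, e.g. "Firefox (< 57)", so a reader skimming headings knows which section applies to their build.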
Line 16: Line 16:
  
  
-  * Run with parameter -P. Select "Start offline"+  * Run with parameter -P. Select "Start offline". Please note that Firefox at least since version 67 ignore offline parameter for captive portal requests anyway, and perform HTTP requests against detectportal.firefox.com.
   * Visit Preferences. In "Security", turn off "Block reported attack sites" and "Block reported web forgeries"   * Visit Preferences. In "Security", turn off "Block reported attack sites" and "Block reported web forgeries"
   * Uncheck Advanced → Updates   * Uncheck Advanced → Updates
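Review bot: grammar in the added sentence: "Firefox at least since version 67 ignore offline parameter ... and perform HTTP requests" should read "ignores the offline parameter ... and performs HTTP requests". The detectportal.firefox.com requests this sentence describes are the ones the about:config block further down addresses with network.captive-portal-service.enabled = false and captivedetect.canonicalURL = ""; a pointer from this bullet to those keys would save the reader from having to discover the connection.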
Line 64: Line 64:
  
   * Firefox 52 ESR downloads browser.safebrowsing.provider.mozilla.gethashURL even if safe browsing is turned off in Preferences   * Firefox 52 ESR downloads browser.safebrowsing.provider.mozilla.gethashURL even if safe browsing is turned off in Preferences
 +
 +  * Some webpages are blocking pasting of password for "better security", so you cannot use a password manager. Set dom.event.clipboardevents.enabled=false to disable this. This may also mitigate some attacks with clipboard leaking, or [[https://lifepluslinux.blogspot.cz/2017/01/look-before-you-paste-from-website-to.html|replacing content of clipboard with a malicious command]]
  
 See: [[https://github.com/pyllyukko/user.js|Firefox hardening]] See: [[https://github.com/pyllyukko/user.js|Firefox hardening]]
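Review bot: the new bullet should state the side effect of dom.event.clipboardevents.enabled = false: pages stop receiving copy, cut and paste events entirely, so web editors that handle paste themselves (pasting images or formatted text) break, not only the password-paste blockers the bullet is aimed at. The same key is set again in the about:config block below with the comment "Disable clipboard control from JS"; keep the explanation in one place and have the other refer to it.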
Line 74: Line 76:
   * https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/   * https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
   * https://www.ghacks.net/2017/07/13/privacy-blunder-firefox-getaddons-page-google-analytics/   * https://www.ghacks.net/2017/07/13/privacy-blunder-firefox-getaddons-page-google-analytics/
 +
 +===== Firefox (v. 64+ basic setup) Work in Progress =====
 +After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions.
 +
 +XXX TODO: How to get rid of: 
 +
 +
 +  - POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=...&pver=2.2 
 +  - GET https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins?_expected=148.....
 +      (once a day? with a bunch of similar requests)
 +  - GET https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2020-07-06-00-19-31.chain
 +
 +
 +==== Edit -> Preferences ====
 +  * General
 +    * Firefox Updates
 +      * Automatically update search engines -> Off
 +    * Browsing
 +      * Search for text when you start typing -> Off
 +      * Recommend extensions as you browse -> Off
 +  * Privacy & security
 +    * Browser Privacy
 +      * Block trackers -> Always
 +      * Send DNT -> Always
 +    * Firefox Data Collection and Use
 +      * Allow Firefox to install and run studies -> Off
 +      * Allow Firefox to send technical and interaction data -> Off
 +    * Security
 +      * Block dangerous downloads -> off
 +      * Warn about unwanted software -> off
 +      * Block dangerous and deceptive content -> off
 +      * Query OCSP -> off (potentially UNSAFE!)
 +  * Home
 +    * Homepage and new windows -> Blank page
 +    * New tabs -> Blank page
 +
 +
 +==== about:config ====
 +<code>
 +# Autocompletion in url bar should *not* connect to google
 +browser.urlbar.searchSuggestionsChoice = false
 +browser.urlbar.speculativeConnect.enabled = false
 +
 +# localserver in url bar should not be translated to www.localserver.com
 +keyword.enabled = false
 +browser.fixup.alternate.enabled = false
 +
 +# Disable WebRTC
 +media.peerconnection.enabled = false
 +media.peerconnection.video.enabled = false
 +
 +# Disable gmp autoupdate, UNTESTED (disabled at compile-time)
 +media.gmp-manager.url = https://localhost
 +
 +# Disable prefetching
 +network.dns.disablePrefetch = true
 +network.prefetch-next = false
 +
 +# IDN phishing
 +network.IDN_show_punycode = true
 +
 +
 +
 +network.http.referer.hideOnionSource = true
 +
 +# This breaks google docs!
 +network.http.referer.spoofSource = true
 +
 +browser.send_pings = false
 +
 +# Disable clipboard control from JS
 +dom.event.clipboardevents.enabled = false
 +
 +# Disable APIs used for fingerprinting
 +dom.webaudio.enabled = false
 +dom.battery.enabled = false
 +geo.enabled = false
 +
 +media.navigator.enabled = false
 +
 +# Disable captive portal
 +network.captive-portal-service.enabled = false
 +# The key above seems to be ignored in some versions, so remove the captive portal address
 +captivedetect.canonicalURL = ""
 +
 +browser.ping-centre.production.endpoint = ""
 +browser.newtabpage.activity-stream.telemetry.ping.endpoint = ""
 +
 +
 +# https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks
 +privacy.firstparty.isolate = true
 +privacy.resistFingerprinting = true
 +
 +# extension blocklists
 +extensions.blocklist.enabled = false
 +
 +# extensions automatic update
 +extensions.systemAddon.update.enabled = false
 +
 +# disable requests to search.services.mozilla.com/...
 +browser.search.geoSpecific.Defaults = false
 +
 +# https://firefox.settings.services.mozilla.com/v1/buckets settings fetching?
 +services.settings.server = ""
 +
 +# some websocket telemetry
 +dom.push.enabled = false
 +
 +# ?
 +app.normandy.enabled = false
 +
 +# ? investigate GET https://services.addons.mozilla.org/api/v3/addons/search/?guid=defau...
 +
 +extensions.systemAddon.update.enabled = false
 +services.sync.engineStatusChanged.addons = false
 +
 +</code>
 +
 +
  
 ===== Thunderbird ===== ===== Thunderbird =====
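Review bot: extensions.systemAddon.update.enabled = false appears twice in the about:config block (once under "extensions automatic update" and again at the end, next to services.sync.engineStatusChanged.addons); drop the second copy. On the "XXX TODO" list: the first request (shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&...&pver=2.2) has the shape of the Safe Browsing provider update URL, so look at browser.safebrowsing.provider.mozilla.updateURL alongside the gethashURL key already noted under Line 64; note also that "Block trackers -> Always" in the Preferences list depends on lists fetched through that same provider, so that setting and the TODO pull in opposite directions and the page should say which one wins. The second and third requests (firefox.settings.services.mozilla.com and the content-signature chain) are the Remote Settings fetch and the certificate chain used to verify it; the block already sets services.settings.server = "" with a question mark, so the TODO should record whether that key was tested against these two requests. The Security toggles (Block dangerous downloads, Warn about unwanted software, Block dangerous and deceptive content -> off) lower protection in the same way the OCSP line does and deserve the same "potentially UNSAFE" caveat. Finally, privacy.resistFingerprinting changes observable behaviour (UTC timezone, fixed window dimensions, a prompt on canvas reads) and privacy.firstparty.isolate breaks sites that share a login across domains; a one-line warning next to each, like the one on network.http.referer.spoofSource, would help.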
Line 79: Line 200:
 New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline. New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline.
  
 +When you uncheck "Allow Thunderbird to send technical and interaction data to Mozilla", it sends the following request to Mozilla:
 +
 +<code>
 +POST /submit/telemetry/4e0009de-f8dc-4aad-8b07-30011f7622de/deletion-request\
 +/Thunderbird/78.7.1/default/20210203182138?v=4 HTTP/1.1
 +Host: incoming-telemetry.thunderbird.net
 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
 +
 +{
 +  "type": "deletion-request",
 +  "id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX",
 +  "creationDate": "2021-02-10T18:55:32.926Z",
 +  "version": 4,
 +  "application": {
 +    "architecture": "x86-64",
 +    "buildId": "20210203182138",
 +    "name": "Thunderbird",
 +    "version": "78.7.1",
 +    "displayVersion": "78.7.1",
 +    "vendor": "",
 +    "platformVersion": "78.7.0",
 +    "xpcomAbi": "x86_64-gcc3",
 +    "channel": "default"
 +  },
 +  "payload": {
 +    "scalars": {}
 +  },
 +  "clientId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX"
 +}
 +</code>
 +
 +==== Attachments ====
 +
 +When you open an attachment (tested with PDF), the following request is sent, leaking username, profile name, attachment filename and attachment SHA-256 hash (as raw binary data in the middle):
 +
 +<code>
 +POST /safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY% HTTP/1.1
 +Host: sb-ssl.google.com
 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
  
 +00000000  4e 6d 61 69 6c 62 6f 78  3a 2f 2f 2f 68 6f 6d 65  |Nmailbox:///home|
 +00000010  2f 6a 65 6e 64 61 2f 2e  74 68 75 6e 64 65 72 62  |/jenda/.thunderb|
 +00000020  69 72 64 2f XX XX XX XX  XX XX XX XX 2e 64 65 66  |ird/XXXXXXXX.def|
 +00000030  61 75 6c 74 2f 4d 61 69  6c 2f 4c 6f 63 61 6c 25  |ault/Mail/Local%|
 +00000040  32 30 46 6f 6c 64 65 72  73 2f 49 6e 62 6f 78 12  |20Folders/Inbox.|
 +00000050  22 0a 20 ac a6 20 97 00  fa aa c6 15 80 ed b0 be  |". .. ..........|
 +00000060  5d 60 dd 49 64 4d b8 0c  9a e4 af 46 5b b6 ca b4  |]`.IdM.....F[...|
 +00000070  5b 09 e3 18 ff f4 0d 22  52 0a 4e 6d 61 69 6c 62  |[......"R.Nmailb|
 +00000080  6f 78 3a 2f 2f 2f 68 6f  6d 65 2f 6a 65 6e 64 61  |ox:///home/jenda|
 +00000090  2f 2e 74 68 75 6e 64 65  72 62 69 72 64 2f XX XX  |/.thunderbird/XX|
 +000000a0  XX XX XX XX XX XX 2e 64  65 66 61 75 6c 74 2f 4d  |XXXXXX.default/M|
 +000000b0  61 69 6c 2f 4c 6f 63 61  6c 25 32 30 46 6f 6c 64  |ail/Local%20Fold|
 +000000c0  65 72 73 2f 49 6e 62 6f  78 10 00 30 01 4a 25 50  |ers/Inbox..0.J%P|
 +000000d0  6f 74 76 72 7a 65 6e c3  ad 20 6f 62 6a 65 64 6e  |otvrzen.. objedn|
 +000000e0  c3 a1 76 6b 79 20 31 35  31 30 37 35 36 34 2d 31  |..vky 15107564-1|
 +000000f0  2e 70 64 66 50 00 5a 05  65 6e 2d 55 53           |.pdfP.Z.en-US|
 +</code>
 +To disable this, remove browser.safebrowsing.downloads.remote.url in about:config. [[https://searchfox.org/mozilla-central/source/toolkit/components/reputationservice/ApplicationReputation.cpp#1564|Link to source where this happens.]]
 ===== Firefox for Android ===== ===== Firefox for Android =====
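Review bot: the text should say what the Thunderbird request is: a "deletion-request" ping is the one-off message sent when telemetry is switched off, asking Mozilla to delete data previously collected under that clientId, so it is not telemetry continuing after the opt-out, though it still discloses the clientId, build id and platform details shown in the body. In the Attachments section, the hexdump is a protobuf ClientDownloadRequest: the 32 bytes following the "0a 20" prefix at offset 0x51 are the SHA-256 digest the prose mentions, the "Nmailbox:///home/jenda/..." strings carry the profile path and username, and the "en-US" tail is the locale; pointing these out would make the "leaking username, profile name, attachment filename and SHA-256 hash" claim verifiable from the dump. For the fix, removing browser.safebrowsing.downloads.remote.url works, but browser.safebrowsing.downloads.remote.enabled = false is the switch that governs whether the remote lookup is attempted at all, and is the more robust setting to recommend first.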
  
project/spyzilla.1522972445.txt.gz · Last modified: 2018/04/05 23:54 by jenda