project:spyzilla
Differences
This shows you the differences between two versions of the page.
project:spyzilla [2018/05/08 14:52] – [Firefox] jenda | project:spyzilla [2022/12/24 16:23] (current) – [Thunderbird] jenda | ||
---|---|---|---|
Line 9: | Line 9: | ||
Check //Advanced → Certificates → Ask me every time//, we really don't want to authenticate to the remote server automatically! [[https:// | Check //Advanced → Certificates → Ask me every time//, we really don't want to authenticate to the remote server automatically! [[https:// | ||
- | ===== Firefox ===== | + | ===== Firefox |
This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed: | This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed: | ||
Line 16: | Line 16: | ||
- | * Run with parameter -P. Select "Start offline" | + | * Run with parameter -P. Select "Start offline" |
* Visit Preferences. In " | * Visit Preferences. In " | ||
* Uncheck Advanced → Updates | * Uncheck Advanced → Updates | ||
Line 76: | Line 76: | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
+ | |||
+ | ===== Firefox (v. 64+ basic setup) Work in Progress ===== | ||
+ | After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions. | ||
+ | |||
+ | XXX TODO: How to get rid of: | ||
+ | |||
+ | |||
+ | - POST https:// | ||
+ | - GET https:// | ||
+ | (once a day? with a bunch of similar requests) | ||
+ | - GET https:// | ||
+ | |||
+ | |||
+ | ==== Edit -> Preferences ==== | ||
+ | * General | ||
+ | * Firefox Updates | ||
+ | * Automatically update search engines -> Off | ||
+ | * Browsing | ||
+ | * Search for text when you start typing -> Off | ||
+ | * Recommend extensions as you browse -> Off | ||
+ | * Privacy & security | ||
+ | * Browser Privacy | ||
+ | * Block trackers -> Always | ||
+ | * Send DNT -> Always | ||
+ | * Firefox Data Collection and Use | ||
+ | * Allow Firefox to install and run studies -> Off | ||
+ | * Allow Firefox to send technical and interaction data -> Off | ||
+ | * Security | ||
+ | * Block dangerous downloads -> off | ||
+ | * Warn about unwanted software -> off | ||
+ | * Block dangerous and deceptive content -> off | ||
+ | * Query OCSP -> off (potentially UNSAFE!) | ||
+ | * Home | ||
+ | * Homepage and new windows -> Blank page | ||
+ | * New tabs -> Blank page | ||
+ | |||
+ | |||
+ | ==== about: | ||
+ | < | ||
+ | # Autocompletion in url bar should *not* connect to google | ||
+ | browser.urlbar.searchSuggestionsChoice = false | ||
+ | browser.urlbar.speculativeConnect.enabled = false | ||
+ | |||
+ | # localserver in url bar should not be translated to www.localserver.com | ||
+ | keyword.enabled = false | ||
+ | browser.fixup.alternate.enabled = false | ||
+ | |||
+ | # Disable WebRTC | ||
+ | media.peerconnection.enabled = false | ||
+ | media.peerconnection.video.enabled = false | ||
+ | |||
+ | # Disable gmp autoupdate, UNTESTED (disabled at compile-time) | ||
+ | media.gmp-manager.url = https:// | ||
+ | |||
+ | # Disable prefetching | ||
+ | network.dns.disablePrefetch = true | ||
+ | network.prefetch-next = false | ||
+ | |||
+ | # IDN phishing | ||
+ | network.IDN_show_punycode = true | ||
+ | |||
+ | |||
+ | |||
+ | network.http.referer.hideOnionSource = true | ||
+ | |||
+ | # This breaks google docs! | ||
+ | network.http.referer.spoofSource = true | ||
+ | |||
+ | browser.send_pings = false | ||
+ | |||
+ | # Disable clipboard control from JS | ||
+ | dom.event.clipboardevents.enabled = false | ||
+ | |||
+ | # Disable APIs used for fingerprinting | ||
+ | dom.webaudio.enabled = false | ||
+ | dom.battery.enabled = false | ||
+ | geo.enabled = false | ||
+ | |||
+ | media.navigator.enabled = false | ||
+ | |||
+ | # Disable captive portal | ||
+ | network.captive-portal-service.enabled = false | ||
+ | # The key above seems to be ignored in some versions, so remove the captive portal address | ||
+ | captivedetect.canonicalURL = "" | ||
+ | |||
+ | browser.ping-centre.production.endpoint = "" | ||
+ | browser.newtabpage.activity-stream.telemetry.ping.endpoint = "" | ||
+ | |||
+ | |||
+ | # https:// | ||
+ | privacy.firstparty.isolate = true | ||
+ | privacy.resistFingerprinting = true | ||
+ | |||
+ | # extension blocklists | ||
+ | extensions.blocklist.enabled = false | ||
+ | |||
+ | # extensions automatic update | ||
+ | extensions.systemAddon.update.enabled = false | ||
+ | |||
+ | # disable requests to search.services.mozilla.com/ | ||
+ | browser.search.geoSpecific.Defaults = false | ||
+ | |||
+ | # https:// | ||
+ | services.settings.server = "" | ||
+ | |||
+ | # some websocket telemetry | ||
+ | dom.push.enabled = false | ||
+ | |||
+ | # ? | ||
+ | app.normandy.enabled = false | ||
+ | |||
+ | # ? investigate GET https:// | ||
+ | # | ||
+ | extensions.systemAddon.update.enabled = false | ||
+ | services.sync.engineStatusChanged.addons = false | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
===== Thunderbird ===== | ===== Thunderbird ===== | ||
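Review bot: In the Security list under "Privacy & security", only "Query OCSP -> off" carries the "(potentially UNSAFE!)" warning, yet "Block dangerous downloads -> off", "Warn about unwanted software -> off", "Block dangerous and deceptive content -> off" and, in the about:config block, extensions.blocklist.enabled = false also switch off a protective check in exchange for fewer outgoing requests. Mark each of them the same way, so a reader copying the list sees which lines cost security and can decide per item. In the about:config block, extensions.systemAddon.update.enabled = false appears twice (under "extensions automatic update" and again under the "? investigate GET" comment); drop the second copy. Check browser.search.geoSpecific.Defaults against about:config: the preference Firefox ships is spelled browser.search.geoSpecificDefaults, and a misspelled name only creates a new preference that nothing reads. network.http.referer.hideOnionSource, browser.send_pings and media.navigator.enabled have no comment saying which request or API they suppress, unlike the neighbouring entries.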
Line 81: | Line 200: | ||
New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline. | New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline. | ||
+ | When you uncheck "Allow Thunderbird to send technical and interaction data to Mozilla", | ||
+ | |||
+ | < | ||
+ | POST / | ||
+ | / | ||
+ | Host: incoming-telemetry.thunderbird.net | ||
+ | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/ | ||
+ | |||
+ | { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | }, | ||
+ | " | ||
+ | " | ||
+ | }, | ||
+ | " | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== Attachments ==== | ||
+ | |||
+ | When you open an attachment (tested with PDF), the following request is sent, leaking username, profile name, attachment filename and attachment SHA-256 hash (as raw binary data in the middle): | ||
+ | |||
+ | < | ||
+ | POST / | ||
+ | Host: sb-ssl.google.com | ||
+ | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/ | ||
+ | 00000000 | ||
+ | 00000010 | ||
+ | 00000020 | ||
+ | 00000030 | ||
+ | 00000040 | ||
+ | 00000050 | ||
+ | 00000060 | ||
+ | 00000070 | ||
+ | 00000080 | ||
+ | 00000090 | ||
+ | 000000a0 | ||
+ | 000000b0 | ||
+ | 000000c0 | ||
+ | 000000d0 | ||
+ | 000000e0 | ||
+ | 000000f0 | ||
+ | </ | ||
+ | To disable this, remove browser.safebrowsing.downloads.remote.url in about: | ||
===== Firefox for Android ===== | ===== Firefox for Android ===== | ||
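Review bot: The closing line of the new Attachments section ("To disable this, remove browser.safebrowsing.downloads.remote.url ...") gives the fix without its cost. Per the preference name and the sb-ssl.google.com host, this request is the remote Safe Browsing check on the opened attachment, and clearing the URL ends that check together with the leak. Say so next to the instruction, the way the Firefox section marks "Query OCSP -> off" as potentially unsafe. The tested Thunderbird version is visible only as rv:78.0 in the two User-Agent lines; state it in the prose of both new paragraphs, since the behaviour may differ between releases. The telemetry paragraph shows the request to incoming-telemetry.thunderbird.net but, unlike the Attachments section, the visible lines name no setting that stops it; add one, or an explicit TODO as the Firefox section does with "XXX TODO".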
project/spyzilla.1525791121.txt.gz · Last modified: 2018/05/08 14:52 by jenda