[ale] nailing down firefox security and privacy - PT 1
Ron Frazier
atllinuxenthinfo at c3energy.com
Tue Oct 11 17:38:01 EDT 2011
Hello all,
I've been spending a good bit of time recently upgrading and configuring
Firefox because Pandora decided it wasn't going to work after an upgrade
they did. I was on Firefox 3.2.? and was holding back upgrading because
of some UI changes in the new Firefox as well as some plugin
compatibility problems. Eventually, I had to bite the bullet and
upgrade. As I've mentioned in other posts, I like to keep my shields at
the paranoid level, whether I'm running Windows or Linux. In fact, I
run my Firefox configurations exactly the same on both systems, so this
applies to this group. There are a number of security and privacy
settings which come into play with Firefox, and it's not always obvious
how to set them. I'm going to explain how I set mine up in order to
maintain a high level of security as well as a decent level of
functionality. There are also a number of handy plugins which I will
explain. Hopefully, the research I've done will help others who want to
keep their shields high. Some of you may already know this stuff, but
some others probably don't. I have to relate a number of options
settings. This will be a bit difficult in text, but bear with me.
So I don't hit the character limit of the message board, I'm breaking
this into 4 parts as follows.
Part 1 - Firefox security and privacy settings
Part 2 - NoScript and Ghostery plugins
Part 3 - Flash settings and Better Privacy plugin
Part 4 - Allowing persistence for some sites
While not directly related to Firefox, I strongly recommend using the
OpenDNS ( http://opendns.com ) system to resolve your domain names.
They automatically apply phishing protection to all DNS queries as far
as I know. If you desire to, you can also filter certain sites based on
category. So, for example, you could prohibit domains from being
resolved to porn sites. This is about 95% effective. No blacklist
database is perfect. You can program their DNS server addresses at two
levels. The first is within your home router's control panel. That
would route all DNS queries through OpenDNS that go through the router,
assuming your PC is using it as the default gateway. The other place
you can set the DNS servers is in the network configuration of the
computer itself. I would do both. That way, when you're away from your
home router, your PC will still use the OpenDNS system. You won't get
content filtering, which is based on IP address, but you will still get
phishing protection. In your network configuration screen or file, you
can set each network port to use the OpenDNS servers. In Ubuntu, I
believe that each physical LAN port has a place to set this. It also
appears that each separate wifi connection has its own settings, so
each time you add a new wifi connection, you have to set the preferred
DNS servers if I'm not mistaken.
Now, on to Firefox. The latest version is 7.0.1. You should have this
or later once you upgrade or install anew. They've been ramping the
versions up very fast lately. The big thing in UI design these days
seems to be to eliminate the menus. Personally, I hate this design.
So, the first thing I do in this case is to turn the menus back on.
Firefox will have a little orange "Firefox" button in the upper left.
Click that, hover over options, and check menu bar to turn it on. You
should now have a menu. You can select help, about to check the version
number. In some systems, you will see a check for updates button in
this window. Click View, hover over toolbars, and turn on the Add-on
bar, if it's not already on. You can rearrange buttons in Firefox by
clicking on the empty area to the right of the menu and clicking
customize. You can then move things like the back and forward buttons
around, or drag things from the dialog box to the menu areas or add-on bar.
My objective is to configure Firefox so there is no unauthorized
scripting, little or no unauthorized tracking, little or no unauthorized
storage of information on my PC, and no unauthorized pop-ups. A new
installation of Firefox should not have any accumulated history.
However, an upgrade might. If you want to start with a clean slate,
clear all your history as follows. Click Tools, click Clear Recent
History, select Everything in the drop down box. Below, you can observe
check marks which show what will be cleared. All should be checked.
Click Clear Now. Note, if some of the sites you've been using depend on
history or preferences, you'll have to reset them.
I want websites to be relatively secure and private, but I want the web
to function. I do allow session cookies. In the past, I would have
Firefox clear all history on exit. However, this causes problems with
sites which need persistent data, like Pandora. So, I will present a
modified approach which allows for this. Here's how I set the Firefox
security and privacy options.
Click Tools, Options or Edit, Preferences depending on the system you're
running, to get into the options screen.
Once in the Options screen, click the Content tab. Set the options as
follows. (I'm not addressing options not related to security or privacy.)
Block pop-up windows - ON (or checked)
Enable JavaScript - ON (Disabling would be more secure and safer, but
many websites would break. We'll deal with this using the NoScript plugin.)
Click the Advanced button beside the JavaScript line and set these options.
Allow scripts to:
Move or resize existing windows - OFF (or unchecked)
Raise or lower windows - OFF
Disable or replace context menus - OFF
Click OK to save these settings.
Click the Privacy tab. Set the following options.
Tell websites I do not want to be tracked - ON
History - Firefox will - Use custom settings for history
Always use private browsing mode - OFF (You could use this, but it will
affect other settings as well as site persistence.)
Remember my browsing history - ON
Remember my download history - OFF (You could turn this on if desired.)
Remember my search and form history - OFF ( ditto )
Accept cookies from sites - ON (Required for many sites to work.)
Accept third party cookies - OFF
Keep until - I close Firefox (This forces session cookies only for most.)
Clear history when Firefox closes - ON
Click the Settings button beside the Clear history line and set the
following to clear on exit.
Turn ON all check boxes to clear on exit EXCEPT Cookies and Site
Preferences. Leaving Cookies unselected will allow some cookies, which
we designate, to remain. However, all others will be session cookies
and will be cleared when Firefox closes anyway. Leaving Site
Preferences unselected allows Firefox to save things like the text zoom
setting for each site (if altered) as well as pop-up handling
exceptions, etc. Note, if using flash, there will also be a Flash
Cookies option here after we install and configure the Better Privacy
plugin. You won't see it now, but you can look at it later. This option
should be CHECKED as well.
Click OK to save these settings.
Click the Security tab. Set the following.
Warn me when sites try to install addons - ON
Block reported attack sites - ON
Block reported web forgeries - ON
Remember passwords for sites - OFF (I prefer to remember my own
passwords or have something like LastPass do it.)
Use a master password - ON (Then complete the dialog box to set it.)
Click OK to save all the options and dismiss the options screen.
Now, open a blank browser tab.
Type about:permissions in the web address blank and hit enter.
You will get a screen which allows you to set the default permissions
for sites as well as override them for specific sites. Click the All
Sites line in the upper left. Set the default permissions as follows.
Store passwords - BLOCK
Share location - BLOCK
Set cookies - ALLOW FOR SESSION
Open Pop-up windows - BLOCK
Maintain offline storage - BLOCK
You can now close this tab, or go to another web page.
That's it for the basic Firefox configuration, but we're just
beginning. In the next post, I'll talk about how to set up the NoScript
and Ghostery plugins. I hope to complete the other posts tonight and
tomorrow.
Sincerely,
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
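
Added example, not part of the original post: a Python check that reads a Firefox prefs.js and compares it with the Content, Privacy and Security choices listed in the message. The about:config key names mapped to each UI option and the SAMPLE text are assumptions of this example; the post names only the UI options.

```python
import re

# Assumption: these Firefox pref keys are the about:config names behind the
# UI options in the post; the values encode the post's ON/OFF choices.
BASELINE = {
    "dom.disable_open_during_load": True,           # Block pop-up windows ON
    "dom.disable_window_move_resize": True,         # Move or resize windows OFF
    "dom.event.contextmenu.enabled": False,         # Replace context menus OFF
    "privacy.donottrackheader.enabled": True,       # Do not track ON
    "network.cookie.cookieBehavior": 1,             # Third party cookies OFF
    "network.cookie.lifetimePolicy": 2,             # Keep until I close Firefox
    "privacy.sanitize.sanitizeOnShutdown": True,    # Clear history on close ON
    "privacy.clearOnShutdown.cookies": False,       # ...except Cookies
    "privacy.clearOnShutdown.siteSettings": False,  # ...and Site Preferences
    "signon.rememberSignons": False,                # Remember passwords OFF
}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: bool|int|str} for every user_pref() line in prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            if raw in ("true", "false"):
                prefs[name] = raw == "true"
            elif re.fullmatch(r"-?\d+", raw):
                prefs[name] = int(raw)
            else:
                prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    prefs, report = parse_prefs(text), {"ok": [], "mismatch": [], "unset": []}
    for name, want in BASELINE.items():
        if name not in prefs:
            report["unset"].append(name)  # default in effect: check in the UI
        elif type(prefs[name]) is type(want) and prefs[name] == want:
            report["ok"].append(name)
        else:
            report["mismatch"].append((name, prefs[name], want))
    return report

# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE = """user_pref("dom.disable_window_move_resize", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("signon.rememberSignons", true);
user_pref("browser.startup.homepage", "about:blank");"""
```

prefs.js records only values changed from the defaults, so "unset" means the default applies and has to be confirmed in the Options screen.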