
/d/OpSec

15,203 subscribers

Discussion about OpSec, Threat Models, Protection, Assessment and Countermeasures.

An in-depth guide to Firefox hardening (Pinned post)

by /u/just_no mercy for bad OpSec · 17 votes · 6 months ago

After seeing the Firefox hardening post by /u/Penguin_With_A_Gun I decided to expand on it a bit for those who really want to lock down their browsers. There is a lot more to hardening than what was mentioned in that post. Follow along as I break the process down into 3 different categories: 1. about:config, 2. Firefox preferences and 3. Extensions.

1. about:config

These changes are made in about:config and deal with things such as cookie isolation, disabling telemetry, preventing URLs from autoloading (less risk of contact with malicious websites) and more.

privacy.firstparty.isolate = true

privacy.resistFingerprinting = true

privacy.trackingprotection.enabled = true

browser.cache.offline.enable = false

browser.safebrowsing.malware.enabled = false [More privacy but less security. Decide if this one is right for you.]

browser.safebrowsing.phishing.enabled = false [Same as above]

browser.sessionstore.max_tabs_undo = 0

browser.urlbar.speculativeConnect.enabled = false

dom.battery.enabled = false [Prevents websites from seeing your battery level, less information for fingerprinting]

dom.event.clipboardevents.enabled = false

geo.enabled = false

security.ssl.enable_false_start = false

media.eme.enabled = false

-Disables playback of DRM-controlled HTML5 content, which, if enabled, automatically downloads the Widevine Content Decryption Module provided by Google Inc. DRM-controlled content that requires the Adobe Flash or Microsoft Silverlight NPAPI plugins will still play, if installed and enabled in Firefox.

media.gmp-widevinecdm.enabled = false

-Disables the Widevine Content Decryption Module provided by Google Inc., used for the playback of DRM-controlled HTML5 content.

media.navigator.enabled = false

network.cookie.cookieBehavior = 1

Disable cookies

0 = Accept all cookies by default

1 = Only accept from the originating site (block third-party cookies)

2 = Block all cookies by default

network.cookie.lifetimePolicy = 2

cookies are deleted at the end of the session

0 = Accept cookies normally

1 = Prompt for each cookie

2 = Accept for current session only

3 = Accept for N days

network.http.referer.trimmingPolicy = 2

Send only the scheme, host, and port in the Referer header

0 = Send the full URL in the Referer header

1 = Send the URL without its query string in the Referer header

2 = Send only the scheme, host, and port in the Referer header

network.http.referer.XOriginPolicy = 2

Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.)

0 = Send Referer in all cases

1 = Send Referer to same eTLD sites

2 = Send Referer only when the full hostnames match

network.http.referer.XOriginTrimmingPolicy = 2

0 = Send full url in Referer

1 = Send url without query string in Referer

2 = Only send scheme, host, and port in Referer

webgl.disabled = true

WebGL is a potential security risk.

browser.sessionstore.privacy_level = 2

0 = Store extra session data for any site. (Default starting with Firefox 4.)

1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)

2 = Never store extra session data.

network.IDN_show_punycode = true

media.peerconnection.turn.disable = true

media.peerconnection.use_document_iceservers = false

media.peerconnection.video.enabled = false

media.peerconnection.identity.timeout = 1

media.webRTC - all options disabled, set media.webrtc.debug.aec_dump_max_size to 1

security.ssl3.rsa_des_ede3_sha = false

security.ssl.require_safe_negotiation = true

security.tls.enable_0rtt_data = false

browser.formfill.enable = false

browser.cache.disk.enable = false

browser.cache.disk_cache_ssl = false

browser.cache.memory.enable = false

browser.newtabpage.activity-stream.telemetry = false

browser.newtabpage.activity-stream.feeds.telemetry = false

browser.ping-centre.telemetry = false

toolkit.telemetry.archive.enabled = false

toolkit.telemetry.bhrping.enabled = false

toolkit.telemetry.firstshutdownping.enabled = false

toolkit.telemetry.newprofileping.enabled = false

toolkit.telemetry.unified = false

toolkit.telemetry.updateping.enabled = false

toolkit.telemetry.shutdownPingSender.enabled = false

network.http.sendRefererHeader = 0

dom.serviceWorkers.enabled = false

about:memory -> check anonymize box

2. Firefox preferences

Preferences -> Privacy & Security -> Enhanced Tracking Protection -> Strict

Preferences -> Privacy & Security -> Remember history -> Never

Preferences -> Privacy & Security -> Firefox Data Collection and Use -> make sure all of the boxes are unchecked

Preferences -> General -> Network Settings -> Enable DNS over HTTPS [Do not do this if you filter DNS requests locally through your router or something else]

3. Extensions

uBlock Origin - great for blocking ads and malicious connections from malvertising. If you enable "I am an advanced user" then the addon can be used to block scripts as well. I highly recommend enabling this to block third party scripts and frames. An instructional video can be found here https://invidious.fdn.fr/watch?v=2lisQQmWQkY

User Agent Switcher - Allows you to change your user agent string to something more generic. Only about 3% of internet users use Firefox, with about 96% of the web using Chrome. Make your hostname show a different browser and operating system to blend in a bit more.

Cookie AutoDelete - Cookies follow you around the web, and some of them even mine crypto with your browser. One of the best ways to stop this is with Cookie AutoDelete. Whenever you close a tab all of the cookies from that tab will be deleted.

Privacy Badger - blocks trackers from around the web

Privacy Possum - Similar to Privacy Badger but blocks different types of content

If you want to block JavaScript entirely then go into about:config, type "javascript.enabled" then double click for false. No point in using a dedicated extension for that. Keep in mind that this will break a lot of functionality on the web and you might want to save such extreme measures for the Tor Browser as it is more sensitive.

If you found this post helpful then please leave an upvote so that more people can see it.
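The four Referer prefs in the post interact, and the option lists alone do not show what a given request ends up sending. The model below is an added example (not code from the post) that implements the documented semantics of network.http.sendRefererHeader (0 never, 1 link clicks only, 2 always), network.http.referer.XOriginPolicy, network.http.referer.trimmingPolicy and network.http.referer.XOriginTrimmingPolicy, with the cross-host request getting the stricter of the two trimming policies. Assumptions: the "base domain" test for XOriginPolicy = 1 uses the last two host labels instead of the Public Suffix List, and per-site Referrer-Policy headers, network.http.referer.defaultPolicy and the HTTPS-to-HTTP downgrade rule are ignored. The sample URLs are constructed.

```python
"""Model of which Referer value Firefox sends under the network.http.referer.* prefs.

Added example, not from the post. Assumptions: base-domain check is an
approximation (last two labels, no Public Suffix List); Referrer-Policy
headers, network.http.referer.defaultPolicy and the HTTPS->HTTP downgrade
rule are not modelled.
"""
from urllib.parse import urlsplit


def _trim(url: str, policy: int) -> str:
    """Apply a trimmingPolicy value: 0 full URL, 1 drop the query, 2 origin only."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    if policy >= 2:
        return origin + "/"
    path = u.path or "/"
    if policy == 1 or not u.query:
        return origin + path
    return f"{origin}{path}?{u.query}"   # the fragment is never part of a Referer


def _base_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: no PSL lookup)."""
    return ".".join(host.lower().split(".")[-2:])


def referer_for(source: str, target: str, *, send_referer: int = 2,
                x_origin_policy: int = 0, trimming_policy: int = 0,
                x_origin_trimming_policy: int = 0, is_link_click: bool = True):
    """Referer Firefox would send from `source` to `target`, or None for no header.

    The keyword defaults are the most permissive value of each pref."""
    # sendRefererHeader: 0 = never, 1 = only when the user clicked a link, 2 = always.
    if send_referer == 0 or (send_referer == 1 and not is_link_click):
        return None
    src_host = (urlsplit(source).hostname or "").lower()
    dst_host = (urlsplit(target).hostname or "").lower()
    same_host = src_host == dst_host
    # XOriginPolicy: 0 = always send, 1 = only if base domains match, 2 = only if hosts match.
    if x_origin_policy == 2 and not same_host:
        return None
    if x_origin_policy == 1 and _base_domain(src_host) != _base_domain(dst_host):
        return None
    # Same-host requests use trimmingPolicy alone; cross-host requests get the
    # stricter of trimmingPolicy and XOriginTrimmingPolicy.
    policy = trimming_policy if same_host else max(trimming_policy, x_origin_trimming_policy)
    return _trim(source, policy)


# The values the post sets. sendRefererHeader = 0 short-circuits everything
# else: no Referer is sent even to the same host.
POST_SETTINGS = dict(send_referer=0, x_origin_policy=2,
                     trimming_policy=2, x_origin_trimming_policy=2)

if __name__ == "__main__":
    src = "https://shop.example.com/cart?item=9#top"      # constructed sample
    for tgt in ("https://shop.example.com/checkout",
                "https://cdn.example.com/pixel.gif",
                "https://tracker.other.org/collect"):
        print(f"{tgt}: post settings -> {referer_for(src, tgt, **POST_SETTINGS)}")
        print(f"{tgt}: XOrigin=1, trim=1/2 -> "
              f"{referer_for(src, tgt, x_origin_policy=1, trimming_policy=1, x_origin_trimming_policy=2)}")
```

Running it shows that with the post's values the function returns None for every target, because sendRefererHeader = 0 is applied before any of the trimming rules; if you only want the trimming behaviour described in the option lists, leave sendRefererHeader at its default and rely on the three referer.* prefs.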

Comments (33)
/u/azrael13 · 2 votes · 6 months ago

Very good, not a lot of users check their about:config page.

/u/[deleted] · 1 vote · 6 months ago

Are you from onionland?

/u/azrael13 · 1 vote · 6 months ago

Yeah, such a great forum, shame about the spam. Is it still online?

/u/[deleted] · 1 vote · 6 months ago

Nope, it was taken down by Aediot...

If you have a PGP key, please send a signed message or anything to prove it was you. Personally I respect the onionland community and I miss them :(.

/u/azrael13 · 1 vote · 6 months ago

That's a bummer, if only Aediot could've put someone else in charge to take care of it.

I do have a PGP key and it's available in my profile here as well.

I totally understand, it was the only true darknet forum with freedom of speech and literally NO rules.

/u/AncientIdai · 2 votes · 6 months ago

privacytools[dot]io is a great place where you can find everything you need for more privacy.

/u/Penguin_With_A_Gun · 2 votes · 6 months ago

I love this post. You went more in depth than I ever did.

/u/just_no mercy for bad OpSec OP · 1 vote · 6 months ago

You gave me the idea. It just needed a bit more expansion.

/u/sheepwolf · 1 vote · 6 months ago

Do these work interchangeably with Firefox/Tor Browser or does the latter have other unique customizations?

/u/just_no mercy for bad OpSec OP · 2 votes · 6 months ago

I would agree with everything /u/silentsound said. I would not mess around in Tor Browser as the TBB team has likely hardened everything better than we can. I would be afraid of accidentally weakening something by making a change that has ramifications I do not understand.

/u/FizDing · 1 vote · 2 months ago

I did exactly that, fucked up my browser using one of these guides (not this one). Luckily, I remembered what I had changed and simply changed it back. After that I left things totally alone other than a few simple things like Strict Mode and javascript false

/u/just_no mercy for bad OpSec OP · 1 vote · 2 months ago

You messed up the Tor browser or normal Firefox?

/u/FizDing · 2 votes · 2 months ago

Tor Browser.

/u/just_no mercy for bad OpSec OP · 1 vote · 2 months ago

Well hopefully someone thinking about doing the same thing can read this and learn from your mistake.

/u/FizDing · 1 vote · 2 months ago

Yeah no shit. I'm totally for hardening all aspects of your opsec. If you're doing anything like the OP posted, make sure and take notes so you can recover if you have to.

/u/just_no mercy for bad OpSec OP · 2 votes · 2 months ago

I am the OP. There are no problems with doing this method on Firefox and this post is always here if anybody wishes to revert the changes. Although some things like blocking third party scripts can take some getting used to on the clearweb.

/u/FizDing · 1 vote · 2 months ago

Right on. I imagine your method works perfectly like it's supposed to. I didn't mean to suggest any differently. The method I tried had just a few steps and it hosed my ability to connect.

I do have your post bookmarked and plan on running your example in the future on a different machine. I simply scared myself.

Thanks for taking the time to write the post and share your knowledge with the rest of us!

/u/just_no mercy for bad OpSec OP · 1 vote · 2 months ago

Happy to help.

/u/silentsound · 1 vote · 6 months ago

Tor Browser is based on Firefox, so they should all be interchangeable. However, the fine people behind Tor Browser are experts, so you can probably assume that they already know all about hardening. Just because it appears that something has been overlooked, does not mean that they haven't taken care of it. For example, when the shield in Tor Browser is full, javascript is disabled even though about:config might say javascript.enabled = true.

I say, go ahead and harden your name-brand Firefox all you like, but only change settings in your Tor Browser if you really know what you are doing. It would suck to accidentally make your security worse or break your Tor Browser.

Great post @/u/just_no, thanks for the info!

/u/halver · 1 vote · 6 months ago

Thanks for that useful info.

/u/just_no mercy for bad OpSec OP · 1 vote · 6 months ago

Glad you liked it

/u/saucespillinn · 1 vote · 6 months ago

this is greatly appreciated.

/u/annnnoooooooon · 1 vote · 6 months ago

Is there any use in unchecking "Prevent accessibility services from accessing your browser"?

/u/just_no mercy for bad OpSec OP · 1 vote · 6 months ago

If you don't need them then I would check it. It's one more hole being plugged.

/u/[deleted] · 1 vote · 6 months ago

THX. Will definitely be making changes to Firefox once I get home to improve my Privacy on the clearnet.

/u/StarScream999 · 1 vote · 5 months ago

Could you make a script that could do all this for us automatically? Or could someone make a Tor Browser hardener program that takes all the settings and changes them in the .ini file.

Also would like to see a Chrome/Blink Engine hardening guide!

/u/just_no mercy for bad OpSec OP · 2 votes · 5 months ago

You do not need to harden the Tor Browser. Too many changes in about:config risk breaking something or possibly changing the fingerprint. Unfortunately I do not have a script to automate this but if someone wants to write one to change all of these boolean values it would make setting up the browser much faster.
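The automation asked for above, as an added example (not code from the post or from either commenter): Firefox reads a file named user.js from the profile folder at every start and writes its user_pref lines over prefs.js, so the hardening list can be kept in one file and re-applied on each launch. The script renders that user.js from a dictionary of the post's prefs and also audits an existing prefs.js against it, comparing values type-sensitively because Firefox distinguishes the integer 1 from the boolean true. Assumptions: HARDENING_PREFS holds only a subset of the post's list (extend it with the rest), the profile path is supplied by the user (about:support lists it as "Profile Folder"), and the embedded prefs.js text is constructed for the demo.

```python
"""Render a hardening user.js and audit a profile's prefs.js against it.

Added example, not code from the post. HARDENING_PREFS is a subset of the
post's about:config list; SAMPLE_PREFS_JS is constructed, not a real profile.
Usage: python firefox_prefs_audit.py [PROFILE_DIR]
"""
import re
import sys
from pathlib import Path

HARDENING_PREFS = {
    "privacy.firstparty.isolate": True,
    "privacy.resistFingerprinting": True,
    "network.cookie.cookieBehavior": 1,
    "network.cookie.lifetimePolicy": 2,
    "network.http.referer.XOriginPolicy": 2,
    "network.http.sendRefererHeader": 0,
    "webgl.disabled": True,
    "dom.battery.enabled": False,
    "geo.enabled": False,
    "security.tls.enable_0rtt_data": False,
    "dom.serviceWorkers.enabled": False,
    "toolkit.telemetry.unified": False,
}

# Both prefs.js and user.js consist of lines of the form:  user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')


def to_js(value) -> str:
    """Render a bool/int/str as the JavaScript literal Firefox expects."""
    if isinstance(value, bool):            # test bool first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def from_js(text: str):
    """Parse the literal from a pref line back into a typed Python value."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(text)                       # ValueError for literals we do not model


def render_user_js(prefs: dict) -> str:
    return "".join(f'user_pref("{k}", {to_js(v)});\n' for k, v in sorted(prefs.items()))


def parse_prefs_js(text: str) -> dict:
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            try:
                prefs[m.group(1)] = from_js(m.group(2))
            except ValueError:
                pass
    return prefs


def audit(current: dict, wanted: dict) -> dict:
    """Map every pref that is unset or differs to (current_value, wanted_value).

    Comparison includes the type: in Firefox the integer 1 is not the boolean
    true, even though 1 == True in Python."""
    def typed(v):
        return (type(v).__name__, v)
    return {k: (current.get(k), v) for k, v in wanted.items()
            if k not in current or typed(current[k]) != typed(v)}


# Constructed sample of a profile's prefs.js: one pref already hardened, one at
# the wrong value, one with the right value but the wrong type, the rest unset.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 4);
user_pref("webgl.disabled", 1);
user_pref("browser.startup.homepage", "https://example.org/?q=\\"x\\"");
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        text = (Path(sys.argv[1]) / "prefs.js").read_text(encoding="utf-8")
    else:
        text = SAMPLE_PREFS_JS
    for name, (have, want) in audit(parse_prefs_js(text), HARDENING_PREFS).items():
        shown = "unset" if have is None else to_js(have)
        print(f"{name}: have {shown}, want {to_js(want)}")
    # Write this output to <profile>/user.js to have Firefox apply it on every start.
    print(render_user_js(HARDENING_PREFS), end="")
```

Run it with no argument to see the audit of the constructed sample; with a profile directory as the argument it audits that profile's prefs.js (close Firefox first, since prefs.js is rewritten on exit). Because user.js is re-applied at every start, flipping one of these prefs back in about:config only lasts until the next launch; to revert a setting permanently, delete its line from user.js.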

/u/StarScream999 · 1 vote · 5 months ago

Ok good to know, thanks.

/u/just_no mercy for bad OpSec OP · 2 votes · 5 months ago

Always happy to help.

/u/st0ke · 1 vote · 3 months ago

very detailed. thanks

/u/CC57 · 1 vote · 1 month ago

Hi @just_no, I am set up with your guide's config, but the problem is I can't change the user agent string to something else, can you help me?

/u/CC57 · 1 vote · 1 month ago

Please help @just_no

/u/KingLurk · 1 vote · 3 weeks ago

What DNS/DoH provider do you recommend?