Hardening your privacy #1

July 13, 2008 at 4:43 pm | In Privacy/Security

With the continuing spread of Phorm, NebuAd, and their ilk, and the growing trend for governments and ISPs to record where you go and what you do, I felt it would be worthwhile to write a series of articles on how to harden your privacy.

The first thing I’d suggest is that people use Firefox 3. I find it to be more secure by default and easier to configure to be secure and private, and it has a number of security- and privacy-related add-ons.

First let me talk about the settings in Firefox 3.

On the “Privacy” page:

History

Keep my history for at least x days

I always uncheck this. Having your history hanging around is a privacy nightmare.

Remember what I enter in forms and search bars

Another privacy nightmare. I strongly suggest you uncheck it. There are applications out there that will do their best to pull this information out of your browser.

Remember what I’ve downloaded

I leave this checked but have the browser set to clear all the data from it at the end of the session (when I close the browser). In my more secure profiles (like the one I use for Tor) this option is unchecked.

Cookies:

Accept Cookies from sites

I leave this one checked in my standard browser but un-check it in my Tor (secure browser) profile. Again I have the browser set to flush all cookies when it closes.

Accept third party cookies

I always uncheck this one. 95% of “third party cookies” are used by advertising and web metric firms to track you, something you definitely don’t need.

Keep until:

The most secure setting for this, and the one I suggest, is “I close Firefox”. Set this way, all cookies are flushed as soon as you close your browser, which is good. It makes you much harder to track with cookies because the companies always have to start with a new cookie. It also avoids “oopses” caused by forgetting to sign out of a site (if the cookie was still there, people using the computer after you could/would have access to the account you forgot to log out of).

Private Data:

Always Clear my private data when I close Firefox

I always have this checked, and all the options under the associated Settings button checked as well. Doing so returns the browser to a blank slate when you close it. This way, even if your machine was broken into, the browser cache and settings would be clear. (A lot of Trojans, viruses, and hackers go looking in the browser’s folder, as it can offer a wealth of information if not set to be cleared.)

Ask me before clearing private data

This I always uncheck. For me it is just annoying to have the “are you sure” question every time I try to close the browser, and I know I want it cleared.

Now on to the Security page in the settings:

Warn me when sites try to install add-ons

Best to have this checked, and be sure that there are no sites listed under the exceptions that you do not want to be able to install add-ons (so probably just addons.mozilla.org and update.mozilla.org).

Happily, the next two:

Tell me if the site I’m Visiting is a suspected attack site

Tell me if the site I’m visiting is a suspected forgery

were implemented in a privacy-friendly manner, so I’m quite comfortable leaving them checked. I say privacy-friendly because Firefox 3 downloads a list of the sites to watch for rather than sending each URL you enter to a third party for verification.

Remember passwords for sites

Another privacy (and security) nightmare. I strongly suggest turning this feature off (unchecking it) and using a secure external password manager such as Revelation, or KeePass if you are using Windows.

Use a master password

I leave this unchecked, but ONLY because I never store passwords. If you ever plan to have your browser remember a password for you, I strongly suggest checking this and setting a master password. This will encrypt all the stored passwords, making them a lot harder for someone to retrieve.

Add-ons

There are a couple of add-ons I strongly suggest for Firefox. They are Adblock Plus, NoScript, and User Agent Switcher.
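The Privacy and Security page choices above can also be checked from a terminal. The script below is an added example, not part of the original post: it reads a profile's prefs.js and reports which of six settings differ from the recommendations. The about:config preference names and values are an assumed mapping of the dialog options and do not appear in the post, and the sample prefs.js is constructed.

```sh
#!/bin/sh
# Added example: compare a Firefox profile's prefs.js with the settings above.
# Pref names/values are about:config equivalents (assumed mapping, not from the post).
WANTED='browser.formfill.enable false
signon.rememberSignons false
network.cookie.cookieBehavior 1
network.cookie.lifetimePolicy 2
privacy.sanitize.sanitizeOnShutdown true
privacy.sanitize.promptOnSanitize false'

# pref_value FILE NAME: print the value FILE sets for NAME (last one wins), or nothing.
pref_value() {
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n 's/^[[:space:]]*user_pref("'"$name_re"'",[[:space:]]*\(.*\));[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# audit_prefs FILE: report every deviation; exit status is the number of deviations.
# A pref missing from prefs.js is at the browser default, which counts as a deviation.
audit_prefs() {
    bad=0
    while read -r name want; do
        got=$(pref_value "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "$name: want $want, found ${got:-unset (browser default)}"
            bad=$((bad + 1))
        fi
    done <<EOF
$WANTED
EOF
    return "$bad"
}

# Constructed sample prefs.js: third-party cookies accepted, password saving left at default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
user_pref("browser.formfill.enable", false);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.sanitize.promptOnSanitize", false);
EOF
audit_prefs "$sample" || echo "$? setting(s) differ from the recommendations"
rm -f "$sample"
```

To audit a real profile, pass audit_prefs the path of the prefs.js file inside that profile's directory.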

Adblock Plus:

This is a wonderful add-on that will not only help you get rid of the annoying banner ads everywhere but can also block tracking sites. I strongly suggest people install this add-on and then subscribe to the following block lists for it: EasyElement+EasyList, ABP Tracking Filter, and Fanboy’s List.

I find that this blocks 99.9% of advertisements and a huge number of the tracking sites.

NoScript:

This is a wonderful and strongly recommended add-on that blocks Java, JavaScript and plugins by default. It gives you very fine-grained control over which sites can do what. It also protects against XSS (cross-site scripting) attacks. As the #1 vector of virus infection nowadays is drive-by downloads, I cannot suggest this add-on strongly enough.

Sadly, it can cause problems with some sites that are poorly written (bounce through 3rd party sites for verification, etc.), so some users find it more bothersome than they feel it is worth. I would like to encourage people to take the time to get used to NoScript rather than getting rid of it. I can respect that people often do not have the time or skill to track down why a particular page isn’t working. You can temporarily disable NoScript for such occasions, but I’ve found that people who start going that route tend to start leaving it disabled, in which case they might as well remove it.

Try it. Try to stick with it. It really can and will save your computer.

User Agent Switcher:

This add-on allows you to set how Firefox reports itself to websites. You can have it tell the website that it is “Internet Explorer 7” or “Opera”, and you can also choose/set what operating system it says you have. This is a good thing for privacy, as you can set it to something like “Internet Explorer 7” on “Windows XP” and blend into the crowd of millions of others using that combination.

As this is getting long I’m going to break this discussion up into several more parts.

People wanting to set Firefox 3 up to use Tor should see this post.

In the upcoming posts

Privoxy

Encryption

Tor

Psiphon

freenet, Gnunet, I2P, JAP, etc

gotchas

Tor And Firefox 3.0b5 in Hardy

May 20, 2008 at 6:06 pm | In Tech | 3 Comments

I have recently noticed several hits on my blog looking for TOR and Firefox 3.0b5. Since I use both, and since I know that TorButton does not yet (at least the last time I checked) work with Firefox 3.0b5, I figured I’d write a quick howto on setting up a safe Tor/Firefox in Hardy Heron.

The instructions below assume that you have already installed TOR and Privoxy and set them up correctly.

The first thing you will need to do is to create a separate profile for Tor browsing. The more paranoid may wish to set up a separate user account for TOR browsing thus further preventing the chance of data leakage.

To set up a separate profile, make sure there are no instances of Firefox running, then open a terminal and enter the command:

firefox -ProfileManager

A window that looks like this should show up:

[Screenshot: Profile Manager]

Create a new profile that you will use for Tor only. I called mine TorFox to avoid confusion.

Now we need to create a new launcher to use the TorFox profile.

Right-click on the desktop and choose Create Launcher.

That will bring up this dialog:

[Screenshot: Launcher Dialogue]

Fill it in like this:

Type: Leave set to Application

Name: A name you like (I used TorFox)

Command: firefox -P TorFox -no-remote

(The value after the -P should be the name you gave your TOR profile)

Comment: Whatever you want to show up as the tooltip

Now click the icon button, and if you want the Firefox icon you can find it in:

/usr/share/pixmaps/firefox-3.0.png

Then click OK and we are ready to start setting up your TorFox.

Click the launcher (or double-click if your system is set to use double clicks).

A Firefox window will open. Just double-check that it is not your normal (default) profile Firefox. It shouldn’t have any of your favourites, add-ons, or other settings. It should be a fresh Firefox.

Once you have that, click Edit -> Preferences.

On the Main tab, click Manage Add-ons and disable or uninstall all add-ons (there should only be the Ubuntu Firefox modifications, as this should be a fresh profile).

Then at the top of the Add-ons window you will see an option for Plugins.

Click it and then disable all plugins.

Once that is done, exit the Add-ons window and click Content on the Preferences window.

On the Content tab, uncheck Enable JavaScript and Enable Java.

Now click Applications at the top of the Preferences window.

Set all the actions so that they do not use external applications: set them to Preview in Firefox, Always Ask, or Save File. Of these, Save File is probably the safest, but some things don’t have that option (Podcast, Video Podcast, Web Feed), so those you will need to set to Preview in Firefox. It should look something like this:

[Screenshot: Application Preferences]

Now click the Privacy tab at the top of the Preferences window.

Uncheck all the history items.

The more paranoid can uncheck all the cookie options, but that will greatly limit the sites you can go to, so I personally accept both types of cookies but have the Keep Until option set to clear the cookies when I close Firefox.

Check Always Clear Private Data. Click the Settings button beside it and make sure all options are checked. Uncheck Ask me before clearing private data.

Now we move on to the Security tab.

I uncheck both of the Tell me if the site… options because these most likely leak information by looking up the site you are going to on a remote site.

Also uncheck the Remember passwords options. (If you don’t store them, they can’t leak.)

And finally, on to the Advanced tab.

Under Advanced there are several tabs.

We’ll start on the Network tab. Click the Settings button beside Connections.

Set it up like this:

[Screenshot: Connection settings for TOR]

Also check Tell me when a website asks to store data offline, and use the Exceptions button to be sure that there are no pre-set exceptions.

On the Update tab under Advanced, uncheck all the Update options.

Your Tor/Firefox should now be ready for a test drive. If you find you cannot connect to anything, you probably need to edit the /etc/privoxy/config file and be sure it has:

forward-socks4a   /               127.0.0.1:9050 .

in it. The . at the end of that line is necessary.
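A quick way to confirm that line is present and complete, as an added example that is not part of the original post: the function below checks a Privoxy config file for an active catch-all forward-socks4a rule pointing at 127.0.0.1:9050 and flags the case where the final "." has been left off. The function name, exit codes and sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the Privoxy-to-Tor forwarding rule described above.
# The fourth field of forward-socks4a names an HTTP parent proxy; "." means none,
# which is why the line is incomplete without it.
# check_privoxy_forward FILE exit status:
#   0  catch-all rule to 127.0.0.1:9050 present, with the trailing "."
#   1  no active catch-all forward-socks4a rule at all
#   2  rule present but the trailing "." is missing
#   3  rule points somewhere other than 127.0.0.1:9050
check_privoxy_forward() {
    awk '
        /^[[:space:]]*#/ { next }                 # commented-out lines do not count
        $1 == "forward-socks4a" && $2 == "/" {
            if ($3 != "127.0.0.1:9050") { rc = 3; next }
            if ($4 != ".")              { rc = 2; next }
            ok = 1
        }
        END { if (ok) exit 0; exit (rc ? rc : 1) }
    ' "$1"
}

# Constructed sample config showing the mistake the post warns about.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen-address 127.0.0.1:8118
# forward-socks4a / 127.0.0.1:9050 .
forward-socks4a / 127.0.0.1:9050
EOF
if check_privoxy_forward "$sample"; then
    echo "Privoxy forwards to Tor"
else
    echo "forwarding rule problem, code $?"
fi
rm -f "$sample"
```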

I hope this helps get people going. If anyone sees something I missed (yes, I know that changing user agents might be a good idea, but that is a little more advanced than I wanted to get into in this howto), please let me know.

Enjoy!!

P.S. If you want to use both Firefoxes, TOR and non-TOR, you will need to edit the launchers for the regular Firefox and add the options -P default -no-remote to their command lines so that it launches the correct profile and does not open a tab in the other browser. This will create the minor annoyance of needing to close out the browser before clicking a link in another program (like Evolution), but I feel the assurance that I’m not opening a TOR browser when I meant to open a regular one is worth that minor hassle.

Also, you may want to set different themes for each browser so you can quickly spot which one you are working in (this prevents “ooopses” of accidentally using a TOR browser for something that you’d rather not have going over the TOR network).
