Moderate Hardening for Firefox

The modern web consists of many different technologies that provide the most different possibilities ... but also create a considerable number of threats. Modern browsers have become the most complex applications on a computer long ago, having overtaken even the core of the OS in complexity (Firefox has several times more code lines than Linux kernel or office suites). We spend most of our time in the browser, so it’s not surprising that the browser is under the gun: they constantly try to hack it, use it in a botnet, try to steal our data from it, listen to its traffic, track the sites we visit and our actions on these sites .

Now is the time to say that everything is not so bad, and with all these problems you can cope ... but it is not. Out of the box, browsers are already doing quite a lot: they are regularly updated, they are trying to plug security holes, introduce new technologies for protection, provide an opportunity to expand their functionality with third-party extensions. But there is no serious protection out of the box , and it is unlikely that it will ever appear: it comes complete with the complexity of the browser interface and partial disabling of its functionality, which “breaks” websites and is unlikely to appeal to ordinary users. But the saddest thing is that even at such a price it is impossible to fully protect the browser - it has become too complicated.

However, to enhance browser security, you can do a lot of things. There are a couple of good (English-speaking) projects that offer integrated approaches to additional Firefox protection: the article Firefox Configuration Guide for Freaks and Performance Buffs (or its variant for regular users The Firefox Privacy Guide For Dummies! ) From 12bytes.org and ghacks-user .js from Thorin-Oakenpants, earthlng and claustromaniac. They focus on maximum protection, but using such a browser for common daily tasks becomes extremely problematic and inconvenient. In my opinion, it is worthwhile to limit ourselves to Firefox’s moderate protection in order to strike a balance between enhancing protection, preserving the functionality of the sites we need, and the effort expended on all of this .

Content:

Threat model
Security
Privacy
Fingerprinting
Tracking
Anonymity (Anonymity)
Available ways to enhance security
Extensions
CanvasBlocker
CSS Exfil Protection
Decentraleyes
ETag Stoppa
Header editor
HTTPS Everywhere
Neat URL
uBlock Origin
uMatrix
ghacks user.js
I have a little moderate Hardening, I want everything to the maximum!
The site does not work - who is to blame, where to fix?
Fun facts

Threat model

To begin with, let's analyze the threat model, what exactly we are protecting and from what.

Security

This is a fairly general concept, but in our case it’s about preventing others from using the browser in an irregular way: this includes a wide range of threats from hacking the browser with exploits to protecting against phishing.

Obviously, there will always be holes, so 100% protection here cannot be in principle. For the most part, it’s about turning off some browser or web technologies to reduce the attack surface.

Privacy

No one except the sender and the recipient should be able to read the transmitted information.

Here we are talking mainly about enhancing the protection of https connections. The default browser settings are more focused on making the connection possible, even at the cost of losing the ability to guarantee its confidentiality.

Fingerprinting

The user should be able to prevent the website from determining that past and current site views were performed by the same user.

Here hell begins. Forget those blessed times when it was enough to clean the cookies and enter the site from another IP, so that in principle it could not link these two visits to each other. Now sites have access to so many diverse and unique data about the browser, operating system and user hardware that prevent them from becoming impossible. To be honest, in the process of preparing this article I learned a lot of things that I now would like to "see" - although I knew a lot about what was happening in this area before, I didn’t imagine the scale of the disaster.

After looking at this list, the required by the websites websites notification of users about the use of cookies looks like a mockery.

There are two approaches to protection: reducing the entropy of prints (so that many users have the same fingerprint) and increasing the entropy (so that the fingerprint of one user is different from the previous one). Usually, entropy reduction works better, but more or less fully it can be implemented only in a Tor browser, because for this it is necessary to severely limit the users' ability to customize the browser, but general-purpose browsers cannot afford it. As for the increase in entropy, the main problem is that the fact of randomization of a fingerprint can be determined (by making two fingerprints in a row), after which instead of a specific fingerprint value the feature “forges a fingerprint” is used, which in itself puts you in a very narrow category of users and makes it easy to get a print that is unique to you.

For us, all this means that even trying to prevent the collection of our prints makes no sense, unless it can be obtained "for free" - without sacrificing the efficiency of sites and browser usability.

Tracking

It should not be possible to link together the browsing of different websites by one user, unless he himself informed one site about his account on another site.

Usually, tracking is done through connecting resources (JS / CSS / image) of the same third-party site to many other sites. It would seem that using extensions to block trackers and advertisements should solve this problem ... but, alas, it is not. Yes, it helps, but the harsh truth is that sites sell these data, so even if you visit two sites that block all third-party resources, these sites can still sell data on your visits to the same ad network that will allow her to link these visits among themselves (given the above-mentioned possibilities of obtaining a unique user's fingerprint - this will not be a problem).

Nevertheless, blocking third-party resources is still worth it - it speeds up the loading of sites, eliminates advertising, makes tracking more difficult and expensive, and also reduces the sources of attacks on the browser.

Anonymity (Anonymity)

It should not be possible to associate the browsing of the website with the real identity of the user, if he did not register on this site under his real name and did not log in to him from the IP address registered to him by the provider.

Considering the possibilities of obtaining fingerprints and tracking - the anonymity of the user, who at least one of the sites visited allowed him to find out his real personality, turns into a fiction.

Increased anonymity is beyond the scope of our task. In short, keep in mind: there is no anonymity when using your main browser, and there never will be. Anonymity is needed - look towards specialized virtual locks (with default settings and without saving the results to disk after turning off the virtual one), VPN + Tor and Tor browser instead of the usual Firefox.

Available ways to enhance security

So what can we do? In order of increasing complexity of use:

• You can use the browser’s built-in capabilities to monitor and isolate websites on an individual basis:
  
  • Containers.
  • Private window
  • Manage access rights for websites.
  • Blocking third-party cookies and famous trackers.
  • Deleting data / cache saved by websites.
• You can install a variety of extensions.
• You can pick among the thousands of available browser settings in about:config and change some of them.

With the first paragraph, everything is trivial, but I would like to highlight the containers. This is a relatively new feature of Firefox, which allows you to isolate a group of sites in one container from a group of sites in another. In fact, the use of different containers in one browser should work the same way as the simultaneous use of several different browsers - but to make it more user-friendly. Insulation of containers is still slightly weaker than when using different browsers, but it is quite good and containers can be used. However, the containers themselves do not enhance the protection of any of the items considered in our threat model - maximum, they slightly impede the user's fingerprint by isolating the data stores ( cookies, cache, etc. ).

Extensions come across very different - some are enough to install and they will work without requiring attention and fine-tuning, others need to be constantly configured to restore the functionality of new sites, and still others are a threat to security, privacy and tracking. Therefore, you should very carefully consider the choice of installed extensions, their privacy policies and their updates.

As for changing the settings, about:config is the most difficult way to enhance security. Too many of these settings, too little information about what may break when each setting changes, not too obvious effect on most of them, plus each new version of Firefox brings with it a bunch of new settings and removes some of the old ones.

Extensions

Consider whether it is worth using the automatic update of extensions (you can turn it off on about:addons ). There are many reasons why it should be turned off (but it is still necessary to update them, just manually and carefully tracking changes, including privacy policies):

• Developers regularly decide to start monetizing the expansion in ways that, in the context of this article, you will definitely not like.
• Developers sometimes sell extensions, and their new owner usually makes changes to them that you can hardly like.
• Extensions occasionally "hijack" the developer.
• Newer versions may break compatibility with your current configuration and / or fail.

Some extensions use CSP to implement individual features. Unfortunately, at the moment, the Firefox architecture is such that only one of the extensions will be able to modify the CSP when loading a website - and you cannot be sure which one is in advance. Since it is very critical to ensure the correct operation of uMatrix , it is necessary to carefully monitor the settings of other extensions to make sure that all features that use CSP are disabled in them:

• uBlock Origin : Turn off the → → → [ ] (not exactly sure, but it is logical to assume that for individual sites it is also better not to include).
• HTTPS Everywhere : Disable → [ ] (EASE) .
• CanvasBlocker : Disable → → [ ] Block data URL pages (to see this item you need to enable → [✓] ).

If you decide not to limit the installation of extensions, and put the following user.js , then consider the additional details:

• The recommended user.js requires the use of the uMatrix extension.
• Some settings in user-overrides.js are needed in order not to break the work of some extensions - adjust them according to what extensions you have installed.

CanvasBlocker

• Link
• Protects: Imprints.
• Description: Prevents fingerprinting through various APIs: Canvas, WebGL, Audio, History, Window (disabled by default - can break websites), DOMRect.
• Use: Works automatically, does not require attention. Shows a separate icon at the end of the address bar on sites that are trying to use protected APIs (through it, you can disable blocking on a specific site).
• Icon: You can hide in the advanced menu.
• Setup:
  

   [✓]   [✓] Block data URL pages` (  CSP  uMatrix) 

CSS Exfil Protection

• Link
• Protects: Privacy.
• Description: Blocks attacks like CSS data exfiltration (theft of data from the page through the use of specific CSS selectors).
• Use: Works automatically, does not require attention.
• Icon: You can hide in the advanced menu.
• Setup: Not required.

Decentraleyes

• Link
• Protects: Tracking.
• Description: Protects against tracking by “free” CDNs. Contains popular files, which are usually requested via CDN, and gives them to the browser without performing a real network request on a CDN. A side effect is that it speeds up the loading of sites a bit.
• Use: Works automatically, does not require attention.
• Icon: You can hide in the advanced menu.
• Setup: Not required.

Unfortunately, at me it hangs up the Firefox interface while in the background some sites are loaded , so I had to turn it off for now.

ETag Stoppa

• Link
• Protects: Imprints.
• Description: Removes the ETag: header from the server response.
• Use: Works automatically, does not require attention.
• Icon: None.
• Setup: Not required.

Instead of using this extension, you can add a rule in the Header Editor (it makes sense if it is used for other rules):

• Rule type: Modify response header
• Match type: All
• Execute type: Custom function
• Custom function:
  

   for (const a in val) { if (val[a].name.toLowerCase() === 'etag') { val[a].value = ''; } } 

Header editor

• Link
• Protects: Depends on how to use it.
• Description: Allows you to set your own rules for blocking or redirecting requests, as well as changing the request or response headers.
• Use: Works automatically, does not require attention.
• Icon: You can hide in the advanced menu.
• Setting: By itself, he does nothing at all - you have to define the rules for him.

One example of the rules is mentioned above in the description of ETag Stoppa . But if there are no other rules, it is easier to use ETag Stoppa instead of this extension.

Another example: I found that the ImTranslator extension for some reason sends two cookies to all sites: BL_D_PROV=undefined; BL_T_PROV=undefined BL_D_PROV=undefined; BL_T_PROV=undefined . Maybe this is just a bug, but I do not like that it tells all sites that I use this extension. The problem is solved by this rule:

• Rule type: Modify request header
• Match type: All
• Execute type: Custom function
• Custom function:
  

   for (const a in val) { if (val[a].name.toLowerCase() === 'cookie') { val[a].value = val[a].value.split(/;\s*/).filter((kv)=>{ return !kv.match(/^BL_[DT]_PROV=/) }).join('; '); if (val[a].value === '') { delete val[a]; } } } 

HTTPS Everywhere

• Link
• Protects: Privacy.
• Description: Automatically switches to https wherever possible.
• Usage: It works automatically, almost does not require attention (the last time a site broke down because of this extension a year and a half ago).
• Icon: Used to customize sites.
• Setup: Not required.

Neat URL

• Link
• Protects: Tracking.
• Description: Removes trash options from URLs.
• Use: Works automatically, does not require attention.
• Icon: You can hide in the advanced menu.
• Setup: Not required.

uBlock Origin

• Link
• Protects: Security, Imprints, Tracking.
• Description: An automatic blocker (based on third-party lists) of any garbage by type and / or url, as well as individual elements of the page: from advertising and notifications about the use of the site cookies to trackers and malware.
• Use: Occasionally you need to set up a new site.
• Icon: Required to configure the current site, including manual blocking of individual elements of the page.
• Setup: (filter lists - a matter of personal preference)
  

    [✓]     →  [✓]    IP-  WebRTC [✓]  CSP-   →  [✓] uBlock filters – Annoyances   →  [✓] Adblock Warning Removal List   →  [✓] Fanboy's Enhanced Tracking List   →   [✓] Malvertising filter list by Disconnect [✓] Spam404   →   [✓] AdGuard Annoyances filter [✓] Fanboy's Cookie List [✓] Fanboy's Annoyance List   →  [✓] Dan Pollock's hosts file [✓] hpHosts' Ad and tracking servers   → ,  [✓] RUS: RU AdList 

uMatrix

• Link
• Protects: Security, Imprints, Tracking.
• Description: Manual blocker of individual resources by type and domain.
• Use: Regularly need to customize the new site.
• Icon: Required to configure the current site.

• Setup:

  
  

    →  [✓]      →  [✓]      [1440]     [✓]       [✓]     [1440]  #   referer  uMatrix    user.js: [ ]   HTTP referrer      [✓]  HTTPS:    #  " ",    ""  "":  →   * * script block 

  
  

This extension provides the most serious protection, but it has a price: many sites will be broken, and they will need to be repaired manually. For example, the newly added rule "* * script block" disabled JS execution on all sites - which, of course, has broken many of them. But do not rush to remove this rule: firstly, it does not help much, because loading of many types of resources including JS from third-party sites is still disabled (which also breaks many sites); and secondly, the white list approach : everything that was not explicitly allowed is forbidden in the modern web is the only acceptable one, since you want to increase the security of Firefox.

The good news is that repairing sites is not difficult - usually two or three clicks in the matrix, which is shown by the extension icon, and then re-reading the current page are enough. The main thing is not to forget to save changes in the same matrix after you repair the site.

And prepare yourself mentally that at first you will have to repair almost every site you often visit - this is due to the fact that on actively used sites you will almost certainly need to include at least JS of the site itself, plus, perhaps, some resources from third-party sites. Be patient the first days, then it will become much easier, honestly! :)

It should be noted that the uMatrix interface is very clear and convenient - after you figure it out. In other words, it cannot be called intuitive. Therefore, it is highly desirable to read the documentation! At a minimum, the uMatrix basic usage section (with pictures) from the aforementioned Firefox article in the Configuration Guide for Freaks and Performance Buffs . In general, I highly recommend reading the wiki uMatrix - there are a lot of things, but the information is very necessary and useful.

There is another additional set of rules that can make sense to add to → - it will help block access to Internet resources for websites on the local network (this is not a defense against DNS rebinding attacks). If you installed uMatrix a long time ago, you must first delete the "matrix-off: localhost true" rule (new versions of uMatrix do not install it).

 * localhost * block * 127 * block * 10 * block * 192.168 * block * 169.254 * block * 172.16 * block * 172.17 * block * 172.18 * block * 172.19 * block * 172.20 * block * 172.21 * block * 172.22 * block * 172.23 * block * 172.24 * block * 172.25 * block * 172.26 * block * 172.27 * block * 172.28 * block * 172.29 * block * 172.30 * block * 172.31 * block * [::1] * block * [fc00::] * block * [fd00::] * block * [fe80::] * block * [fe80::1%lo0] * block * [ff02::1] * block * [ff02::2] * block localhost localhost * allow 127 127 * allow 10 10 * allow 192.168 192.168 * allow 169.254 169.254 * allow 172.16 172.16 * allow 172.17 172.17 * allow 172.18 172.18 * allow 172.19 172.19 * allow 172.20 172.20 * allow 172.21 172.21 * allow 172.22 172.22 * allow 172.23 172.23 * allow 172.24 172.24 * allow 172.25 172.25 * allow 172.26 172.26 * allow 172.27 172.27 * allow 172.28 172.28 * allow 172.29 172.29 * allow 172.30 172.30 * allow 172.31 172.31 * allow [::1] [::1] * allow [fc00::] [fc00::] * allow [fd00::] [fd00::] * allow [fe80::] [fe80::] * allow [fe80::1%lo0] [fe80::1%lo0] * allow [ff02::1] [ff02::1] * allow [ff02::2] [ff02::2] * allow 

ghacks user.js

With extensions everything was simple (yes, and even with uMatrix - although it complicates the use of the browser, it also gives the basic protection), and now we have reached the difficult part.

The ghacks user.js project provides us with a base user.js file, plus scripts for updating it and resetting remote settings. This file contains (for now) a change of 488 settings in about:config ! And they consider it to be basic not without a reason: using it as is, without making the changes you need - almost guaranteed to lead to a catastrophe (for example, its default settings regularly delete the entire browser history, block Firefox Russification, break many sites and extensions).

This project is making very serious efforts to protect Fingerprints and Tracking ... so serious that it becomes so inconvenient to use the browser to such an extent that it is more honest to say “impossible”. And at the same time, it still noticeably loses in the protection of the Tor browser in the virtual machine. This in no way means that the project is useless for users - just to use it, you need to spend a lot of time creating your own user-overrides.js .

For this reason, before using it, you must:

• Carefully read the user.js (about 2300 lines).
• Carefully read all the wiki pages of the project .
• Create your own user-overrides.js file with all the changes regarding user.js that you personally need.
• Make a backup of your Firefox profile !!!
• And only then activate user.js

It takes time, and a lot. Is it worth it? Complex issue.

To answer it, I compiled a (incomplete) list of what it improves besides Imprints and Tracking — look and decide for yourself:

• Security:
  
  • Disable HTTP Auth cross-origin (phishing accounts).
  • Strengthens protection when using memorized passwords .
  • Strengthens security when using TLS and certificates .
  • Limits font support (high probability of vulnerabilities).
  • Disables DRM plugins .
  • Disables WebGL (high probability of vulnerabilities).
  • Limits the features of WebGL if enabled (high probability of vulnerabilities).
  • Turns off all kinds of options for workers (miners, Meltdown / Specter).
  • Disables asm.js (high probability of vulnerabilities).
  • Disables WebAssembly .
  • Turns off Shared Memory (Specter).
  • Adds rel=noopener for links with target=_blank (security).
  • Strengthens protection when interacting with third-party local applications .
  • Disables MathML (decrease attack surface).
  • Forcing Punycode for IDN (anti-spoofing).
  • Enables experimental support for CSP 1.1 .
  • Includes first party isolation .
• Leaks, handling:
  
  • Disables Firefox telemetry and features tied to it (recommendations, etc.).
  • Disables third-party services like Pocket.
  • Blocks the downloading of links that are not clicked (ping, pre-fetch, etc.).
  • Disables network features through which you can bypass proxy / VPN and learn IP (including IPv6 and WebRTC).
  • Limits the leakage of the history of previous pages in the current tab.
  • Disables : visited (history leak).
  • Blocks a leak in the process of typing in the address bar / text search through the search engine tips .
  • Disables screen sharing .
  • Denies access to the clipboard .
  • Disables the Intersection Observer API (stability, ad blocker definition).

To simplify the preparation of your user-overrides.js author of the aforementioned articles on 12bytes.org has posted his own user-overrides.js . He categorically did not suit me, because I need moderate protection, which preserves the usability of the browser, even at the price of weakening the protection against Impressions and Tracking.

I also laid out my user-overrides.js , maybe it will simplify your use of ghacks user.js

So, to start using ghacks user.js , do the following:

• MANDATORY! Backup your current Firefox profile.
• Download the following files from the ghacks user.js project to your current profile directory :
  
  • user.js
  • updater.sh (and make it doable) or updater.bat
  • prefsCleaner.sh (and make it executable) or prefsCleaner.bat
• Create a file user-overrides.js in your current profile directory.
  
  • You can simply download my user-overrides.js , then enter your current dom.push.userAgentID value dom.push.userAgentID and make the changes you need.
• Run ./updater.sh or updater.bat . He will update user.js and add the contents of user-overrides.js to the end.
• Exit Firefox and run ./prefsCleaner.sh or prefsCleaner.bat . It will remove all the settings mentioned in user.js (including commented out) from the prefs.js file (containing your current settings about:config ).
• Launch Firefox. Press Ctrl-Shift-Del and delete (for all time):
  
  • Cookies
  • Cache.
  • Offline website data.
• Look in about:config , the _user.js.parrot parameter should be set to "SUCCESS" - otherwise user.js syntax error somewhere in your user.js

Keep in mind that all settings specified in user.js will be applied each time Firefox is launched. So if you change some of them through about:config , and want to save these changes when you restart Firefox, you need to duplicate them in user-overrides.js , and then run ./updater.sh or updater.bat .

Do not forget to periodically run ./updater.sh or updater.bat to update user.js (at least after the release of the new version of Firefox). The update process is described in more detail in the project wiki .

I have a little moderate Hardening, I want everything to the maximum!

Well, in this case, here's what to do next:

• Discard security-weakening changes in user-overrides.js .
  
  • Instead of unlocking Workers, block them globally in uMatrix.
• Hide IP via Tor and / or public VPN service.
• Install the Privacy-Oriented Origin Policy .
• Put the extension Skip Redirect .
• Put the extension Temporary Containers .
• Read Firefox Search Engine Cautions, Recommendations and clean up the search engine settings in Firefox.
• Remove the embedded extensions from / usr / lib / firefox / browser / features /.
• Enable Referer global spoofing for third-party sites in uMatrix.

The site does not work - who is to blame, where to fix?

I made a list of changes that may disrupt the site so that you can quickly find someone to blame. The mark "(Blocked)" means that this change is in the original user.js , but it is disabled by my user-overrides.js .

• Extension: CanvasBlocker
  
  • Canvas 2D .
  • WebGL .
  • Audio API .
  • history.length .
  • window.name window.opener .
  • DOMRect API .
  • data:// .
• : CSS Exfil Protection
  
  • / CSS .
• : ETag Stoppa
  
  • ETag: .
• : Firefox Multi-Account Containers
  
  • ( , localStorage , etc.) .
• : HTTPS Everywhere
  
  • http:// https:// .
• : Neat URL
  
  • url .
• : uBlock Origin
  
  • DOM .
  • / url .
  • popup .
  • .
  • pre-fetching .
  • <a ping> sendBeacon .
  • CSP .
• : uMatrix
  
  • .
  • mixed content .
  • workers .
  • Referer: .
  • <noscript> .
  • <a ping> sendBeacon .
• ghacks user.js
  
  • () en-US.
  • pre-fetching (, DNS, onMouseOver, etc.).
  • <a ping> .
  • IPv6 ( MAC, .. VPN).
  • () HTTP/2 Alt-Svc: (fingerprinting).
  • () /etc/hosts DNS SOCKS.
  • () :visited ( ).
  • () date/time picker ( ).
  • cross-origin HTTP Auth ( ).
  • () https- OCSP .
  • SHA1 https- ( /MITM).
  • Public Key Pinning ( /MITM).
  • () mixed content .
  • mixed content Flash.
  • () (fingerprinting).
  • ( ).
  • cross-origin Referer: .
  • DRM- .
  • () OpenH264 Video Codec - WebRTC.
  • () WebRTC ( IP, .. VPN).
  • WebGL ( ).
  • () WebGL ( ).
  • screen sharing .
  • canvas (fingerprinting).
  • () - HTML5 media .
  • window.open .
  • .
  • popup click dblclick.
  • () workers (, Meltdown/Spectre).
  • clipboard .
  • beforeunload .
  • asm.js ( ).
  • WebAssembly .
  • Intersection Observer API (, ).
  • Shared Memory (Spectre).
  • rel=noopener target=_blank ().
  • hardware acceleration (fingerprinting).
  • Web Audio API (fingerprinting).
  • sendBeacon .
  • - file:// .
  • MathML ( ).
  • () .
  • offline cache .
  • () first party isolation ( - ).
  • () resist fingerprinting ( / , , , , ; ; , ; Shift Alt; etc.).
• user-overrides.js
  
  • .
  • TLS 1.0, 1.1 .
  • TLS .

Firefox, , , : Mozilla. , ALSA PulseAudio , PulseAudio. " , PulseAudio, " , , (, , — PulseAudio, ).

Firefox , : , FPI (first party isolation) RFP (resist fingerprinting). - Temporary Containers ( , " Hardening") — , . , . , , .

https://html5test.com HTML5 508 555 ( , user.js ) 493 ( user.js user-overrides.js ).