/user.js

user.js -- Firefox hardening stuff

Primary LanguageJavaScript

Firefox hardening

What's all this then?

This is a user.js configuration file for Mozilla Firefox that's supposed to harden Firefox's settings and make it more secure.

Main goals

  • Limit the possibilities to track the user through web analytics
  • Harden the browser, so it doesn't spill it's guts when asked (have you seen what BeEF can do?)
  • Limit the browser from storing anything even remotely sensitive persistently (mostly just making sure private browsing is always on)
  • Make sure the browser doesn't reveal too much information to shoulder surfers
  • Harden the browser's encryption (cipher suites, protocols, trusted CAs)
  • Hopefully limit the attack surface by disabling various features
  • Still be at least somewhat usable in daily use

How to achieve this?

There are several parts to all this and they are:

  • Running a selected list of browser extensions
  • Using the user.js settings file itself
  • Using the cas.sh script to limit the CAs

How to use the user.js file

Just drop the user.js file to your Firefox profile directory at ~/.mozilla/firefox/XXXXXXXX.your_profile_name and verify that the settings are effective from about:support (check the "Important Modified Preferences" and "user.js Preferences" sections).

If you want to be able to keep your user.js up-to-date with this repository, you can clone the latter in the main mozilla directory and create a link to the user.js file from your profile:

cd ~/.mozilla/firefox
git clone 'https://github.com/pyllyukko/user.js.git'
cd XXXXXXXX.your_profile_name
ln -s ../user.js/user.js user.js

Whenever you want to update your local copy of the repository, just use git pull and restart firefox.

Android

On Firefox for Android (Fennec), you need to drop the file to /data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name. If you use Jolla and run Firefox through Alien Dalvik, the location needs to be prefixed with /opt/alien.

See issue #14 for further details on using this user.js file with Firefox for Android.

Windows

On Windows, you need to drop the user.js file to %appdata%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name.

What does it do?

There's a whole lot of settings that this modifies and they are divided in the following sections or categories:

  • HTML5 / APIs / DOM
  • Miscellaneous
  • Extensios / plugins related
  • Firefox (anti-)features / components
  • Automatic connections
  • HTTP protocol related
  • Caching
  • UI related
  • TLS / HTTPS / OCSP related
  • Cipher suites

Some of the settings in this user.js file might seem redundant, as some of them are already set to the same values by default. However, the user.js file has this nice property, that even if you go change any of these settings through about:config, they're reset to the user.js defined values after you restart Firefox. So user.js makes sure they're back at the secure default values always when you start your browser. That way, it also makes experimenting with different settings easier.

Here are some of the "highlights" from each category. For a full list of settings and references, check the user.js file itself.

HTML5 / APIs / DOM

Miscellaneous

Extensions / plugins related

It is common for client side attacks to target browser extensions, instead of the browser itself (just look at all those Java and Flash vulnerabilities). Make sure your extensions and plugins are always up-to-date.

Firefox features

Automatic connections

HTTP

Caching

  • Permanently enables private browsing mode
  • Prevents Firefox from storing data filled in web page forms

UI related

TLS / HTTPS / OCSP related

Ciphers

This section tweaks the cipher suites used by Firefox. The idea is to support only the strongest ones with emphasis on forward secrecy, but without compromising compatibility with all those sites on the internet. As new crypto related flaws are discovered quite often, the cipher suites can be tweaked to mitigate these newly discovered threats.

Here's a list of the ciphers with default config and Firefox 27.0.1:

Cipher Suites (23 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
    Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Here's the list with this config:

Cipher Suites (8 suites)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

This is not enough!

Here's some other tips how you can further harden Firefox:

  • Keep your browser updated! If you check Firefox's security advisories, you'll see that pretty much every new version of Firefox contains some security updates. If you don't keep your browser updated, you've already lost the game.
  • Disable all unnecessary extensions and plugins!
  • Create different profiles for different purposes

Add-ons

Here is a list of the most essential security and privacy enhancing add-ons that you should consider using:

Tracking protection

Tracking protection is one of the most important technologies that you need. The usual recommendation has been to run the Ghostery extension, but as it is made by a potentially evim(tm) advertising company, some people feel that is not to be trusted. One notable alternative is to use uBlock, which can also be found at Mozilla AMO.

Ghostery is still viable option, but be sure to disable the GhostRank feature.

Do note, that this user.js also enables Mozilla's built-in tracking protection, but as that's quite new feature it is to be considered only as a fallback and not a complete solution. As it utilizes Disconnect's list, recommending Disconnect seems redundant.

So to summarize, pick one between Ghostery and uBlock, depending on your personal preferences.

See also:

Add-ons for mobile platforms

Online tests

HTML5test

HTML5test

Here's a comparison of the various supported HTML5 features between recent Firefox with these settings, stock Firefox and the Tor Browser:

Comparison user.js version Firefox version Firefox baseline Tor Browser
https://html5test.com/compare/browser/614ecc2640198302/firefox-35/24a094263fa9f301.html 3041fb7204f2547a34083fba7db2009929ed2326 36.0.1 35 4.0.4

Known problems

There are plenty! Hardening your browser will break your interwebs. Here's some examples:

  • If you get "TypeError: localStorage is null", you probably need to enable local storage (dom.storage.enabled == true)
  • If you get "sec_error_ocsp_invalid_signing_cert", it probably means that you don't have the required CA
  • If you get "ssl_error_unsafe_negotiation", it means the server is vulnerable to CVE-2009-3555 and you need to disable security.ssl.require_safe_negotiation (not enabled currently)
  • If you set browser.frames.enabled to false, probably a whole bunch of websites will break
  • Some sites require the referer header (usually setting network.http.sendRefererHeader == 2 is enough to overcome this and the referer is still "spoofed")
  • The IndexedDB is something that could potentially be used to track users, but it is also required by some browser add-ons in recent versions of Firefox. It would be best to disable this feature just to be on the safe side, but it is currently enabled, so that add-ons would work. See the following links for further info:
  • Firefox Hello requires WebRTC, so you'll need to enable media.peerconnection.enabled & media.getusermedia.screensharing.enabled and apparently disable security.OCSP.require.
  • Captive portals might not let OCSP requests through before authentication, so setting security.OCSP.require == false might be required before internet access is granted
  • DNT is not set, so you need to enable it manually if you want (see the discussion in issue #11)
  • The network.http.referer.spoofSource and network.http.sendRefererHeader settings seems to break the visualization of the 3rd party sites on the Lightbeam extension
  • You can not view or inspect cookies when in private browsing (see https://bugzil.la/823941)

The web console is your friend, when websites start to break.

CAs

It all started when I read this blog post...

So another part of my browser hardening was to somehow reduce the number of CAs trusted by my browser. First I thought I would sniff all the HTTPS connections and extract the certificates from there, to get the list of CAs I really need.

Then I came up with an better idea. I'd use certpatrol to record the certs from the HTTPS sites I visit. There was just one problem, certpatrol only stores the fingerprint of the issuer cert, which is usually a intermediate CA. So I needed to get the root CA of the intermediate CA. The solution for this to use Firefox's cert8.db to extract the intermediate CAs and get the issuer (root CA) from there.

So I wrapped up a script that uses the certpatrol's SQLite DB and Mozilla's certutil to establish a list of required root CAs from the HTTPS sites that you have visited.

There's also a ready made list built in into the script, that has 24 root CAs in it. With this list of CAs you should already be able to browse the web quite freely. Of course there might also be some geographical variations as to what CAs "are required" for normal use.

Examples

Do note, that in order for all this to work, you MUST remove or rename Firefox's default CA list that is stored inside libnssckbi.so as described here.

Check the current list of CAs in cert8.db

cas.sh -P ~/.mozilla/firefox/XXXXXXXX.current_profile -r

Import CAs

First check which CAs would be imported (dry-run):

cas.sh -p ~/.mozilla/firefox/XXXXXXXX.reference_profile -A

Then import the required CAs to new profile:

cas.sh -p  ~/.mozilla/firefox/XXXXXXXX.reference_profile -P ~/.mozilla/firefox/XXXXXXXX.new_profile -a

Verify that it worked

After you have run the script, verify from Firefox's certificate settings, that the list is indeed limited:

Firefox certificates

The default list

This is the default CA list, that you can use. It should be enough for basic use for the most biggest/popular sites. Of course this still depends on where you are located and what sites/services/etc. you use. If you know some popular site, that is not accessible with this root CA list, please let me know and I'll consider adding it to the list.

Root CA Used by
AddTrust External CA Root https://www.debian.org/
Baltimore CyberTrust Root
COMODO Certification Authority
Deutsche Telekom Root CA 2
DigiCert High Assurance EV Root CA https://www.facebook.com/
DigiCert Global Root CA https://duckduckgo.com/
Entrust.net Secure Server Certification Authority
Entrust.net Certification Authority (2048)
Entrust Root Certification Authority https://www.ssllabs.com/
Equifax Secure Certificate Authority
GTE CyberTrust Global Root
GeoTrust Global CA https://www.google.com/
GlobalSign Root CA https://www.wikipedia.org/
Go Daddy Class 2 Certification Authority
Go Daddy Root Certificate Authority - G2
Starfield Class 2 Certification Authority https://tools.ietf.org/
StartCom Certification Authority
UTN-USERFirst-Hardware
ValiCert Class 2 Policy Validation Authority
VeriSign Class 3 Public Primary Certification Authority - G3 https://www.mysql.com/
VeriSign Class 3 Public Primary Certification Authority - G5 https://twitter.com/
thawte Primary Root CA
thawte Primary Root CA - G3
SecureTrust CA

How to use the default list

Import the default CA list with:

cas.sh -C -P ~/.mozilla/firefox/XXXXXXXX.new_profile -a

TODO

Contributing

Yes please! All issues and pull requests are more than welcome. Please try to break down your pull requests or commits into small / manageable entities, so they are easier to process. All the settings in the user.js file should have some official references to them, so the effect of those settings can be easily verified from Mozilla's documentation.

References