[ale] nailing down firefox security and privacy - PT 1

Michael B. Trausch mike at trausch.us
Wed Oct 12 11:22:34 EDT 2011


On 10/11/2011 05:38 PM, Ron Frazier wrote:
> I've been spending a good bit of time recently upgrading and configuring 
> Firefox because Pandora decided it wasn't going to work after an upgrade 
> they did.  I was on Firefox 3.2.? and was holding back upgrading because 
> of some UI changes in the new Firefox as well as some plugin 
> compatibility problems.  Eventually, I had to bite the bullet and 
> upgrade.  As I've mentioned in other posts, I like to keep my shields at 
> the paranoid level, whether I'm running Windows or Linux.  In fact, I 
> run my Firefox configurations exactly the same on both systems, so this 
> applies to this group.  There are a number of security and privacy 
> settings which come into play with Firefox, and it's not always obvious 
> how to set them.  I'm going to explain how I set mine up in order to 
> maintain a high level of security as well as a decent level of 
> functionality.  There are also a number of handy plugins which I will 
> explain.  Hopefully, the research I've done will help others who want to 
> keep their shields high.  Some of you may already know this stuff, but 
> some others probably don't.  I have to relate a number of options 
> settings.  This will be a bit difficult in text, but bear with me.

I have said it before, and I will say it again:  The only way to "keep
the shields high" is to provide education.  Technology (in particular,
things like you advocate here) can *not* save users from anything.

Something has been bugging me the past month or two.  Ron called me
(anonymously) "unethical" a while back on the list (though he didn't
name me in particular).  I'll provide a bit of context so that the rest
of the group can recall.  But before I do, I'm going to say this:  I
find this brand of advice to, itself, be unethical.  It propagates the
mindset that technology can solve our problems better than education,
and actively serves to lower the collective expectations of not only
end-users, but that of IT support people like myself who then have to do
even more hard work to try to get people to understand that they are the
key, not the software that is running on their computer.  This way of
thinking costs me time and money simply because people are given a false
sense of security and truly believe that the technology will save them.
It is wrong to teach this to people because it is, and it ALWAYS WILL
BE, patently false.

At one of the recent meetings, I was talking about how I had an open
wireless network, and how people who were unwelcome and used it were
redirected to a rather gruesome site, regardless of what they were
aiming for.  Ron called this "unethical".  Seeing as one must first be
unethical and steal my bandwidth in order to get to the thing, I fail to
understand how that is unethical.  It is my personal, paid-for bandwidth
and equipment, and I can configure and use it in any way I desire as
long as I cause nobody harm.  If someone causes harm to his or her self
by using my equipment (indeed, by unethically using my bandwidth), well,
them's the spoils.  It is unethical to steal.  Back when I was running
an open network (because I had devices that literally were unable to
perform secure encryption and I failed to see the point of WEP), if
someone would have asked me to use my network I would have quite likely
allowed it.  I had no reason *not* to allow it.  But you can't just join
my network and use it without permission.

It seems that Ron thinks that an open wireless network somehow conveys
implicit permission to use it---and this is a problem with a lot of
society.  They think the same thing.  They think that if there isn't a
safeguard in place on something that they have the entitlement to go
through it.

You know, there was a time when one could forget one's keys in their
ignition and the car would, with a very high degree of probability,
still be there when you got back to it.  Today this doesn't happen.  A
few months ago, I encountered a car for sale in a parking lot not far
from my home.  The car was unlocked, and it had the keys in the
ignition.  I called the number on the "for sale" sign in the window, and
let the guy know that the keys were still in the ignition and that the
car was unlocked.  He was genuinely surprised that I did that.  Why?
Because we expect people in today's society to generally suck, that's
why.  I, too, would be surprised to receive such a phone call.  People
feel that they are entitled to whatever they find, these days,
regardless of where they found it.  An open network connection, an iPod
in an unlocked (or hell, even a locked) car, whatever.  It is
disgusting.  Our society is full of truly unethical elements.

And no, for the record, I don't feel that it is in any way unethical to
do what I did, and if I were to, for whatever reason, be compelled to
run an open network again, I would do the very same thing that I did
before.  It accomplished a very real goal:  Unwelcome people only ever
joined my wireless network a single time.  They never, ever came back.
It served its purpose, and it entertained me in the process.  I see
absolutely nothing wrong with that at all.

> While not directly related to Firefox, I strongly recommend using the 
> OpenDNS ( http://opendns.com ) system to resolve your domain names.  
> They automatically apply phishing protection to all DNS queries as far 
> as I know.  If you desire to, you can also filter certain sites based on 

I would strongly recommend that people NOT use OpenDNS.  Why?  Because:

 * They break the DNS standard.  They do not return NXDOMAIN when they
   should.  Unfortunately, a fair number of ISPs engage in this
   destructive behavior as well.  This means that when you ping a
   non-existent site, you actually wind up pinging a machine that is
   alive and well and getting an erroneous result.  This is bad.

   Such behavior also breaks SSL sessions in certain circumstances and
   gives users a far more cryptic error than "the server appears to be
   down".  In the normal circumstance, a downed server or domain results
   in an error saying that it wasn't found.  In the case of using one
   of these broken DNS servers and encountering a downed domain (or one
   mistakenly identified as "bad", FSVO "bad"), you instead get a
   very nasty message in your Web browser saying that your security
   is in danger.

 * They are a blacklist.  Blacklists contain errors.  More on that
   below.

 * They actively go through the data they collect, such as what users
   are visiting what sites.  They can use that information to "improve"
   their database.  More to the point, I don't trust them to not misuse
   that information.  Do you?

 * Even more to the point, do you think that the people you advocate
   OpenDNS to are even capable of making the realization that they are
   engaging in a decision that indicates that they trust the system
   and the people behind it not to screw them in some way?

> Now, on to Firefox.  The latest version is 7.0.1.  You should have this 
> or later once you upgrade or install anew.  They've been ramping the 
> versions up very fast lately.  The big thing in UI design these days 
> seems to be to eliminate the menus.  Personally, I hate this design.  
> So, the first thing I do in this case is to turn the menus back on.  
> Firefox will have a little orange "Firefox" button in the upper left.  
> Click that, hover over options, and check menu bar to turn it on.  You 
> should now have a menu.  You can select help, about to check the version 
> number.  In some systems, you will see a check for updates button in 
> this window.  Click View, hover over toolbars, and turn on the Add-on 
> bar, if it's not already on.  You can rearrange buttons in Firefox by 
> clicking on the empty area to the right of the menu and clicking 
> customize.  You can then move things like the back and forward buttons 
> around, or drag things from the dialog box to the menu areas or add-on bar.

Minor technical nit, here:  I've always had to enable the streamlined
menu.  I don't understand why you dislike it, but I find it to be more
efficient, and it does yield more (albeit only slightly) real-estate to
the browser window.

> My objective is to configure Firefox so there is no unauthorized 
> scripting, little or no unauthorized tracking, little or no unauthorized 
> storage of information on my PC, and no unauthorized pop-ups.

I am sure that you realize that this is completely impossible without
causing damage to the user experience.  Even if you get an end user to
install all the cruft, you will find yourself (or people like me, find
ourselves) supporting these users and having to explain to them that
it's their software that is causing the problem.  Then they want to know
why their software isn't smart enough to just do what they mean.  They
then want to know why they have to know anything about the whole bloody
mess, when all they want to do is get to their stupid games on Facebook.

> A new installation of Firefox should not have any accumulated history.  
> However, an upgrade might.  If you want to start with a clean slate, 
> clear all your history as follows.  Click Tools, click Clear Recent 
> History, select Everything in the drop down box.  Below, you can observe 
> check marks which show what will be cleared.  All should be checked.  
> Click Clear Now.  Note, if some of the sites you've been using depend on 
> history or preferences, you'll have to reset them.

Great way to lock people out of their accounts, this is.  A lot of
people rely on their Web browser to store their credentials for them.
Tell them to do this and they'll be fighting for a long time (and
usually unnecessarily frustrated while doing so) getting password resets
done for them on all of their common things like Facebook or their
bank/credit card/whatever sites.  Especially those stupid sites that
think that the lack of a cookie means that you have to go through
special verification processes.

> Block pop-up windows - ON (or checked)

That is the default.

> Enable JavaScript - ON (Disabling would be more secure and safer, but 
> many websites would break.  We'll deal with this using the NoScript plugin.)

NoScript isn't a solution, either.

> Click the Advanced button beside the JavaScript line and set these options.
> 
> Allow scripts to:
> 
> Move or resize existing windows - OFF (or unchecked)
> Raise or lower windows - OFF
> Disable or replace context menus - OFF

Most excellent.  Now software like Redmine won't work.  Congrats!

> Remember my download history - OFF (You could turn this on if desired.)

What does this accomplish?

> Remember my search and form history - OFF  (   ditto  )

What does this accomplish?

> Clear history when Firefox closes - ON

What does this accomplish?  The so-called "awesome bar" is a lot more
useful to users when their history is kept.  So by doing this, you
effectively disable the additional (and quite useful) functionality.

> Click the Security tab.  Set the following.
> 
> Warn me when sites try to install addons - ON

This is the default.

> Block reported attack sites - ON
> Block reported web forgeries - ON

I have only ever encountered false positives with these settings; I view
them as useless.

> Remember passwords for sites - OFF (I prefer to remember my own 
> passwords or have something like Lastpass do it.)

You're in the minority, unfortunately.

> Use a master password - ON (Then complete the dialog box to set it.)

Why do that if you're not saving passwords in Firefox?

> Click OK to save all the options and dismiss the options screen.
> 
> Now, open a blank browser tab.
> 
> Type about:permissions in the web address blank and hit enter.
> 
> You will get a screen which allows you to set the default permissions 
> for sites as well as override them for specific sites.  Click the All 
> Sites line in the upper left.  Set the default permissions as follows.
> 
> Store passwords - BLOCK

Again, you're in the minority.  I have never managed to convince anyone
not to use the built-in password storage.

> Share location - BLOCK

What's wrong with "Always Ask"?  Most people ignore the request anyway,
and the rest often say no when asked.

> Set cookies - ALLOW FOR SESSION
> Open Pop-up windows - BLOCK
> Maintain offline storage - BLOCK

What does this truly accomplish, other than a false sense of security?

> You can now close this tab, or go to another web page.
> 
> That's it for the basic Firefox configuration, but we're just 
> beginning.  In the next post, I'll talk about how to set up the NoScript 
> and Ghostery plugins.  I hope to complete the other posts tonight and 
> tomorrow.

NoScript, and plugins like it, are nice in theory.  In practice most
users view them as a burden and something else that they have to manage.

It is far easier to get people to understand that they shouldn't just
click every single stupid link in their email, on the Web, or in a program.

That said, there is very little *true* problem with running JavaScript.
Today's Web developers require JavaScript be enabled.  After all, we
can even have that on phones these days.

If we were running Python in the browser, that'd be a little bit
different since there is (at least to my knowledge) no truly sandboxed
version of Python available.  But JavaScript is virtually always
sandboxed, and cannot do any real harm to your system.

Keeping a computer secure is all about what the person sitting at the
keyboard knows, not about what software is running on the computer.  It
has always been this way and it will always continue to be this way.
Educate users; tell them why they shouldn't go browsing every possible
link they find, give them an idea of what types of sites can be trusted
versus not trusted, tell them why they should have some idea of what is
on the other end and whether or not they should trust it.

And tell them why they shouldn't have ad blocking software installed,
too.  People keep that shit up, we'll have to pay for everything on the
Internet out of our wallets, instead of just the things that aren't
ad-supported.  I suspect that you disagree with me on that, too.
Wouldn't surprise me, when I had heavy traffic to my blog and I had
Google AdWords on it (hey, they're quite non-intrusive), I had something
like 99% of people blocking the ads.  Everybody expects something for
nothing these days.

	--- Mike
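A check for the NXDOMAIN-rewriting behaviour described in the OpenDNS bullets above, added here as an example and not part of the original email: it resolves a few random labels that cannot exist (assumed to be random 16-character labels directly under .com) and reports whether the resolver answers them anyway, and with which sink address. The `resolve` callable is an assumption of this example so the check can be exercised against a stub as well as the OS resolver.

```python
import random
import socket
import string

# Assumption: a random 16-character label directly under .com does not exist,
# so an honest resolver must answer NXDOMAIN for it.
PROBE_SUFFIX = "com"

def random_probe_name(suffix=PROBE_SUFFIX, length=16, rng=random):
    """Build a throwaway hostname that should never resolve."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(rng.choice(alphabet) for _ in range(length))
    return f"{label}.{suffix}"

def system_resolve(name):
    """Resolve with the OS resolver: sorted addresses, or [] on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def detect_nxdomain_rewriting(resolve=system_resolve, probes=3):
    """Probe several names that cannot exist and see whether the resolver
    answers them anyway.

    resolve(name) must return a list of addresses, or [] for a real NXDOMAIN
    (that is what system_resolve does; a stub can be passed in for testing).
    The result records the sink addresses so the finding can be logged; a
    rewriting resolver normally points every bogus name at one sink host.
    """
    answered = {}
    for _ in range(probes):
        name = random_probe_name()
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    if not answered:
        return {"rewriting": False, "consistent_sink": None, "sink_addresses": []}
    first = next(iter(answered.values()))
    return {
        "rewriting": True,
        "consistent_sink": all(addrs == first for addrs in answered.values()),
        "sink_addresses": sorted({a for addrs in answered.values() for a in addrs}),
    }

if __name__ == "__main__":
    # Run against the resolver configured on this machine.
    print(detect_nxdomain_rewriting())
```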
