Mozilla Firefox Privacy and Security (about:config)

Andreas

Mozilla Firefox Privacy and Security (about:config)

Post by Andreas »

In this topic I am going to share some about:config settings for Mozilla Firefox version 89.0 for better privacy and security while browsing.


1. SSL configuration for secure browsing: disable weak cipher suites.
Enable forward secrecy.

security.ssl3.rsa_aes_128_gcm_sha256 -> False
security.ssl3.rsa_aes_256_gcm_sha384 -> False
security.ssl3.ecdhe_ecdsa_aes_128_sha -> False
security.ssl3.ecdhe_rsa_aes_128_sha -> False
security.ssl3.rsa_aes_128_sha -> False
security.ssl3.rsa_des_ede3_sha -> False
security.ssl3.ecdhe_ecdsa_aes_256_sha -> False
security.ssl3.ecdhe_rsa_aes_256_sha -> False
security.ssl3.rsa_aes_256_sha -> False

2. Require Safe Negotiation – This setting prevents a serious code injection attack related to how clients and servers negotiate which encryption settings to use. It forces only safe negotiation methods to be used. ( https://cve.mitre.org/cgi-bin/cvename.c ... -2009-3555 )

security.ssl.require_safe_negotiation -> True

3. Disable 0-RTT – Zero Round Trip Time Resumption (0-RTT) is a feature new in TLS 1.3 that allows a client and server to negotiate a connection with fewer steps, allowing HTTPS websites to load more quickly. There are two problems with this. First, in order to do this you lose forward secrecy (generating a new key for every session and throwing away the key when the session is over). Secondly, 0-RTT requires special implementation in order to prevent replay attacks, which some web developers will certainly fail to protect against. Disabling 0-RTT enhances security and privacy.
(https://datatracker.ietf.org/doc/html/d ... #section-8 )

security.tls.enable_0rtt_data -> False

4. Disable TLS False Start

This is because it does not allow the client to fully complete its handshake before starting the actual session. There is more info here from the IETF: https://tools.ietf.org/html/rfc7918#section-4 (See section 5. Security Considerations)

security.ssl.enable_false_start -> False

5. Disable Session Identifiers (HIDDEN FEATURE)
https://www.zdnet.com/article/advertise ... esumption/
security.ssl.disable_session_identifiers -> True

6. The Delegated Credentials mechanism decentralizes the problem by allowing a TLS server to issue short-lived authentication credentials (with a validity period of no longer than 7 days) that are cryptographically bound to a CA-issued certificate. These short-lived credentials then serve as the authentication keys in a regular TLS 1.3 connection between a Firefox client and a CDN edge server situated in a low-trust zone (where the risk of compromise might be higher than usual and perhaps go undetected). This way, performance isn’t hindered and the compromise window is limited.

Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called "Delegated Credentials for TLS."

Delegated Credentials for TLS is a new simplified way to implement "short-lived" certificates without sacrificing the reliability of secure connections.

In short, the new TLS protocol extension aims to effectively prevent the misuse of stolen certificates by reducing their maximum validity period to a very short span of time, such as a few days or even hours.

security.tls.enable_delegated_credentials -> True
security.tls.enable_post_handshake_auth -> True

Find the TLS Hello downgrade check and make sure to deactivate it, since your online surfing does not need an encryption downgrade when the site you try to visit uses low-grade encryption; this can ultimately also be used as a downgrade attack, i.e. a low-encryption attack, so don't accept it, as it will send Hello bounces when in fact this is a waste of network bounces just to get TLS queries.

security.tls.hello_downgrade_check -> False

7. Disable All Disk Caching – Websites can write temporary information to hard drives, such as access tokens, security keys, browsing data, secure scripts, and more. This information is usually deleted after a secure session is terminated; however, deleted information is trivially recoverable if it is not overwritten. Complicated firmware and drivers for flash-memory-based devices like SSDs introduce features like wear leveling that hide components of the storage from the OS entirely, making it very hard to verify that deleted information is actually deleted in an unrecoverable way.

browser.cache.offline.enable -> False
browser.cache.disk.enable -> False
browser.cache.disk_cache_ssl -> False
browser.cache.memory.enable -> False
browser.cache.insecure.enable -> False

Disable Plugin Scanning – Plugins can query which extensions and plugins you have installed in Firefox in order to profile users. Disabling this feature improves both privacy and functionality while browsing privately.

plugin.scan.plid.all -> False

8. Enable HTTPS

dom.security.https_only_mode -> True
dom.security.https_only_mode.upgrade_local -> True
dom.security.https_only_mode_ever_enabled -> True
dom.security.https_only_mode_ever_enabled_pbm -> True
dom.security.https_only_mode_pbm -> True
dom.security.https_only_mode_send_http_background_request -> False

9. Disable WebGL – WebGL is an application interface that allows websites direct access to your graphics card. This introduces a huge attack surface for potential security risks as well as unique types of fingerprinting. It should be disabled. (Note: NoScript can also block WebGL.)

webgl.disabled -> True
webgl.disable-wgl -> True

10. Disable Prefetching – Firefox by default will pre-load all linked pages on pages that you visit. This becomes a privacy issue because it leads to your browser broadcasting a list of the links that are on the page you are currently visiting, which can allow outside parties to profile your browsing habits from your DNS traffic, or, if you’re not on a VPN, it can allow your ISP to infer what web pages you visit within secure sites by looking at the prefetched resources.

network.dns.disablePrefetch -> True
network.predictor.enabled -> False
network.prefetch-next -> False

11. Disable WebRTC – WebRTC is a protocol related to digital rights management that helps content websites track users. It has the capability to give up your real IP address even while connected to a VPN or Tor.

media.peerconnection.video.vp9_enabled -> False
media.peerconnection.identity.enabled -> False
media.peerconnection.dtmf.enabled -> False
media.peerconnection.enabled -> False
media.peerconnection.use_document_iceservers -> False
media.peerconnection.video.enabled -> False
media.peerconnection.identity.timeout -> 1
media.getusermedia.screensharing.enabled -> False
media.peerconnection.turn.disable -> True
media.peerconnection.ice.default_address_only -> True

12. Disable ALL Telemetry Features / Data report / Additional analytics
browser.newtabpage.activity-stream.feeds.telemetry -> False
browser.newtabpage.activity-stream.telemetry -> False + Blank Url Pages
browser.newtabpage.activity-stream.filterAdult -> False
browser.newtabpage.activity-stream.feeds.section.topstories -> False
browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts -> False
browser.newtabpage.activity-stream.showSponsored -> False
browser.newtabpage.activity-stream.feeds.discoverystreamfeed -> False
browser.tabs.crashReporting.sendReport -> False
toolkit.telemetry.archive.enabled -> False
toolkit.telemetry.bhrPing.enabled -> False
toolkit.telemetry.firstShutdownPing.enabled -> False
toolkit.telemetry.newProfilePing.enabled -> False
toolkit.telemetry.pioneer-new-studies-available -> False
toolkit.telemetry.reportingpolicy.firstRun -> False
toolkit.telemetry.shutdownPingSender.enabled -> False
toolkit.telemetry.server -> Blank Url
toolkit.telemetry.unified -> False
toolkit.telemetry.updatePing.enabled -> False
breakpad.reportURL -> Blank Url
browser.ping-centre.telemetry -> False
dom.ipc.plugins.flash.subprocess.crashreporter.enabled -> False
dom.ipc.plugins.reportCrashURL -> False
datareporting.healthreport.uploadEnabled -> False
datareporting.policy.dataSubmissionEnabled -> False
datareporting.healthreport.infoURL -> Blank Url
browser.tabs.crashReporting.sendReport -> False
beacon.enabled -> False

13. Perhaps you have come across some bad sites that have code embedded in images; news of these is becoming the norm in legacy hacking, and the digital world has brought this to your attention. It offers only hardship for those who have fallen victim to these heinous acts to rob people of their devices, just because nothing is secure on the site or because bad actors are now aware that these vulnerabilities can be exploited to harm or take over your device.

It's good that there are always improvements, that we demand a healthier internet and fight these circumstances, and that we ask those who run these sites to keep up with healthier internet surfing by asking developers and any site owner to stop using mixed content. It's good that Firefox offers this option to block mixed content, so there is no need to use third-party extensions for it.

security.mixed_content.block_display_content -> True
security.mixed_content.block_object_subrequest -> True
security.mixed_content.upgrade_display_content -> True

14. Encrypted Client Hello (if you use DNS)
https://blog.mozilla.org/security/2021/ ... n-firefox/
network.dns.echconfig.enabled -> True
network.dns.use_https_rr_as_altsvc -> True

15. This limits the number of entries in your DNS cache, which can give someone who has access to your computer a list of websites you visited. http://kb.mozillazine.org/About:config_entries#Network.

network.dnsCacheEntries -> 100 or 200

16. Disable link mouseover opening a connection to the linked server
https://news.slashdot.org/story/15/08/1 ... t-requests

network.http.speculative-parallel-limit -> 0

17. This renders IDNs as punycode (https://en.wikipedia.org/wiki/Punycode), which, if not set, may leave you vulnerable to hard-to-notice phishing attacks (https://krebsonsecurity.com/2018/03/loo ... more-42636).

network.IDN_show_punycode -> true

18. This makes websites only able to see "English" and not your set language, for enhanced privacy.

privacy.spoof_english -> 2

19. This prevents accessibility services from accessing your browser.
https://wiki.mozilla.org/Electrolysis/A ... references

accessibility.force_disabled -> 1

20. This makes Firefox send the target URL as the referer. https://wiki.mozilla.org/Security/Referrer

network.http.referer.spoofSource -> true

21. Controls how much referrer to send across origins
values:
0 = (default) send the full URL
1 = send the URL without its query string
2 = only send the origin

network.http.referer.XOriginTrimmingPolicy -> 2

22. Controls whether or not to send a referrer across origins
values:
0 = (default) send the referrer in all cases
1 = send a referrer only when the base domains are the same
2 = send a referrer only on same-origin

network.http.referer.XOriginPolicy -> 1

23. This clears cookies at the end of each browser session. https://developer.mozilla.org/en-US/doc ... references

network.cookie.lifetimePolicy -> 2

24. This preference controls when to store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data. http://kb.mozillazine.org/Browser.sessi ... vacy_level

0 = Store extra session data for any site. (Default starting with Firefox 4.)
1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)
2 = Never store extra session data.

browser.sessionstore.privacy_level -> 2

25. This prevents websites from messing with the context menu.

dom.event.contextmenu.enabled -> false

26. This disables playback of DRM-controlled content, which automatically downloads the Widevine Content Decryption Module by Google. https://support.mozilla.org/en-US/kb/en ... -downloads

media.eme.enabled -> false

27. Disable preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types into the address bar, which is a concern if URLs are suggested that the user does not want to connect to.
https://www.ghacks.net/2017/07/24/disab ... lete-urls/

browser.urlbar.speculativeConnect.enabled -> false

28. Prevent websites from getting notified when you copy, paste, or cut something from a web page, which also lets them know which part of the page was selected.

dom.event.clipboardevents.enabled -> false

29. This disables the Widevine Content Decryption Module.

media.gmp-widevinecdm.enabled -> false

30. This prevents websites from being able to track your webcam and microphone status.

media.navigator.enabled -> false

31. Display all parts of the URL in the location bar

browser.urlbar.trimURLs -> False

32. Disable location bar domain guessing

browser.fixup.alternate.enabled -> False

33. Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs.

browser.sessionstore.max_tabs_undo -> 0

34. Limiting (or disabling) HTTP authentication credential dialogs triggered by sub-resources hardens against potential credential phishing.

0 = don't allow sub-resources to open HTTP authentication credentials dialogs
1 = don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs
2 = allow sub-resources to open HTTP authentication credentials dialogs

network.auth.subresource-http-auth-allow -> 1

35. Limit events that can cause a popup

dom.popup_allowed_events -> click dblclick mousedown pointerdown

36. Disable the UITour backend so there is no chance that a remote page can use it

browser.uitour.enabled -> False

37. Prevent websites from getting notified when you copy, paste, or cut something from a web page, which also lets them know which part of the page was selected.
https://developer.mozilla.org/en-US/doc ... ts.enabled

dom.event.clipboardevents.enabled -> False

38. This setting controls whether the option "Display in Firefox" is available in the setting below,
and in effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With").
PROS: pdfjs is lightweight, open source, and as secure/vetted as any PDF reader out there (more than most).
Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.

pdfjs.enableScripting -> False
Last edited by barbaz on Thu Jun 17, 2021 12:08 pm, edited 1 time in total.
Reason: By request
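Items 21 and 22 above describe network.http.referer.XOriginTrimmingPolicy and network.http.referer.XOriginPolicy only by their numeric values. The following Python model, added here as an illustration and not part of the original post, computes the Referer value a page would send for each value combination; it assumes a simplified base-domain rule (last two host labels, where Firefox uses the Public Suffix List) and ignores the site's own Referrer-Policy header and Firefox's built-in default policy, either of which can trim further.

```python
from urllib.parse import urlsplit, urlunsplit

# Pref values as listed in items 21 and 22 of the post.
XORIGIN_POLICY = {0: "always send", 1: "same base domain only", 2: "same-origin only"}
TRIMMING_POLICY = {0: "full URL", 1: "drop query string", 2: "origin only"}


def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def base_domain(host):
    # Assumption: base domain = last two labels. Firefox uses the Public Suffix
    # List, so hosts under suffixes such as co.uk would be judged differently.
    return ".".join(host.lower().split(".")[-2:])


def referer_for(source, target, xorigin_policy=0, trimming_policy=0):
    """Return the Referer Firefox would send from `source` to `target`, or None
    when the pref combination suppresses it. Fragments are never sent."""
    s = urlsplit(source)
    full = urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))
    if origin(source) == origin(target):
        return full  # both prefs act on cross-origin requests only
    if xorigin_policy == 2:
        return None
    if xorigin_policy == 1 and base_domain(s.hostname) != base_domain(urlsplit(target).hostname):
        return None
    if trimming_policy == 2:
        return origin(source) + "/"
    if trimming_policy == 1:
        return urlunsplit((s.scheme, s.netloc, s.path, "", ""))
    return full


def compare(source, target):
    """Referer under the values the post marks as default (0, 0) versus the
    post's hardened values (XOriginPolicy 1, XOriginTrimmingPolicy 2)."""
    return {
        "default": referer_for(source, target, 0, 0),
        "hardened": referer_for(source, target, 1, 2),
    }


if __name__ == "__main__":
    # Constructed example: a shop page with a query string loading a third-party pixel.
    print(compare("https://shop.example.com/cart?item=7", "https://tracker.example.net/pixel"))
```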
barbaz

Re: Mozilla Firefox Privacy and Security (about:config)

Post by barbaz »

Nice list, thanks for sharing! I need to review some of my own config based on this.

A few comments, could you (or me if you confirm you're fine with all this) please edit the post accordingly?
[EDIT On second reading, the request to edit coming from me looks like moderation. But I'm asking that only as a regular community member who wants to improve this nice list, not as moderator in this instance.]

- Re: #5, it should specifically say that's a trade-off between privacy and performance. Because isn't security the same either way?

- Re: #9, NoScript can also block WebGL.

- Re: #12, beacon.enabled is *not* Mozilla telemetry and doesn't belong on that list. It's intended for websites to do telemetry (although in practice it is also used for non-telemetry functionality). And anyway I don't recommend that method of disabling it. Because with that method, websites that want to use sendBeacon for telemetry will just fall back to some other way to get it, resulting in worse performance for the end user with no benefit to anyone. I say it's better to leave beacon.enabled at its default value true and have NoScript or uBlock Origin block those beacons.

- #14 requires DoH, and this should be noted, but does it require Firefox's DoH implementation? Or can it work with a system-wide DNS setup that chains something like dnsmasq (that can't do DoH itself) to something like dnscrypt-proxy or fdns to provide the DoH functionality?
Andreas

Re: Mozilla Firefox Privacy and Security (about:config)

Post by Andreas »

(by barbaz) A few comments, could you (or me if you confirm you're fine with all this) please edit the post accordingly?

I have had these settings for over half a year and I can confirm everything is working fine so far.

(by barbaz) Re: #5, it should specifically say that's a trade-off between privacy and performance. Because isn't security the same either way?

Privacy and security are not the same; the words have different meanings, but you are right that these two go hand in hand.


(by barbaz) Re: #9, NoScript can also block WebGL.

Imagine, I have used NoScript for years and I forgot that! ;) No problem at all, I will leave a note at 9.

(by barbaz) Re: #12, beacon.enabled is *not* Mozilla telemetry and doesn't belong on that list......I say it's better to leave beacon.enabled at its default value true and have NoScript or uBlock Origin block those beacons.

I didn't know that, thanks for the info. I am going to change it and I suggest readers leave it as TRUE.

(by barbaz) #14 requires DoH, and this should be noted, ........ to something like dnscrypt-proxy or fdns to provide the DoH functionality?

I think it requires Firefox's DoH implementation to work...
Andreas

Re: Mozilla Firefox Privacy and Security (about:config)

Post by Andreas »

Thanks barbaz for your opinions and suggestions, you help a lot. I want to encourage readers to leave comments and share their personal opinions; only that way can we learn.
DrCR

Re: Mozilla Firefox Privacy and Security (about:config)

Post by DrCR »

This is a really nice list. Thanks for posting.
kukla

Re: Mozilla Firefox Privacy and Security (about:config)

Post by kukla »

For blocking telemetry, I have the following in a user.js in Fx 91.

Wondering if I'm missing anything really essential provided by Andreas in his about:config list? Suggestions appreciated.

Furthermore, what would be the impact, if at all, if I were to use the overlapping about:config list, even with duplicates? Would that provide anything more than the same in a user.js? In other words, is the user.js weakened or made ineffectual if the same about:config prefs are not also utilized?

user_pref("datareporting.healthreport.service.enabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.unified", false);
user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
user_pref("browser.newtabpage.activity-stream.telemetry", false);
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.server", "data:,");
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.newProfilePing.enabled", false);
user_pref("toolkit.telemetry.shutdownPingSender.enabled", false);
user_pref("toolkit.telemetry.updatePing.enabled", false);
user_pref("toolkit.telemetry.bhrPing.enabled", false);
user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
user_pref("toolkit.telemetry.coverage.opt-out", true);
user_pref("browser.ping-centre.telemetry", false);
user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "");
user_pref("toolkit.telemetry.hybridContent.enabled", false);
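Since a user.js is just a persistent way of setting about:config prefs, a small checker helps answer the overlap question above: parse the file, flag duplicate or conflicting declarations and lines that do not match the user_pref grammar, then compare the result with the values recommended in this thread. The Python below is an added example, not kukla's or barbaz's code; its sample user.js content and baseline subset are constructed for illustration.

```python
import re

# Grammar of one user.js line: user_pref("name", value);  where value is
# true/false, an integer, or a "string". A trailing // comment is tolerated.
_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;\s*(?://.*)?$'
)


def _convert(raw):
    """Turn the textual value into the Python type Firefox would store."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"')
    return int(raw)


def parse_user_js(text):
    """Return (prefs, issues). prefs maps name -> final value (last declaration
    wins, as in Firefox); issues lists duplicates and lines the grammar rejects."""
    prefs, issues, first_seen = {}, [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        m = _LINE.match(line)
        if not m:
            issues.append(f'line {lineno}: does not match user_pref("name", value); -> skipped')
            continue
        name, value = m["name"], _convert(m["value"])
        if name in first_seen:
            kind = "conflicting" if prefs[name] != value else "redundant"
            issues.append(f"line {lineno}: {kind} duplicate of {name} (first set on line {first_seen[name]})")
        first_seen.setdefault(name, lineno)
        prefs[name] = value
    return prefs, issues


def audit(prefs, baseline):
    """Compare parsed prefs with a desired baseline; report ok / mismatch / missing."""
    report = {"ok": [], "mismatch": {}, "missing": []}
    for name, want in baseline.items():
        if name not in prefs:
            report["missing"].append(name)
        elif prefs[name] != want:
            report["mismatch"][name] = (prefs[name], want)
        else:
            report["ok"].append(name)
    return report


# Constructed sample (not kukla's file): one conflicting duplicate and one
# line that is missing its semicolon.
SAMPLE_USER_JS = """\
// hardening prefs
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.server", "data:,");
user_pref("toolkit.telemetry.unified", true);
user_pref("datareporting.healthreport.uploadEnabled", false)
user_pref("network.dnsCacheEntries", 100);
"""

# Subset of the values recommended in this thread (beacon.enabled left true, as barbaz advised).
BASELINE = {
    "toolkit.telemetry.unified": False,
    "datareporting.healthreport.uploadEnabled": False,
    "network.dnsCacheEntries": 100,
    "beacon.enabled": True,
}

if __name__ == "__main__":
    prefs, issues = parse_user_js(SAMPLE_USER_JS)
    for issue in issues:
        print("issue:", issue)
    print(audit(prefs, BASELINE))
```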
barbaz

Re: Mozilla Firefox Privacy and Security (about:config)

Post by barbaz »

kukla wrote: Sat Aug 21, 2021 2:21 pm Wondering If I'm missing anything really essential provided by Andreas in his about:config list? Suggestions appreciated.
datareporting.healthreport.uploadEnabled is the most important pref in that list. toolkit.telemetry.server should be blank as suggested, so that it's a "falsy" value.

I don't know if the Pocket-related and advertising/sponsored stuff Andreas' list disables would also do its own telemetry.
kukla wrote: Sat Aug 21, 2021 2:21 pm Furthermore, what would be the impact, if at all, if I were to use the overlapping about:config list, even with duplicates? Would that provide anything more than the same in a user.js? In other words, is the user.js weakened or made ineffectual if the same about:config prefs are not also utilized?
user.js IS about:config, just a bit more persistent way to set a pref than just using about:config.
kukla wrote: Sat Aug 21, 2021 2:21 pm user_pref("toolkit.telemetry.enabled", false);
Does this actually work? That pref is locked in Firefox and I thought it could only be changed by enterprise policies or by patching and building Firefox from source.
kukla

Re: Mozilla Firefox Privacy and Security (about:config)

Post by kukla »

Thanks barbaz,

>>datareporting.healthreport.uploadEnabled is the most important pref in that list. toolkit.telemetry.server should be blank as suggested, so that it's a "falsy" value.

Have added those two to about:config

>>I don't know if the Pocket-related and advertising/sponsored stuff Andreas' list disables would also do its own telemetry.

Will look into the pocket related ones

>>-user_pref("toolkit.telemetry.enabled", false); seeing that that one is locked in about:config, so no idea if the user.js pref has any effect.

As you say, it shows as locked in about:config, but perhaps it works as a user.js pref. I suppose its presence there can't hurt.