Securing Firefox against Mozilla’s Google and privacy issues

Updates 4-14-2017: Mozilla now publishes instructions on keeping Firefox from making any automatic connections at all, useful when you need a machine that makes no connections you don’t explicitly ask it to. When this is necessary, best practice is to set the clock forward one day with the browser not running, start Wireshark, then start Firefox with the homepage set to about:blank. No data should be sent or received. Do this again at every browser update, as new “services” seem to constantly be added!

First up on a new install is to disconnect from Google and their trackers: be sure to “clear all cookies” immediatly after a new install, disable all of the Google anti-phishing filters, then clear all cookies again. Go to “preferences” and uncheck “block reported attack sites” and “block reported web forgeries” to disconnect this Google service from your browser. Make sure the Google “prefs” cookie does NOT reappear or the browser is unsafe. If you use Google’s phishing filter, Google gets a list of every website you visit! Having disconnected this filter Google no longer gets that list, but you should avoid ever banking or shopping online with no phishing filter at all. Best solution is to avoid those anyway, but if you cannot the use of two different machines is recommended: one for banking etc, one for everything else.

Another serious security hole in Firefox (shared with many other browsers) is geolocation. Geolocation is dangerous, as it allows a malicious website to determine your location. Firefox in recent versions by default allows websites to use Geolocation and connect to a Google database to do so. Google’s own Chrome browser includes a feature buried in preferences to disable this, in Firefox you have to go to about:config and click past the “void your warranty” box to get to this option.

Go to about:config , enter “geo” in the search box, and disable it. Do do this, go to geo.enabled , click on the word “true” and set it to “false.” then, as a further precaution, go to geo-wifi-url and set it to “about:blank” replacing Google’s site they set up by sniffing everyone’s wi-fi.

Next, still in about:config, enter “keyword” in the search bar, set keyword.enabled to “false” to disable prefetch and automatic Google searches of invalid URL’s. Google LOGS ALL THESE SEARCHES and may log every word you type if location bar suggestion is also enable, so be sure to disable that from “preferences.”

Finally, enter “prefetch” in the search bar of about:config and set network.prefetch-next to “false” to prevent individual typed characters from bringing attempts to search for/connect to whatever URL that might go to. In Chrome prefetch generates logged content on Google, assume the same in Firefox.

The above privacy threats are actually worse in Firefox than in Chrome, as they are harder to find for the purpose of disabling them. Mozilla is now coming under fire for bloating Firefox with bullshit like compiled-in support for the “pocket” extension, a commercial service that replaces locally downloading saved pages with unsafe cloud storage. Unknown what this hard to remove extension does when no Pocket account exists, but it can be disabled in about:config by setting every string that “pocket” brings up to a blank string and every boolean option to “false.” It can be removed in any case by removing relevant files from the Firefox install directory, but this has to be repeated every time Firefox is updated.

Update 4-14-2017Not sure if two URLs mentioned in paragraph below are still unblockable in Firefox, as that would be incompatable with Mozilla’s instructions for stopping all automatic connections.
Update Dec 18,2015: recent versions of Firefox have a lot of “telemetry” functions that phone home to Mozilla built in. There are so many of them that the best way to disable them is to fire up Wireshark first, then start the browser with the homepage having been previously set to about:blank. You will want to block every URL that comes up. Most can be cut off by replacing them with blank strings in about: config (use the URL as the filter to bring them up) but as of now at least one will have to be blocked in /etc/hosts. If you are running Linux, add these two lines to the file /etc/hosts :

127.0.0.1 aus4mozilla.org
127.0.0.1 mxr.mozilla.org

These are auto-update URLS, and unlike the extension auto-updating that Mozilla themselves gives instructions for disabling in about:config, these two can only be blocked in /etc/hosts or at the firewall. Only extensions can be set to auto-update in Linux, yet the browser will connect once a day to these URLS. Any auto-updating can be dangerous on a laptop because it could allow an adversary to get a list of most or all of the wifi hotspots you connect to the Internet from.

Having done these things, close your browser, clear Wireshark’s list of IP addresses, then start the browser again. When you can open the browser without any connections showing up in Wireshark until you visit a website, you have protected yourself against Mozilla or anyone else gettting a list of every website you visit by “monetized” browser anti-features. Presumably you could do this even in Chrome by simply adding all the offending URL’s to /etc/hosts but I have not tested that due to Chrome’s status as mostly a frontend to Google services.

There is a dangerous collaboration between Firefox and Google, but Firefox still sends out far less information in the user-agent string than Chrome and most of the spyware (except GEO) either does not exist or is easily disabled in preferences. The fact that Firefox is much harder to “fingerprint” than Chrome is an advantage is stopping cookieless tracking, as is its support for the NoScript and Canvasblocker plugins.

Justin Samual (snitch) and Firefox

Notorious snitch Justin Samuel, responsible for sending multiple activists to jail, was later found to be one of the programmers of Firefox 4, leading many to blacklist that browser. He was said to have worked on “security software” for Firefox 4. Some time ago, that software was found-the “RequestPolicy” extension, whose stated purpose is a useful security improvement. I am NOT sure this is all of it, but this is what he admits to writing. Unfortunately the rest of Mozilla is no longer as trustworthy as they used to be either. Firefox can still be secured against phone-home shit as of version 42 but it now takes some work with Wireshark to fully safe this browser. The torbrowser developers also have to “clean” Firefox as well as add their Tor modifications to create Torbrowser.

On his own website, Justin Samuel lists “requestpolicy” a cross site scripting policy manager plugin, as his main open source project.

The web page for it is

www(dot)requestpolicy.com/

This link should be treated as dangerous, which is why I have disabled it in this page. To follow it, use a browser other than Firefox!

One thing is for sure: Justin Samuel must have had a lot of help from his FBI masters to get a PHD in computer science while his former comrades went to prison thanks to his snitching. He says he feels like the “luckiest person in the world,” he would not have been saying that if he had done his snitching in a place like Afghanistan.

Here are two of his pages, visit with caution:

http://www.justinsamuel.com/
https://www.eecs.berkeley.edu/~jsamuel/

6 Responses to Securing Firefox against Mozilla’s Google and privacy issues

  1. anon says:

    > There is a dangerous collaboration between Firefox
    > and Google

    Yeah, that’s because Google is Mozilla’s biggest donor. Google also get a tax discount contributing to the non-profit Mozilla, even though Mozilla products are a major factor in Google’s business even being a possibility.

    But you really need to acquire a clue when it comes to judging risk from open source software: the author is largely irrelevant when the code is open, the code can be inspected to see if it does exactly and only what the author claims.

    With closed source software this is not the case, and so suspicion based on author is on of the only ways to judge things (eg the Microsoft track record for malware riding on their platforms means the next version of Windows should be distrusted, no matter what MS say about it, whereas if it were open source it could be actually inspected to see if the MS PR claims are true).

    Also, far too many in this world see things in black and white, or try and judge complex situations by boiling things down to good/bad. So there are many Google and Apple fanboys in reaction to MS’s monopoly and abusive business practices. People assume non-MS has to be good. And if someone invests large amounts of time or money on a system then their desire to avoid cognitive dissonance can influence their claimed position. Just think of how Mac owners are prone to fawning over their grossly overpriced intel-compatible machines (aka PCs).

    Geolocation is indeed a privacy threat, but you hardly discovered it. There were plenty of criticisms before it came along. But Google’s influence on Mozilla is what I feel led to geolocation appearing and being enabled by default. The whole functionality should be a browser extension, so users can actually remove the functionality if they do not want it.

    I personally have started using Privoxy to destroy many a web threat before it even gets to the browser. For example, any geolocation functions are deleted, with no regard for how it breaks scripts. If a site is trying to find out where I am, it is already broken as far as I am concerned.

    I have even tried to compile my own copy of FF so that I can remove privacy threats from its code, but with the browser industry’s focus on JS speed the compile requirements are greater than my computing resources! I don’t give a crap about JS, but industry does so that web based applications are possible: they are all about getting applications AND the user’s data off their own computers and onto corporate ones, so that it can be used for business purposes. ie profit, and privacy mooching.

    • dcdirectactionnews says:

      When FF4 came out, my concern was that there had not been time yet for others to examine the code and look for threats. That is of course no longer the case, and some of the folks behind the original report have hopefully been going through the source code with a fine-toothed comb. No way I was using it until it had time for this to happen, which has now been the case. One good thing I learned from Chromium was to go over ALL configuration options in ALL browsers with a fine-toothed comb.

      There have been NO further reports of snitch code in Firefox, the most dangerous things I ever found in browsers myself were geolocation (Thanks Justin Samuel if you had a hand in this) and default searches that can search for a misspelled URL. The most dangerous thing on the Internet right now is browser FINGERPRINTING, attempts to fingerprint hardware, and shit like Scout Analytics fingerprinting of typing cadences. Bluecava (browser fingperprinting /”credit” bureau) and Scout Analytics need to be blocked, I have them all 1.27.0.0.1 ‘ed out in /etc/hosts

      Chromium seens to be the worst in terms of browser fingerprinting, putting it on my “trusted sites only” list. It was written by Google from start to finish-and seemingly designed to be easy for browser fingerprinters to track.Therefore, Google should be presumed to be at least interested in browser fingerprinting via Javascript.

      No easy way in Panopticlick to get Chromium (even with all KNOWN spyware turned off) to not come up as unique. It’s possible to set up Firefox on Linux with Ghostery, NoScript, Torbutton, and even Download Helper (for downloading videos off video sites) to come up as one out of 883 browsers with Javascript blocked, and one out of a few hundred thousand to a million with Javascript enabled. WARNING: If you use an older version of Torbutton to toggle Tor on an off, NEVER toggle between states with pages being interacted with! Close all windows but a blank one, clear private data, THEN toggle. Otherwise one page could get both Tor and non-Tor posts or gets, thus revealing the IP address in use.

      Ghostery blocks all those tracking servers and keeps a current list. NoScript blocks Javascript on things like a sudden surprise link to Google or Youtube (NEVER use Google without Tor-Google seach histories are loved by the FBI). Tor allows doing things like Google searches securely. Once you find what you are looking for, Download Helper will let you force-download many video files, even ones Youtuve says are “not available.” Don’t know if Download Helper uses a protocol a normal Tor/Vidalia setup routes through Tor or not, but downloads through it via Firefox do seem to be “tor slow.”

      Here are some goodies to drop into /etc/hosts to block the worst fingerprinting servers, Google Analytics, and Doubleclick. Some of these are old, a regularily-updated plugin like Ghostery is still needed.

      #block Bluecava device fingerprinting
      127.0.0.1 http://www.bluecava.com
      127.0.0.1 lookup.bluecava.com
      127.0.0.1 ssl.bluecava.com
      **********************************
      Block Iovation and more device fingerprintng

      127.0.0.1 http://www.iovation.com
      127.0.0.1 http://www.threatmetrix.com
      127.0.0.1 http://www.cybersource.com
      127.0.0.1 http://www.arcot.com
      127.0.0.1 http://www.scoutanalytics.com
      127.0.0.1 ssl.scoutanalytics.com

      **********************************
      127.0.0.1 http://www.google-analytics.com
      127.0.0.1 ssl.google-analytics.com
      127.0.0.1 ssl.analytics.com
      127.0.0.1 http://www.analytics.com
      127.0.0.1 http://www.doubleclick.net
      127.0.0.1 ad.doubleclick.net

  2. nonoe says:

    The fact that you know how to compile FF but can’t for resource reasons is emblematic of a kind f security through obscurity that happens in open source software. Basically, the idea is to hide things opensource software by making the malicious code hide in the open. If you can’t compile it, then MOST people can’t compile it either. That reduces the threat of being found out. It’s not possible to look at source code and reason if it does something malicious or not- you have to run it and test it from source you compiled and if you can’t compile the source, then the fact that you HAVE the source is totally worthless.

    This is similar to the way you practice many layered security, just working from the other side. Their layers are- obscure (but open source) code that only experts could understand anyway. Fantasiticaly complex requirements to achieve a build. Plausible deniability wrt to “bugs” (malicious code seee Apple’s infamous “goto fail”.). Given those layers to their security against being found out, 99.999% of people will never make it through to locate the malicious code and when they do get discovered, they’ll already have 10 others at the ready or already deployed.

    Just a passing visitor here, not an activist but here’s my 2 cents to anyone reading this post. Whatever you’re doing that is specifically illegal, it is not to your strategic advantage to do that unless you’re at the level of a Daniel Ellsberg or Deep Throat in which case, that’s just a completely different thing.

    In the case of ALF, the relative effectiveness of what they were doing is somewhere near zero. If the issue is farm animal treatment and research animal treatment then the effective approach is rhetoric and advocacy. You need to convince people that these things need to be banned or reformed or whatever it is you believe in.

    Turning yourselves into targets for LEOs is the worst move you could make if your goal is societal change. Societal change happens through convincing others of the rightness of your viewpoint and that happens through words and media. Even in the face of laws designed to impede the effectiveness with which you can use media- I am thinking of laws banning filming of farms- you can STILL find effective and creative ways to work around those laws. People depict blood and gore and torture everyday to great effect in literature in movies in cartoons in graphic novels without actually having any real instances present. You need to work at it and eevelopa skill set you’re not naturally inclined towards but so what, right? if you’re willing to risk jail for a cause, what is it to you that you have to work hard for a long time? The end result is MORE effective than sitting in jail for a long time and the goal is to be effective, right?

    People who don’t want change fear speech most of all. Just speaking words, the right words at the right time is the most devastating tool you can weild for a shift in cultural attiudes and perceptions.

    Smashing some ATM or burning some SUVs or breaking other laws just puts at risk your ability to even exist in a free state so you can make change happen.

    We probably agree on many points and disagree on others, but breaking the law and engaging in violence is really a total loser’s play. I am not being submissive to authority here, I am being strategic and unemotional in order to maximize my effectiveness.

    Hope this makes some people think.

    • dcdirectactionnews says:

      First things first: if protest is outlawed, only outlaws can protest. If activists will obey laws without limit, than any and all effective activism will be shut down. If filming farm animal torture means the torturers risk being shut down, they will pass “ag-gag” laws to remove the threat. In the real world, such laws are aggressively resisted. Tar sands investors, gas frackers, animal abusers, lobbyists for racist policing laws, and abusive landlords all need to fear that the laws they buy and pay for cannot protect them.

      Consider the 2013 siege of Texas-based gas fracker SouthWest Energy’s staging area for gas exploration on Mi’Kmaq land (in Occupied Canada) back in 2013. A police effort to break the siege and serve the injunction was met with a great deal of force, and cops embarassed themselves with racist statements caught on camera. The injunction was defied and protests escalated. Finally, five cop cars were set on fire on the main highway, and SouthWest Energy threw in the towel and negotiated to retrieve their equipment and leave. Now over a year later there is the threat they may seek to return, but they know damned well Mi’Kmaq warriors will not be deterred by injuntions from what is considered a foreign court of no jurisdiction, nor by the police and armies of the occupiers. If the fight costs more than the fracked gas is worth, Texas Energy will stay away for good.

      OK, back to the browser. A lot of simple backdoors can be found by looking at code with a text editor’s string search features. Things like phone-home URL’s that kind of stuff. Forcing a resort to obfuscated/undrhanded C coding makes it more difficult to insert backdoors and reduces the number of programmers capable of doing it. In closed code whoever the NSA or FBI pays off can insert their shit in the open, making it both easier and more reliable. In open code they have to risk their career on the outcome of a hacking war. For malicious code to be useful it must work in the compiled binary people are actually using, so a behavior examination of the binary does not require being able to compile the source or even have access to it. Guess what would happen to say, Nvidia if someone dropped a keylogger in their closed video driver (which I do NOT use) and someone caught it making connections to Nvidia by comparing network activity between open and closed drivers?

      It was someone using Wireshark who first noticed that Google Chrome by default was sending every keystroke in the address bar to Google and called out the browser as spyware. I caught recent versions of Firefox phoning home by default to check the installation of the Cisco H264 codec by even simpler means: seeing it in terminal. You can disable the “GMPINstallManager” by inserting that string in about:config, then replacing all URL’s for it with blank strings. You will need to have gstreamer installed (linux) for using H264 video, as this disables the default (and limited) codec fetcher. This whole mess comes form the software patent on H264, meaning Mozila cannot distribute it, yet the browser is uncompetitive on Windows machines without it. For Linux you don’t need it,so kill the URL’s and use your native gstreamer codec instead.

      If you make your machines difficult to attack, the FBI and the Secret Service, and certainly the local cops, are going to target the insecure and unsecurable iPhones belonging to other members of your group instead. Until the whole group trashes all that iCrap and vendor-installed Android stuff too, your security only needs to be good enough to either send the attackers after someone else or force use of exploits they can’t afford to talk about in court. At that point your efforts are best spend working to getting everyone else to trash the insecure shit. Also, if you are known to be a hacker, targetting you with exploits aimed at your particular machine (such as an online attempt to insert a keylogger into your BIOS/UEFI) run the risk of the exploit being captured and published so they cannot use it again.

      In short, the same skills in your hands with simultaniously block the low value exploits and deter use of the high value exploits. Nothing is 100%, battlefields never come with guarantees. If your hackers are better than their hackers, the electronic war will usually go in your favor. Yes, sometimes things go to shit and your enemy gets lucky. So long as targetted CEO’s get tired of the harassment from US and divest from (fracking/tar sands/predatory lending/rent gouging/vivisection/fur) faster than activists get driven into retirement, jailed, or killed, we win the war!

      OK, this takes us to the current status of Huntingon Life Sciences. They are like a warship which just sank the last known surface ship fighting them, only to themselves be so shot up in the process that the first storm on the way home will sink them. On top of all else there is still the “submarine threat” of underground action, plus other activists in the role of randomly patrolling warships the HLS battleship can no longer fight. My guess is they are sunk in 5 years, maybe less when that $120M in debt to US Bank comes due.

  3. No bass says:

    I arrived here after discovering that Firefox was sending my Mac address and Wifi accesspoint name to a maps.google.com URl.. every ten seconds.

    Insanity.

    Chromium is also full of nonsense. Is there any browser that is actually good and privacy hardened?

Leave a Reply --WARNING: do not "Comment using Facebook" or using Twitter-you expose your information to 3ed party tracking

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s