Paranoid Firefox


The web is a wild place. What is the most secure and private configuration that we can wring out of Firefox?

Preventing Exploits

The most common way of exploiting Firefox is, ironically, third party plugins. One example of this is the Eleonore exploit kit, which has a good description here. This has become such an issue that there now exists a plugin check facility on the Mozilla site to easily check all plugins are up-to-date.

As for Firefox itself, the most common source of exploits is JavaScript. If you browse through the Mozilla security advisories, you will find many of these exploits can be stopped by disabling JavaScript. JavaScript vulnerabilities can be protected against by using NoScript. NoScript is not a panacea, since this can often be circumvented by a website using an ‘enable JavaScript to continue’ page. However, it puts the user back in control, and also offers protection against XSS and ClickJacking.

Ideally, the whole browser would be sandboxed (and indeed, many researchers use VMs for this). This isn’t yet an option for Firefox, but make sure you enable DEP (and ASLR where possible) on your OS.

Privacy

Privacy, as with many things in security, is not an absolute. The level of privacy desired varies, so I will consider all the data that surfing exposes, namely cookies, cache, search terms, user agent string and IP address. Nonetheless, you must also consider sites that require authentication – even a perfectly anonymised browser is no good if you login, especially if you use your real name.

Cookies

Cookies are the most common way for websites to store data on your system that identifies you. Firefox offers two levels of control of cookies, distinguishing between third party and first party cookies. Third party cookies are much more likely to be tracking cookies and can be disabled or set to be deleted at the end of the session (Preferences > Privacy > Keep Until). A stronger form of privacy may be achieved by deleting all cookies at the end of each session (Preferences > Privacy > Clear History When Firefox Closes Settings > Tick Cookies). This does not stop any sites working, since the only useful purpose of non-session cookies is staying logged in, and the remember password facilities are a perfectly adequate replacement.

Flash cookies are also often overlooked. These are cookie-like pieces of local data that are handled by the Flash plugin and hence immune to your cookie removal settings. There is a simple solution here, the BetterPrivacy add-on enables you to view and delete all these so-called ‘SuperCookies’.

Search Engines

Another privacy concern is your search engine. This is probably Google. Other search engines have had privacy scandals and Google’s CEO has made a number of interesting quotes. Sadly, moving to other search engines usually gives you less accurate search results. My preferred solution here is Scroogle (HTTP version or even better the HTTPS version), which is a Google anonymiser. You can add easily use Scroogle in your search bar.

Of course, this then raises the question: Why should I trust Scroogle? It’s “turtles all the way down” – you are forced to trust someone unless you run your own spider and search engine. In Scroogle’s favour is their privacy statement which says “we don’t save search terms, we don’t use cookies, and we delete IP logs after 48 hours”. This is a substantial improvement over Google’s privacy policy.

However, this isn’t the only source of data that is sent to Google. If you type the string “the free encyclopedia” into the address bar and press enter, this will be used as a Google search term with the ‘I feel lucky’ option. However, there is no need for this to be Google. To change this to Scroogle, go to about:config > keyword.URL > and change it to ‘http://ssl.scroogle.org/cgi-bin/nbbw.cgi?Gw=’.

Finally, Google is contacted to obtain lists of sites that are are suspected web forgeries or attack sites as part of Firefox’s Phishing protection. Unlike IE, Firefox only compares the current URL with this locally stored list so Google is not informed of every URL you visit. However, many attack sites are compromised sites that are quickly cleaned up. When the user visits an ‘evil’ site in the blacklist, Firefox queries Google to see whether the site is still blacklisted. This is probably not a security issue, but you can disable the phishing protection in Preferences > Security if it’s a concern. To see what data is sent, load up your favourite traffic sniffer and visit the test page.

Cache

Generally, the cache isn’t a problem. However, I’m aware that at least two researchers are researching into tracking users using only the cache (using iframes or ETags). The truly paranoid Firefox user will therefore want Firefox to regularly clear its cache.

History

History shouldn’t be something you have to worry about. Unfortunately, there’s a nasty feature interaction with CSS in most browsers that leaks your history, so be aware.

User Agents

Even when you don’t allow the remote host to store any identifying data on your system, the remote host is free to keep logs on its own system. This then enables the remote system to be able to identify you uniquely. Every site you visit receives information about the browser name, version, plugin versions, operating system and various other strings. This is a lot of information and is often sufficient to identify you uniquely. The EFF has a fantastic service called Panopticlick which shows how much data you share and to what extent it exposes you.

The solution to maintaining privacy here is to change these strings to the most common values. There is no complete solution, but add-ons like Modify Headers exist to allow you to control a number of these strings. If you experiment with Panopticlick you will also find that more of these strings are exposed when you permit JavaScript and Flash, so again here NoScript helps you.

IP Addresses

Tracing users by IP address is an inexact science. Dynamic IPs, NAT and proxies all naturally occur and make tracking difficult. However the average user is only behind NAT to share their Internet connection with a small number of people. ISPs also keep sufficient logs that users can often be traced later given an IP address and a time of access.

Changing your IP can be achieved in a number of ways. One common option is a proxy, and lists of many open proxies exist online (presumably compromised systems). A popular alternative option (particularly with dissidents) is Psiphon, which arranges for someone else to run a proxy server which you can access in an encrypted manner. Proxies may also be chained, so that each node in the chain only knows its immediate predecessor (as well as all the following nodes).

A more extreme way of hiding your IP address is Tor, an onion routing scheme. This offers a fairly strong form of anonymity, but browsing can be painfully slow (depending on where in the world you are). Tor is also even more susceptible to problems with plugins not honouring proxy settings, so any dynamic site may compromise your anonymity.

As with any proxying system, you gain anonymity at the expense of also gaining visibility (a Tor end-node operator may keep logs out of simple curiosity). The proxy may well be keeping logs (although your ISP is almost certainly also doing this anyway) and any HTTP traffic may be intercepted by the proxy. With any proxy technology you need to understand its limitations. In many cases you are safe if you use HTTPS.

DNS

For the sake of completeness, I will also consider DNS. Every time you visit a site, your DNS server (typically run by your ISP) receives a request for the IP address of that domain. Since the release of Firefox 3.5, Firefox uses DNS prefetching (following the example of Google’s Chrome). Links on the current page which point to other domains will also have their domains looked up to minimise latency. The best case scenario is that this prefetching introduces some noise into any logs made by the DNS server. The worst case scenario is that it enables a finer granularity of information to be inferred from the logs – if a.com/a.html is the only page that has a link to b.com, and a user requests DNS records for both a.com and b.com in a short period of time, we can infer that he visited a.html.

There are no easy solutions for increased DNS privacy. Very aggressive DNS caching will prevent the remote DNS server learning visit frequency for sites. Alternatively many proxying technologies enable the DNS lookups to also use the proxy.

Conclusions

You may well not wish to put into practice all these suggestions. Nonetheless, awareness of what risks you are taking is important. If you have any doubts about what data is going to and from your browser, sniff the traffic and examine it yourself.

Recent Posts

These Weeks in Remacs

This Week in Remacs

Announcing Remacs: Porting Emacs to Rust

Introspecting Glue Code

Searching A Million Lines Of Lisp