spyzilla
Differences
— | spyzilla [2020-05-18 02:45:13] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Spyzilla ====== | ||
+ | |||
+ | Mozilla products by default send some information to NSA. This guide will show you how to change these settings to other secret service of your choice or how to turn them off completely. | ||
+ | |||
+ | See also [[:et|list of other applications that do not respect privacy]]. | ||
+ | |||
+ | ===== Client certificates ===== | ||
+ | |||
+ | Check //Advanced → Certificates → Ask me every time//, we really don't want to authenticate to the remote server automatically! [[https:// | ||
+ | |||
+ | ===== Firefox (older versions) ===== | ||
+ | |||
+ | This applies to Firefox <57. We have downloaded Firefox 57, started it, left it for ~30 minutes and were amazed: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | * Run with parameter -P. Select "Start offline" | ||
+ | * Visit Preferences. In " | ||
+ | * Uncheck Advanced → Updates | ||
+ | * Uncheck Advanced → Certificates → Validation → OCSP (of course this disables fetching certificate revocation info - be sure you know what are you doing) | ||
+ | * Visit about: | ||
+ | * Search for " | ||
+ | * Unfortunately, | ||
+ | * Related: [[https:// | ||
+ | * Since FF 32, on Windows, hashes of certain downloaded files are sent to Google. This can be disabled by the aforementioned settings. [[https:// | ||
+ | * If you want to test this with an intercepting proxy, make sure you have [[https:// | ||
+ | * Disable automatic resolving of local names and URL-like patters: set browser.fixup.alternate.enabled and keyword.enabled to false. [[https:// | ||
+ | * media.peerconnection.enabled: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | * Since version 33, [[https:// | ||
+ | * Since version 38, it is not possible to turn this feature off. Additionally, | ||
+ | * media.gmp-gmpopenh264.enabled does not help and media.gmp-gmpopenh264.autoupdate does note exist anymore. Try setting media.gmp-manager.lastCheck to the future and media.gmp-manager.url to some non-existent URL. | ||
+ | * Since version 38 (on Windows), a DRM backdoor from Adobe is downloaded automatically: | ||
+ | * This will be [[https:// | ||
+ | * However, in version 57, another DRM backdoor is downloaded on all platforms. [[http:// | ||
+ | |||
+ | * Every time you open new window, Firefox posts your system information to Mozilla, e.g. [[https:// | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | * Yes, we have [[https:// | ||
+ | * Setting this to False breaks webpages, known problems are with zbozi.cz and mapy.cz. | ||
+ | |||
+ | * devtools.gcli.jquerySrc = https:// | ||
+ | * devtools.gcli.lodashSrc = https:// | ||
+ | * devtools.gcli.underscoreSrc = https:// | ||
+ | |||
+ | * Files in local filesystem can read files in current directory and post them to a remote server. | ||
+ | * Download [[http:// | ||
+ | |||
+ | * [[https:// | ||
+ | |||
+ | * HSTS settings cannot be overriden (the decision can be hand-deleted from SiteSecurityServiceState.txt when Firefox is not running (otherwise the file is immediately overwritten), | ||
+ | * You can override it by adding test.currentTimeOffsetSeconds (integer) = 11491200 | ||
+ | * And in Chrome, you can override it by typing " | ||
+ | * or " | ||
+ | * Neither it seems to be possible to override [[https:// | ||
+ | * The webpage can detect that [[https:// | ||
+ | |||
+ | * Recommended: | ||
+ | |||
+ | * Firefox 52 ESR downloads browser.safebrowsing.provider.mozilla.gethashURL even if safe browsing is turned off in Preferences | ||
+ | |||
+ | * Some webpages are blocking pasting of password for " | ||
+ | |||
+ | See: [[https:// | ||
+ | |||
+ | See also this guide. I have downloaded it from [[http:// | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | To be investigated: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Firefox (v. 64 basic setup) Work in Progress ===== | ||
+ | After these changes, firefox should not open any outgoing connections (if autoupdate was disabled by company policy / Linux distribution maintainers) when starting with a blank page, except for checking updates of installed extensions. | ||
+ | |||
+ | ==== Edit -> Preferences ==== | ||
+ | * General | ||
+ | * Firefox Updates | ||
+ | * Automatically update search engines -> Off | ||
+ | * Browsing | ||
+ | * Search for text when you start typing -> Off | ||
+ | * Recommend extensions as you browse -> Off | ||
+ | * Privacy & security | ||
+ | * Browser Privacy | ||
+ | * Block trackers -> Always | ||
+ | * Send DNT -> Always | ||
+ | * Firefox Data Collection and Use | ||
+ | * Allow Firefox to install and run studies -> Off | ||
+ | * Allow Firefox to send technical and interaction data -> Off | ||
+ | * Security | ||
+ | * Block dangerous downloads -> off | ||
+ | * Warn about unwanted software -> off | ||
+ | * Block dangerous and deceptive content -> off | ||
+ | * Query OCSP -> off (potentially UNSAFE!) | ||
+ | * Home | ||
+ | * Homepage and new windows -> Blank page | ||
+ | * New tabs -> Blank page | ||
+ | |||
+ | |||
+ | ==== about: | ||
+ | < | ||
+ | # Autocompletion in url bar should *not* connect to google | ||
+ | browser.urlbar.searchSuggestionsChoice = false | ||
+ | browser.urlbar.speculativeConnect.enabled = false | ||
+ | |||
+ | # localserver in url bar should not be translated to www.localserver.com | ||
+ | keyword.enabled = false | ||
+ | browser.fixup.alternate.enabled = false | ||
+ | |||
+ | # Disable WebRTC | ||
+ | media.peerconnection.enabled = false | ||
+ | media.peerconnection.video.enabled = false | ||
+ | |||
+ | # Disable gmp autoupdate, UNTESTED (disabled at compile-time) | ||
+ | media.gmp-manager.url = https:// | ||
+ | |||
+ | # Disable prefetching | ||
+ | network.dns.disablePrefetch = true | ||
+ | network.prefetch-next = false | ||
+ | |||
+ | # IDN phishing | ||
+ | network.IDN_show_punycode = true | ||
+ | |||
+ | |||
+ | |||
+ | network.http.referer.hideOnionSource = true | ||
+ | |||
+ | # This breaks google docs! | ||
+ | network.http.referer.spoofSource = true | ||
+ | |||
+ | browser.send_pings = false | ||
+ | |||
+ | # Disable clipboard control from JS | ||
+ | dom.event.clipboardevents.enabled = false | ||
+ | |||
+ | # Disable APIs used for fingerprinting | ||
+ | dom.webaudio.enabled = false | ||
+ | dom.battery.enabled = false | ||
+ | geo.enabled = false | ||
+ | |||
+ | media.navigator.enabled = false | ||
+ | network.captive-portal-service.enabled = false | ||
+ | |||
+ | browser.ping-centre.production.endpoint = "" | ||
+ | browser.newtabpage.activity-stream.telemetry.ping.endpoint = "" | ||
+ | |||
+ | |||
+ | # https:// | ||
+ | privacy.firstparty.isolate = true | ||
+ | privacy.resistFingerprinting = true | ||
+ | |||
+ | # extension blocklists | ||
+ | extensions.blocklist.enabled = false | ||
+ | |||
+ | # extensions automatic update | ||
+ | extensions.systemAddon.update.enabled = false | ||
+ | |||
+ | # disable requests to search.services.mozilla.com/ | ||
+ | browser.search.geoSpecific.Defaults = false | ||
+ | |||
+ | ??? XXX firefox.settings.services.mozilla.com | ||
+ | |||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ===== Thunderbird ===== | ||
+ | |||
+ | New Account setup wizard sends your e-mail domain to Mozilla. To add an account without this feature, select File → Offline → Work offline. | ||
+ | |||
+ | |||
+ | ===== Firefox for Android ===== | ||
+ | |||
+ | Checks for updates even when the main app is not running. Same as described [[https:// | ||
+ | |||
+ | This update checking does not respect network.proxy.http settings, but connect straight to the network, i.e., a standard intercepting proxy setup won't see it, it won't go through Tor etc. | ||
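Review bot: in the "Firefox (v. 64 basic setup)" section, the Security entries "Block dangerous downloads -> off", "Warn about unwanted software -> off" and "Block dangerous and deceptive content -> off", together with "extensions.blocklist.enabled = false" in the about:config block, each switch off a protective check, yet only "Query OCSP -> off" carries the "(potentially UNSAFE!)" marker. Mark these entries the same way and state the trade-off next to each one (fewer outgoing requests against losing the check), as the older-versions section already does for OCSP. In the same block, "??? XXX firefox.settings.services.mozilla.com" has no leading "#", so it reads as a preference line rather than an open question, and the preferences from network.http.referer.hideOnionSource down to network.captive-portal-service.enabled mostly lack the explanatory comment the other groups have. Typos to fix in the same pass: "patters", "does note exist", "overriden".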
spyzilla.txt · Last modified: by 127.0.0.1