5480 Firefox configuration - Telecomix Crypto Munitions Bureau

Firefox configuration

From Telecomix Crypto Munitions Bureau

Jump to: navigation, search


[edit] Configuration

It's very easy to configure Firefox and the configuration is very powerful. To get a simple look under the hood, open a new tab (press ctrl+t) and enter "about:config" in the address bar.

[edit] Search

Firefox is being very Google-friendly by default. You should not.

  • Search suggestions: Send all characters you type (before you've even hit enter) to Google in order to make Google try to guess what you're going to type. How to disable:

[edit] Visited history (the Javascript/CSS History Hack)

Demonstration of the History Hack, a vulnerability that was discovered some years ago in a couple of browsers. When you click a link in firefox - or most other browsers - the page linked to gets status of "visited". Links linking to visited pages get another color by default. Using cascading style sheets (CSS) or javascript it is possible to check the current color of a link and perform an action based on this. The History Hack exploits these circumstances to generate lots of links to various page and check how the browser colors them, effectively revealing where you have been. UPDATE! Firefox 3.5 >= has a fix!

  • The idea is to disable all differences between visited and unvisited links. It might be an annoyance to some users, though :-(

Go to about:config and change the following variable to false:


Read about the patch here: Preventing attacks on a user's history through CSS :visited selectors

  • A less radical approach could be installing the Stanford SafeHistory plugin which seems to allow for a more fine-tuned solution (I haven't tested it).

The authors also made this rather cool-looking extension: SafeCache, by the way.

[edit] Cool addons/plugins/extensions

  • Certificate Patrol shows you new certificates and compares old and new ones when they are exchanged.
  • NoScript keeps Javascript from executing randomly (good to disable Google Analytics etc).
    • TODO: add configuration notes (especially of the "force https"-feature - really awesome when combined with Certificate Patrol)
      • [1] <-- this does kind of the same, except the fact that other people help grow the list of sites :-)
    • SSLGuard does just that: It enforces https on sites that provide both protocols. It comes with a little list of popular presets and needs manual work to learn more.
  • Perspectives can be used manually when you really need a second opinion on the credibility of a certificate.
  • Safe to avoid submitting login data over unencrypted lines.
  • CipherFox shows the name of the cipher currently used.
  • IPFuck is a firefox addon created to simulate the use of a proxy.
  • BetterPrivacy is a safeguard which protects from usually not deletable LSO's on Google, YouTube, etc.
  • TorButton is currently the only addon that will safely manage your Tor browsing to prevent IP address leakage, cookie leakage, and general privacy attacks. Deprecated, use Tor Browser Bundle instead.
  • Adblock Plus removes advertising from websites. (note : by default an option is checked to allow non-intrusive advertising)
  • HTTPS Everywhere encrypts communications with a number of major websites.
  • FireGPG use GPG in your Browser(further development discontinued)
  • ShareMeNot Protecting against tracking from third-party social media buttons while still allowing you to use them
  • Ghostery Protect against trackers (tags, web bugs/cookies, pixels and beacons)
  • AutoProxy chooses proxy server depending on the site you are viewing. Useful for switching between Tor, I2P and direct connection automatically.
  • Calomel SSL Validation Addon to show current SSL "strength", disable insecure ciphers, etc.
  • FireGloves extension to limit browser fingerprinting by the sites you visit while maintaining most functionality. During limited testing worked for the vast majority of websites with the exception of LastPass addon's configuration dialogs.
Personal tools