This is a user.js configuration file for Mozilla Firefox that's supposed to harden Firefox's settings and make it more secure.
- Limit the possibilities to track the user through web analytics
- Harden the browser, so it doesn't spill it's guts when asked (have you seen what BeEF can do?)
- Limit the browser from storing anything even remotely sensitive persistently (mostly just making sure private browsing is always on)
- Make sure the browser doesn't reveal too much information to shoulder surfers
- Harden the browser's encryption (cipher suites, protocols, trusted CAs)
- Hopefully limit the attack surface by disabling various features
- Still be usable in daily use
There are several parts to all this and they are:
- Running a selected list of browser extensions
- Using the user.js settings file itself
- Using the cas.sh script to limit the CAs
Just drop the user.js file to your Firefox profile directory at ~/.mozilla/firefox/XXXXXXXX.your_profile_name and verify that the settings are effective from about:support (check the "Important Modified Preferences" and "user.js Preferences" sections).
If you want to be able to keep your user.js up-to-date with this repository, you can clone the latter in the main mozilla directory and create a link to the user.js file from your profile:
cd ~/.mozilla/firefox
git clone 'https://github.com/pyllyukko/user.js.git'
cd XXXXXXXX.your_profile_name
ln -s ../user.js/user.js user.js
Do note that these settings alter your browser behaviour quite a bit, so it is recommended to either create a completely new profile for Firefox or backup your existing profile directory before putting the user.js file in place.
Whenever you want to update your local copy of the repository, just use git pull and restart Firefox.
On Firefox for Android (Fennec), you need to drop the file to /data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.your_profile_name. If you use Jolla and run Firefox through Alien Dalvik, the location needs to be prefixed with /opt/alien.
See issue #14 for further details on using this user.js file with Firefox for Android.
On Windows, you need to drop the user.js file to %appdata%\Mozilla\Firefox\Profiles\XXXXXXXX.your_profile_name.
There's a whole lot of settings that this modifies and they are divided in the following sections or categories:
- HTML5 / APIs / DOM
- Miscellaneous
- Extensions / plugins related
- Firefox (anti-)features / components
- Automatic connections
- HTTP protocol related
- Caching
- UI related
- TLS / HTTPS / OCSP related
- Cipher suites
Some of the settings in this user.js file might seem redundant, as some of them are already set to the same values by default. However, the user.js file has this nice property, that even if you go change any of these settings through about:config, they're reset to the user.js defined values after you restart Firefox. So user.js makes sure they're back at the secure default values always when you start your browser. That way, it also makes experimenting with different settings easier.
Here are some of the "highlights" from each category. For a full list of settings and references, check the user.js file itself.
- Disable geolocation
- Don't reveal internal IP addresses (media.peerconnection.enabled)
- browser.send_pings
- Disable WebGL
- Disable Battery API
- Enables Firefox's mixed content blocking (also for "display" content)
- Disables various your-browser-knows-better-let-me-guess-what-you-were-trying features
- Disable this keyword thingie
- Disable Domain Guessing
It is common for client side attacks to target browser extensions, instead of the browser itself (just look at all those Java and Flash vulnerabilities). Make sure your extensions and plugins are always up-to-date.
- Disable flash
- Enable click to play
- Enable add-on updates
- Enables Firefox's built-in tracking protection
- Disables telemetry, Crash Reporter, healt report, heartbeat and other such privacy invading nonsense
This section disables some of Firefox's automatic connections.
- Disables prefetching
- Disable Necko/predictor
- Disable search suggestions
Do note, that some automatic connections are still intentionally left out (as in not disabled), namely the following:
- browser.safebrowsing.malware.enabled
- plugins.update.notifyUser
extensions.update.enabled- extensions.blocklist.enabled
See also #20.
- Referer header:
- Spoofs the referer header with network.http.referer.spoofSource (see: #2)
- "Don't send the Referer header when navigating from a https site to another https site."
- Don't accept 3rd party cookies
- Permanently enables private browsing mode
- Prevents Firefox from storing data filled in web page forms
- Disables password manager
- Don't suggest any URLs while typing at the address bar
- TLS v1.[012] only
- Require OCSP
- Notice that this setting has some privacy implications
- OCSP stapling (enabled by default anyway)
- Disable TLS session tickets
- Enforces pinning
This section tweaks the cipher suites used by Firefox. The idea is to support only the strongest ones with emphasis on forward secrecy, but without compromising compatibility with all those sites on the internet. As new crypto related flaws are discovered quite often, the cipher suites can be tweaked to mitigate these newly discovered threats.
Here's a list of the ciphers with default config and Firefox 27.0.1:
Cipher Suites (23 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Here's the list with this config:
Cipher Suites (8 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Here's some other tips how you can further harden Firefox:
- Keep your browser updated! If you check Firefox's security advisories, you'll see that pretty much every new version of Firefox contains some security updates. If you don't keep your browser updated, you've already lost the game.
- Disable all unnecessary extensions and plugins!
- Create different profiles for different purposes
Here is a list of the most essential security and privacy enhancing add-ons that you should consider using:
- Certificate Patrol
- I recommend setting the 'Store certificates even when in Private Browsing Mode' to get full benefit out of certpatrol, even though it stores information about the sites you visit
- HTTPS Everywhere
- NoScript
- DuckDuckGo Plus (instead of Google)
Tracking protection is one of the most important technologies that you need. The usual recommendation has been to run the Ghostery extension, but as it is made by a potentially evim(tm) advertising company, some people feel that is not to be trusted. One notable alternative is to use uBlock, which can also be found at Mozilla AMO.
Ghostery is still viable option, but be sure to disable the GhostRank feature.
Do note, that this user.js also enables Mozilla's built-in tracking protection, but as that's quite new feature it is to be considered only as a fallback and not a complete solution. As it utilizes Disconnect's list, recommending Disconnect seems redundant.
So to summarize, pick one between Ghostery and uBlock, depending on your personal preferences.
See also:
- Mozilla Lightbeam extension
- Privacy Badger extension from EFF (also to be considered as an additional security measure and not a complete solution)
- Web Browser Addons section in PRISM break
- [Talk] Ghostery Vs. Disconnect.me Vs. uBlock #16
- Ghostery sneaks in new promotional messaging system #47
- Are We Private Yet? site (made by Ghostery)
- Tracking Protection in Firefox For Privacy and Performance paper
- Panopticlick
- www.filldisk.com
- SSL Client Test
- evercookie
- Mozilla Plugin Check
- BrowserSpy.dk
- Testing mixed content
- WebRTC stuff
- Flash player version from Adobe
- Verify your installed Java Version
- Protip: Don't use Oracle's Java!! But if you really need it, update it regulary!
- IP check
- Onion test for CORS and WebSocket
- Firefox Addon Detector
- browserrecon??
- Official WebGL check
- battery.js
- RC4 fallback test
- Battery API
- AmIUnique (Source)
Here's a comparison of the various supported HTML5 features between recent Firefox with these settings, stock Firefox and the Tor Browser:
| Comparison | user.js version | Firefox version | Firefox baseline | Tor Browser |
|---|---|---|---|---|
| html5test | 3041fb7204f2547a34083fba7db2009929ed2326 | 36.0.1 | 35 | 4.0.4 |
There are plenty! Hardening your browser will break your interwebs. Here's some examples:
- If you get "TypeError: localStorage is null", you probably need to enable local storage (
dom.storage.enabled == true) - If you get "sec_error_ocsp_invalid_signing_cert", it probably means that you don't have the required CA
- If you get "ssl_error_unsafe_negotiation", it means the server is vulnerable to CVE-2009-3555 and you need to disable security.ssl.require_safe_negotiation (not enabled currently)
- If you set browser.frames.enabled to false, probably a whole bunch of websites will break
- Some sites require the referer header (usually setting
network.http.sendRefererHeader == 2is enough to overcome this and the referer is still "spoofed") - The IndexedDB is something that could potentially be used to track users, but it is also required by some browser add-ons in recent versions of Firefox. It would be best to disable this feature just to be on the safe side, but it is currently enabled, so that add-ons would work. See the following links for further info:
- Issue #8
- IndexedDB Security Review (this document also states that "IndexedDB is completely disabled in private browsing mode.", but this should still be verified)
- This discussion on mozillaZine Forums
- IndexedDB page at MDN
- Firefox Hello requires WebRTC, so you'll need to enable
media.peerconnection.enabled&media.getusermedia.screensharing.enabledand apparently disablesecurity.OCSP.require. - Captive portals might not let OCSP requests through before authentication, so setting
security.OCSP.require == falsemight be required before internet access is granted - DNT is not set, so you need to enable it manually if you want (see the discussion in issue #11)
- The
network.http.referer.spoofSourceandnetwork.http.sendRefererHeadersettings seems to break the visualization of the 3rd party sites on the Lightbeam extension - You can not view or inspect cookies when in private browsing (see https://bugzil.la/823941)
- Installation of
user.jscauses saved passwords to be removed from the Firefox (see #27)
The web console is your friend, when websites start to break.
It all started when I read this blog post...
So another part of my browser hardening was to somehow reduce the number of CAs trusted by my browser. First I thought I would sniff all the HTTPS connections and extract the certificates from there, to get the list of CAs I really need.
Then I came up with an better idea. I'd use certpatrol to record the certs from the HTTPS sites I visit. There was just one problem, certpatrol only stores the fingerprint of the issuer cert, which is usually a intermediate CA. So I needed to get the root CA of the intermediate CA. The solution for this to use Firefox's cert8.db to extract the intermediate CAs and get the issuer (root CA) from there.
So I wrapped up a script that uses the certpatrol's SQLite DB and Mozilla's certutil to establish a list of required root CAs from the HTTPS sites that you have visited.
There's also a ready made list built in into the script, that has 26 root CAs in it. With this list of CAs you should already be able to browse the web quite freely. Of course there might also be some geographical variations as to what CAs "are required" for normal use.
Do note, that in order for all this to work, you MUST remove or rename Firefox's default CA list that is stored inside libnssckbi.so as described here.
cas.sh -P ~/.mozilla/firefox/XXXXXXXX.current_profile -r
First check which CAs would be imported (dry-run):
cas.sh -p ~/.mozilla/firefox/XXXXXXXX.reference_profile -A
Then import the required CAs to new profile:
cas.sh -p ~/.mozilla/firefox/XXXXXXXX.reference_profile -P ~/.mozilla/firefox/XXXXXXXX.new_profile -a
After you have run the script, verify from Firefox's certificate settings, that the list is indeed limited:
This is the default CA list, that you can use. It should be enough for basic use for the most biggest/popular sites. Of course this still depends on where you are located and what sites/services/etc. you use. If you know some popular site, that is not accessible with this root CA list, please let me know and I'll consider adding it to the list.
| Root CA | Used by |
|---|---|
| AddTrust External CA Root | https://www.debian.org/ |
| Baltimore CyberTrust Root | |
| COMODO Certification Authority | |
| Deutsche Telekom Root CA 2 | |
| DigiCert High Assurance EV Root CA | https://www.facebook.com/ |
| DigiCert Global Root CA | https://duckduckgo.com/ |
| Entrust.net Secure Server Certification Authority | |
| Entrust.net Certification Authority (2048) | |
| Entrust Root Certification Authority | https://www.ssllabs.com/ |
| Equifax Secure Certificate Authority | |
| GTE CyberTrust Global Root | |
| GeoTrust Global CA | https://www.google.com/ |
| GeoTrust Primary Certification Authority | https://www.robtex.com/ |
| GlobalSign Root CA | https://www.wikipedia.org/ |
| Go Daddy Class 2 Certification Authority | |
| Go Daddy Root Certificate Authority - G2 | |
| Starfield Class 2 Certification Authority | https://tools.ietf.org/ |
| StartCom Certification Authority | |
| UTN-USERFirst-Hardware | |
| ValiCert Class 2 Policy Validation Authority | |
| VeriSign Class 3 Public Primary Certification Authority - G3 | https://www.mysql.com/ |
| VeriSign Class 3 Public Primary Certification Authority - G5 | https://twitter.com/ |
| thawte Primary Root CA | |
| thawte Primary Root CA - G3 | |
| SecureTrust CA | |
| QuoVadis Root CA 2 | https://supportforums.cisco.com/ |
Import the default CA list with:
cas.sh -C -P ~/.mozilla/firefox/XXXXXXXX.new_profile -a
- HTML5 canvas
- Address Sanitizer
- Send bogus timezone
Yes please! All issues and pull requests are more than welcome. Please try to break down your pull requests or commits into small / manageable entities, so they are easier to process. All the settings in the user.js file should have some official references to them, so the effect of those settings can be easily verified from Mozilla's documentation.
For more information, see https://github.com/pyllyukko/user.js/blob/master/CONTRIBUTING.md.
- CIS:
- Security Advisories for Firefox
- The Design and Implementation of the Tor Browser
- Bulletproof SSL and TLS
- Polaris
- Mozilla Included CA Certificate List
- Privacy & Security related add-ons
- Mozilla Security Blog
- Security and privacy-related preferences
- How to stop Firefox from making automatic connections
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent