LinuxQuestions.org
Old 02-22-2015, 07:40 AM   #1
oceanus2
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Rep: Reputation: Disabled
Firefox Security Best Practices


What are the recommended best security practices for using Firefox on a new Linux system (CentOS 7 in my case)? I only access the web using Firefox using my regular, non-root, account. Other than that, what Firefox and/or system settings should I enable/disable in order to safeguard my system from malware scripts, viruses, etc.? Also, are there similar Thunderbird settings that should be enabled/disabled?

Thanks in advance from a new Linux user
 
Old 02-22-2015, 07:55 AM   #2
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Debian stable (and OpenBSD-current)
Posts: 1,187

Rep: Reputation: 285
Use the "noscript" add-on.
 
Old 02-22-2015, 07:58 AM   #3
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 65
NO spyware,virus,blablabla...

U r in Penguin my friend, do not worry bout that:

http://www.whylinuxisbetter.net/item...ndex.php?lang=




Quote:
Why Linux is Better


Forget about viruses.


If your computer shuts itself down without asking you, if strange windows with text you don't understand and all kinds of advertisements appear when you don't ask for them, if emails get sent to all your contacts without your knowing it, then your computer probably has a virus. The main reason for this is because it runs win$UCK$.

Linux hardly has any viruses. And that's not like "Oh well, not very often, you know". That's like "If you've ever heard of a real Linux virus, please tell me". Of course, a Linux virus is not impossible to get. However, Linux makes it very hard for this to happen, for several reasons:

Most people use Microsoft Windows, and pirates want to do as much damage (or control) as possible: therefore, they target Windows. But that's not the only reason; the Apache web server (a web server is a program located on a remote computer that sends web pages to your browser when you ask for them), which is open source software, has the biggest market share (against Microsoft's IIS server), but it still suffers from much fewer attacks/flaws than the Microsoft one.
Linux uses smart authorization management. In Windows you (and any program you install) usually have the right to do pretty much anything to the system. If you feel like punishing your PC because it just let your precious work disappear, you can go inside the system folder and delete whatever you want: Windows won't complain. Of course, the next time you reboot, trouble begins. But imagine that if you can delete this system stuff, other programs can, too, or just mess it up. Linux doesn't allow that. Every time you request to do something that has to do with the system, an administrator password is required (and if you're not an administrator on this system, you simply can't do it). Viruses can't just go around and delete or modify what they want in the system; they don't have the authorization for that.
More eyes make fewer security flaws. Linux is Open source software, which means that any programmer in the world can have a look at the code (the "recipe" of any program), and help out, or just tell other developers "Hey, what if blah blah, isn't this a security flaw?".

Last edited by gor0; 02-22-2015 at 10:09 AM.
 
Old 02-22-2015, 09:20 AM   #4
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Debian stable (and OpenBSD-current)
Posts: 1,187

Rep: Reputation: 285
It's not quite as simple as that.
https://en.wikipedia.org/wiki/Linux_malware

Personally I always boot up a live distribution to do my internet banking, just in case...
 
Old 02-22-2015, 09:46 AM   #5
jross
Member
 
Registered: Apr 2014
Distribution: Xubuntu 14.04
Posts: 164

Rep: Reputation: Disabled
Quote:
Originally Posted by Head_on_a_Stick
It's not quite as simple as that.
I agree with that! Never a good idea to think you are immune. Here's a video of malware gotten through Firefox and Adobe Flash in Linux: https://www.youtube.com/watch?v=94QsgdXnsmU

A good idea is to always make the browser ask you to enable Flash, so you only use it when necessary (and you don't need it for YouTube anymore).

Last edited by jross; 02-22-2015 at 11:01 AM.
 
Old 02-22-2015, 10:14 AM   #6
ozar
Member
 
Registered: May 2004
Location: USA
Distribution: Arch Linux
Posts: 415

Rep: Reputation: 85
Quote:
Originally Posted by oceanus2
What are the recommended best security practices for using Firefox on a new Linux system (CentOS 7 in my case)? I only access the web using Firefox using my regular, non-root, account. Other than that, what Firefox and/or system settings should I enable/disable in order to safeguard my system from malware scripts, viruses, etc.?
Hello

I'd recommend using one or more of the following add-ons:

NoScript
Policeman
uBlock

...and you might also consider setting some or all of the following in Firefox/about:config to help with security:

beacon.enable = false
breakpad.reportURL = blank
browser.cache.disk.enable = false
browser.cache.disk.capacity = 0
browser.cache.offline.enable = false
browser.cache.offline.capacity = 0
browser.safebrowsing.appRepURL = blank
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.enabled = false
browser.safebrowsing.gethashURL = blank
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.malware.reportURL = blank
browser.safebrowsing.reportErrorURL = blank
browser.safebrowsing.reportGenericURL = blank
browser.safebrowsing.reportMalwareErrorURL = blank
browser.safebrowsing.reportMalwareURL = blank
browser.safebrowsing.reportPhishURL = blank
browser.safebrowsing.reportURL = blank
browser.safebrowsing.updateURL = blank
services.sync.prefs.sync.browser.safebrowsing.enabled = false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled = false
browser.send_pings.require_same_host = true
browser.sessionhistory.max_total_viewers = 0
browser.sessionstore.privacy_level = 2
devtools.cache.disabled = true
dom.event.clipboardevents.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = blank (or http://127.0.0.1)
keyword.enabled = false
media.peerconnection.enabled = false
network.dns.disablePrefetch = true
network.http.pipelining = true
network.http.pipelining.ssl = true
network.http.pipelining.maxrequests = 10
network.http.proxy.pipelining = true
network.http.referer.XOriginPolicy = 1
network.http.referer.spoofSource = true
network.http.referer.trimmingPolicy = 2
network.http.sendRefererHeader = 0
network.http.use-cache = false
network.prefetch-next = false
newtabpage.enabled = false
privacy.trackingprotection.enabled = true (may break some sites)
security.ssl3.ecdhe_ecdsa_rc4_128_sha = false
security.ssl3.ecdhe_rsa_rc4_128_sha = false
security.ssl3.rsa_rc4_128_md5 = false
security.ssl3.rsa_rc4_128_sha = false
social.remote-install.enabled = false
webgl.disabled = true
 
2 members found this post helpful.
Old 02-22-2015, 10:17 AM   #7
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 65
Quote:
Originally Posted by Head_on_a_Stick
Personally I always boot up a live distribution to do my internet bankin
just use TAILS... !!!

and

can U expand?
 
Old 02-22-2015, 10:19 AM   #8
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 65
Quote:
Originally Posted by ozar

...and you might also consider setting some or all of the following in Firefox/about:config to help with security:

That's pretty Paranoid !
 
Old 02-22-2015, 10:22 AM   #9
gor0
Member
 
Registered: Jun 2014
Distribution: quad BOOT!
Posts: 549

Rep: Reputation: 65
Quote:
Originally Posted by Head_on_a_Stick
Linux_malware
R U spreadin FUD ???

 
Old 02-22-2015, 10:22 AM   #10
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Debian stable (and OpenBSD-current)
Posts: 1,187

Rep: Reputation: 285
Quote:
Originally Posted by gor0
just use TAILS... !!!

and

can U expand?
I have heard of ISPs throttling connections used with TAILS.

With a live distribution, everything is "fresh" when you boot it up -- there is zero chance of keyloggers or trojans being on the system (check the md5sums when you download the ISO though) and nothing is saved when you shut down the system.
 
1 members found this post helpful.
Old 02-22-2015, 10:23 AM   #11
Head_on_a_Stick
Senior Member
 
Registered: Dec 2014
Location: London, England
Distribution: Debian stable (and OpenBSD-current)
Posts: 1,187

Rep: Reputation: 285
Quote:
Originally Posted by gor0
R U spreadin FUD ???

Not at all -- maybe @Unspawn or one of the other security experts will chime in and back me up here.
 
Old 02-22-2015, 10:48 AM   #12
oceanus2
LQ Newbie
 
Registered: Feb 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
I have used live images before and they worked nicely except that they are slow to boot from a CD/DVD. It sounds like I should reconfigure my system with my base/primary Linux image and a second Linux live image so I can boot quickly from my SSD with the live image when necessary to process financial transactions. Can a live image be configured to coexist on an SSD with another image but can't access the other image's file system?
 
Old 02-22-2015, 11:17 AM   #13
XenaneX
Member
 
Registered: Jan 2009
Location: London
Distribution: MX16 & PCLOS
Posts: 181
Blog Entries: 5

Rep: Reputation: 22
Use a good hosts file.

http://www.pclinuxos.com/forum/index...tml#msg1103856
 
Old 02-22-2015, 12:13 PM   #14
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Adblock and Noscript are the main addons you need. I also run only in private browsing mode.

Some about:config values:

These stop JavaScript from messing with the window; there is more than one:
user_pref("dom.disable_window*", true);

This limits the number of popups
user_pref("dom.popup_maximum", 2);

Some recent concerns:
http://threatpost.com/webrtc-found-l...dresses/110803
https://www.techdirt.com/articles/20...-attacks.shtml
 
1 members found this post helpful.
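
Added example, not part of any post in this thread: a small Python check that compares the contents of a profile's prefs.js or user.js against a baseline built from a few of the values suggested in posts #6 and #14, treating the "dom.disable_window*" shorthand as a name pattern. The baseline subset and the sample file contents are constructed for illustration; a finding whose actual value is None means the pref is absent from the file.

```python
import fnmatch
import json
import re

# One line of prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
# Baseline: a subset of the values suggested in posts #6 and #14. The "*" entry
# is a pattern for this script only; user_pref itself takes a full pref name.
BASELINE = {
    "geo.enabled": False,
    "media.peerconnection.enabled": False,
    "network.http.sendRefererHeader": 0,
    "dom.disable_window*": True,
    "dom.popup_maximum": 2,
}
# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("dom.disable_window_flip", true);
user_pref("dom.disable_window_move_resize", false);
user_pref("dom.popup_maximum", 20);
user_pref("geo.enabled", false);
user_pref("network.http.sendRefererHeader", false);
"""

def parse_prefs(text):
    """Return {name: value}; true/false, integers and "strings" parse as JSON."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments and blank lines are skipped
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs

def audit(baseline, prefs):
    """Return sorted (name, expected, actual) findings; actual None = not in file."""
    findings = []
    for pattern, expected in baseline.items():
        names = [n for n in prefs if fnmatch.fnmatchcase(n, pattern)] or [pattern]
        for name in names:
            actual = prefs.get(name)
            # bool is an int subclass in Python (False == 0), so compare types too
            if (actual, type(actual)) != (expected, type(expected)):
                findings.append((name, expected, actual))
    return sorted(findings, key=lambda f: f[0])

if __name__ == "__main__":
    for name, expected, actual in audit(BASELINE, parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{name}: expected {expected!r}, found {actual!r}")
```

Run it against a copy of the profile's file by passing the file's text to parse_prefs in place of the sample.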
Old 02-22-2015, 12:57 PM   #15
RobInRockCity
Member
 
Registered: Feb 2015
Posts: 141

Rep: Reputation: Disabled
1.) I would consider adding "AdBlock Plus" which is a free add-on and lets you block out spammy ads and unwanted videos which eat up your bandwidth.

2.) Set your Privacy settings so you block all 3rd party cookies

3.) Set your Privacy settings so you have to Accept/Decline all 1st-party cookies

4.) Erase everything (e.g. Cache, Passwords, etc) when you close Firefox

5.) Don't store browsing or search history


There is quite a bit more that you can do, but those are some basics.


Rob
 
All times are GMT -5. The time now is 09:25 AM.