Securing Firefox browser

Submitted by rphair on Wed, 09/22/2021 - 17:28

Even if you are going to be keeping this computer "cold" and never connect it to the Internet again -- not for software or any kind of upgrades -- it is still suggested you set more secure Firefox settings in case:

  • the host is accidentally connected to the Internet when booted from Frankenwallet
  • in case some system compromise becomes pending when an HTML file is opened, which by default happens in the browser… with the default browser being Firefox.

This also creates some flexibility in case you end up keeping your Frankenwallet for a while and decide to judiciously connect your Frankenwallet to the Internet under controlled circumstances:

  • It’s likely you’ll need to reconnect the Internet every once in a while and with great prejudice may need a browser to get software.
  • Therefore we must remove institutionalised security breaches from Firefox, whose source code is pretty secure but whose default settings are far too open.
  • Remember Firefox changes and moves these options constantly so there’s no way off assuring this list is complete from one month to the next.
    • i.e. when you see out in your "hot" environment that Firefox has had a substantial upgrade, ou’ll have to go over every setting in Preferences to make sure you’re not divulging your Internet presence in some new way.
  • NOTE following the advice in this section is precautionary only and does not make it “safe” to browse the Internet.

➤ Whenever possible, whether your environment is cold or only "cool", don't use any browser when you can download pages, files & packages with the wget command on the Frankenwallet.

  • Even when software installations are automated, or interactive through a web site, you can often determine the direct download URL from sites like GitHub, GitLab, Ubuntu Launchpad, or the vendor's own web site.
  • Better yet: download those pages, files & packages from your "hot" environment into the host folder, where you can access them in your Frankenwallet without compromising your security at all.

Firefox settings for use in an intermittent air-gap (updated 2021-01-04)

General > Browsing > untick these two options:

  • Recommend extensions as you browse
  • Recommend features as you browse

Home >

  • New Windows and Tabs > New Windows and Tabs: set both to “Blank page”
  • Firefox Home Content: untick EVERYTHING

Search >

  • Search Bar: select “Add search bar in toolbar”
    • to avoid inadvertently searching for something if you type a badly formatted URL
  • Default search engine: DuckDuckGo (doesn’t really matter, since we stop it from searching, so upon general principles)
  • Search Suggestions: untick everything
  • Search Engines: remove everything except DuckDuckGo (Firefox requires you to leave one behind :zany:)
    • We don’t want some commercially provided plugin to ever run in response to something being searched from the browser.
    • FYI Firefox updates may bring these back (if you ever find out how to stop that from happning please let us know.)

Privacy and Security >

  • Enhanced Tracking Protection >
    • select Strict
    • DO NOT send DO NOT TRACK requests (and you will not be going anywhere that tracks you)
  • Cookies: make a point to check which ones are stored every once in a while.
    • if you have more cookies than you would need for a Github or Gitlab login, you are getting yourself into trouble :angry:
  • Logins and Passwords > UNTICK EVERYTHING
    • otherwise it will use the “Firefox Lockwise” service to determine if you’re trying to save a password on a “breached website” (see link)
  • Forms and Autofill > UNTICK EVERYTHING
  • Permissions > nothing to change here, but DO NOT ALLOW Firefox to grant any web site access to ANY of these.
    • Keep in mind that passwords and wallet key phrases can be gleaned from the camera and/or the noise you make when you type on the keyboard.
  • Firefox Data Collection and Use > UNTICK EVERYTHING
  • Deceptive content > UNTICK EVERYTHING
    • Since you're not visiting any deceptive or malicious sites, it's better that you don't telegraph all your Internet visits to analytics services.
  • Certificates > UNTICK box for Query responder servers

Sync > disabled by default.  Don't ever use this!

Note for Google Chrome users

If you are incapacitated on the Internet without Google Chrome, FYI you can install the Chromium package (i.e., the open source part of the browser, without the spyware) but then you will have to make your own audit of the relevant security settings (suggestions welcome):

  • apt install chromium-browser
Page created: 22 September 2021 17:28 UTC
Last updated: 12 February 2023 15:52 UTC