[ale] nailing down firefox security and privacy - PT 1
Ron Frazier
atllinuxenthinfo at c3energy.com
Wed Oct 12 16:58:51 EDT 2011
comments inline
On 10/12/2011 11:22 AM, Michael B. Trausch wrote:
> On 10/11/2011 05:38 PM, Ron Frazier wrote:
>
>> I've been spending a good bit of time recently upgrading and configuring
>> Firefox because Pandora decided it wasn't going to work after an upgrade
>> they did. I was on Firefox 3.2.? and was holding back upgrading because
>> of some UI changes in the new Firefox as well as some plugin
>> compatibility problems. Eventually, I had to bite the bullet and
>> upgrade. As I've mentioned in other posts, I like to keep my shields at
>> the paranoid level, whether I'm running Windows or Linux. In fact, I
>> run my Firefox configurations exactly the same on both systems, so this
>> applies to this group. There are a number of security and privacy
>> settings which come into play with Firefox, and it's not always obvious
>> how to set them. I'm going to explain how I set mine up in order to
>> maintain a high level of security as well as a decent level of
>> functionality. There are also a number of handy plugins which I will
>> explain. Hopefully, the research I've done will help others who want to
>> keep their shields high. Some of you may already know this stuff, but
>> some others probably don't. I have to relate a number of options
>> settings. This will be a bit difficult in text, but bear with me.
>>
> I have said it before, and I will say it again: The only way to "keep
> the shields high" is to provide education. Technology (in particular,
> things like you advocate here) can *not* save users from anything.
>
>
I agree that users should be educated, and should practice smart safe
computing. But the fact is, they're human, and they make mistakes. I
could not disagree more that technology will not save users from
anything, in that you stated it as an all encompassing universal
negative statement. When stated as a universal statement, that is
patently false. It is entirely possible, sort of practical, and
frequently preferable to use technology in addition to user education,
to create a layered defense against attack.
I have a personal real world example. One of my family members is a
fairly knowledgeable, fairly computer savvy, and fairly security savvy
user. Recently, she happened on a malicious website by mistake while
searching around for something else. Immediately, a dialog box pops up
on the screen, which says something like Windows Security 2000 Warning,
or something. It has a nice graph going across the screen, showing a
virus scan in progress (supposedly). It posts a message saying that
malware has been found on her system, and asks if she'd like to
disinfect it now. It looks VERY real. In the 5 seconds of indecision
she had, she clicked the YES button, and that let the virus in the
door. Everything on the screen was fake. Then, she thought about it
and called me and I logged in remotely to look at it. I told her
everything on the screen was fake. I spent the next week rebuilding her
machine. I know, beyond the shadow of a doubt, that if she had the
technology set up the way I recommend, the popup windows would never
have happened and her system would not have been infected on that
occasion. Now, those of us that keep up with security news have heard
about those ruses. She'd heard about it too, but she'd never SEEN it.
When she actually saw it, that little bit of indecision and panic is
what got her.
> Something has been bugging me the past month or two. Ron called me
> (anonymously) "unethical" a while back on the list (though he didn't
> name me in particular). I'll provide a bit of context so that the rest
>
I don't believe I called you unethical. I believe I called some
behavior potentially unethical. There is a subtle, but important
difference. I didn't mention any names, because I don't know the
members names by sight, except for a few. I was citing a generic
example, not attempting to single any one person out.
> of the group can recall. But before I do, I'm going to say this: I
> find this brand of advice to, itself, be unethical. It propagates the
> mindset that technology can solve our problems better than education,
> and actively serves to lower the collective expectations of not only
> end-users, but that of IT support people like myself who then have to do
> even more hard work to try to get people to understand that they are the
> key, not the software that is running on their computer. This way of
> thinking costs me time and money simply because people are given a false
> sense of security and truly believe that the technology will save them.
> It is wrong to teach this to people because it is, and it ALWAYS WILL
> BE, patently false.
>
>
I totally agree that the users should be educated and taught how to deal
with the risks that are out there. I have NEVER advocated that taking
any set of steps technologically absolves the user of using his / her
brain. However, there is nothing unethical about me teaching people who
are interested how to lock the doors, so to speak, on their computer.
Furthermore, just because I advise you to lock your doors at home, that
doesn't mean that I'm encouraging you to do something silly like walking
through a bad neighborhood waving 1 Million dollars around so thieves
can follow you home, break down your door with a sledge hammer, and rob
you and kill you. It is entirely expedient for the safety and risk
conscious computer user to use technology to augment the behavioral
steps they're taking and reduce their radar cross section on the
attacker's screen. Indeed, it would be unethical for me NOT to teach
interested users how to do this!
> At one of the recent meetings, I was talking about how I had an open
> wireless network, and how people who were unwelcome and used it were
> redirected to a rather gruesome site, regardless of what they were
> aiming for. Ron called this "unethical". Seeing as one must first be
> unethical and steal my bandwidth in order to get to the thing, I fail to
> understand how that is unethical. It is my personal, paid-for bandwidth
> and equipment, and I can configure and use it in any way I desire as
> long as I cause nobody harm. If someone causes harm to his or her self
> by using my equipment (indeed, by unethically using my bandwidth), well,
> them's the spoils. It is unethical to steal. Back when I was running
> an open network (because I had devices that literally were unable to
> perform secure encryption and I failed to see the point of WEP), if
> someone would have asked me to use my network I would have quite likely
> allowed it. I had no reason *not* to allow it. But you can't just join
> my network and use it without permission.
>
>
I remember the event, but don't remember the exact verbiage of what you
said, and cannot quote it. However, what I thought you were saying at
the time was that you had posted this open wifi in order to entice and
entrap users (my words, not yours) and then redirect them to this ugly
site. That is what I meant to say I thought was unethical. And, I
believe my original comment was that it borders on being unethical, or
something similar. So, what you're saying now is that you basically
want to give a bloody nose (in effect) to squatters who are using your
hotspot without your permission. I see your motivation to do that. I
see three potential problems with that. A) Many people feel that they
are entitled to connect to any available hotspot, like it's breathing
air or something. I don't agree, but that's what they think. B) Many
people don't know what hotspot to connect to in an unfamiliar city or
whatever, so they simply choose one from a list. C) Many PC's are set
up to automatically connect to the strongest signal they find. So, the
user may not even know he's connected to your hotspot. So, even if
you're not enticing people or entrapping people, there is a significant
chance that innocent or relatively innocent people will connect to the
hotspot, and get to your gruesome site. What if a 10 year old connects
on his ipod, etc. So, even if the practice is not unethical, I see many
potential problems with it.
> It seems that Ron thinks that an open wireless network somehow conveys
> implicit permission to use it---and this is a problem with a lot of
> society. They think the same thing. They think that if there isn't a
> safeguard in place on something that they have the entitlement to go
> through it.
>
I never said that, don't believe it, don't condone it. However, to
prevent either intentional or inadvertent squatting by others of your
wifi connection, I recommend strong WPA / WPA2 encryption with a very
beefy cryptographically strong password, if you can.
> You know, there was a time when one could forget one's keys in their
> ignition and the car would, with a very high degree of probability,
> still be there when you got back to it. Today this doesn't happen. A
> few months ago, I encountered a car for sale in a parking lot not far
> from my home. The car was unlocked, and it had the keys in the
> ignition. I called the number on the "for sale" sign in the window, and
> let the guy know that the keys were still in the ignition and that the
> car was unlocked. He was genuinely surprised that I did that. Why?
> Because we expect people in today's society to generally suck, that's
> why. I, too, would be surprised to receive such a phone call. People
> feel that they are entitled to whatever they find, these days,
> regardless of where they found it. An open network connection, an iPod
> in an unlocked (or hell, even a locked) car, whatever. It is
> disgusting. Our society is full of truly unethical elements.
>
Yes, it is disgusting. We agree on that one.
> And no, for the record, I don't feel that it is in any way unethical to
> do what I did, and if I were to, for whatever reason, be compelled to
> run an open network again, I would do the very same thing that I did
> before. It accomplished a very real goal: Unwelcome people only ever
> joined my wireless network a single time. They never, ever came back.
> It served its purpose, and it entertained me in the process. I see
> absolutely nothing wrong with that at all.
>
>
>> While not directly related to Firefox, I strongly recommend using the
>> OpenDNS ( http://opendns.com ) system to resolve your domain names.
>> They automatically apply phishing protection to all DNS queries as far
>> as I know. If you desire to, you can also filter certain sites based on
>>
> I would strongly recommend that people NOT use OpenDNS. Why? Because:
>
> * They break the DNS standard. They do not return NXDOMAIN when they
> should. Unfortunately, a fair number of ISPs engage in this
> destructive behavior as well. This means that when you ping a
> non-existent site, you actually wind up pinging a machine that is
> alive and well and getting an erroneous result. This is bad.
>
> Such behavior also breaks SSL sessions in certain circumstances and
> gives users a far more cryptic error than "the server appears to be
> down". In the normal circumstance, a downed server or domain results
> in an error saying that it wasn't found. In the case of using one
> of these broken DNS servers and encountering a downed domain (or one
> mistakenly identified as "bad", FSVO "bad"), you instead get a
> very nasty message in your Web browser saying that your security
> is in danger.
>
> * They are a blacklist. Blacklists contain errors. More on that
> below.
>
> * They actively go through the data they collect, such as what users
> are visiting what sites. They can use that information to "improve"
> their database. More to the point, I don't trust them to not misuse
> that information. Do you?
>
> * Even more to the point, do you think that the people you advocate
> OpenDNS to are even capable of making the realization that they are
> engaging in a decision that indicates that they trust the system
> and the people behind it not to screw them in some way?
>
>
I can't speak to the technical merits of OpenDNS. I use it because it
provides me phishing protection and content filtering. I stated the
content filtering was only effective 95% of the time. The same may be
true of the phishing protection. However, I'd rather have shields for
95% than 0%. I trust the motives of the OpenDNS folks more than I do of
Comcast and other major ISP's.
>> Now, on to Firefox. The latest version is 7.0.1. You should have this
>> or later once you upgrade or install anew. They've been ramping the
>> versions up very fast lately. The big thing in UI design these days
>> seems to be to eliminate the menus. Personally, I hate this design.
>> So, the first thing I do in this case is to turn the menus back on.
>> Firefox will have a little orange "Firefox" button in the upper left.
>> Click that, hover over options, and check menu bar to turn it on. You
>> should now have a menu. You can select help, about to check the version
>> number. In some systems, you will see a check for updates button in
>> this window. Click View, hover over toolbars, and turn on the Add-on
>> bar, if it's not already on. You can rearrange buttons in Firefox by
>> clicking on the empty area to the right of the menu and clicking
>> customize. You can then move things like the back and forward buttons
>> around, or drag things from the dialog box to the menu areas or add-on bar.
>>
> Minor technical nit, here: I've always had to enable the streamlined
> menu. I don't understand why you dislike it, but I find it to be more
> efficient, and it does yield more (albeit only slightly) real-estate to
> the browser window.
>
>
Different strokes for different folks. Some say PO-TAA-TO. Some say
PO-TAH-TO. Some like shiny laptop screens. Some like matte. Personal
preference. What I don't like is them suddenly and fairly radically
changing the UI during an upgrade and me having to spend 2 hours
googling just to put my browser back the way I like it. If they want to
give me a choice, then they should actually give me a choice.
>> My objective is to configure Firefox so there is no unauthorized
>> scripting, little or no unauthorized tracking, little or no unauthorized
>> storage of information on my PC, and no unauthorized pop-ups.
>>
> I am sure that you realize that this is completely impossible without
> causing damage to the user experience. Even if you get an end user to
> install all the cruft, you will find yourself (or people like me, find
> ourselves) supporting these users and having to explain to them that
> it's their software that is causing the problem. Then they want to know
> why their software isn't smart enough to just do what they mean. They
> then want to know why they have to know anything about the whole bloody
> mess, when all they want to do is get to their stupid games on Facebook.
>
>
Yup. I do indeed realize this. Security and ease of use are ALWAYS
contradictory. I'm not advocating these settings for every user out
there, or even average users, or even for everyone in my extended
family. I'm A) presenting one possible way to set things up, and B)
advocating this for those users who are security conscious enough and
technical enough to set it up and put up with a little hassle in order
to gain a bit more security and privacy. If I go to a website that
doesn't work just right, I will lower the security and privacy settings
for that site, on a site by site basis, IF the following two criteria
are true: 1) I really really need the site to work in some special way,
as opposed to just displaying information. 2) I have some reason to
believe the site is credible and trustworthy, other than what the site
itself says. My bank, other financial sites, Amazon, Pandora, my ISP,
etc. are all sites which I make these exceptions for. But this list is
only about 20 sites or less. 95% of everything I do on the web works
well enough without scripting, tracking, cookies, stored information, or
pop-ups.
>> A new installation of Firefox should not have any accumulated history.
>> However, an upgrade might. If you want to start with a clean slate,
>> clear all your history as follows. Click Tools, click Clear Recent
>> History, select Everything in the drop down box. Below, you can observe
>> check marks which show what will be cleared. All should be checked.
>> Click Clear Now. Note, if some of the sites you've been using depend on
>> history or preferences, you'll have to reset them.
>>
> Great way to lock people out of their accounts, this is. A lot of
> people rely on their Web browser to store their credentials for them.
> Tell them to do this and they'll be fighting for a long time (and
> usually unnecessarily frustrated while doing so) getting password resets
> done for them on all of their common things like Facebook or their
> bank/credit card/whatever sites. Especially those stupid sites that
> think that the lack of a cookie means that you have to go through
> special verification processes.
>
>
My last sentence in the above paragraph is a disclaimer to this effect.
Again, I'm not advocating that every user try this. For the most part,
the readers of this group are a highly technical sort. When I get a
chance to advise anyone, I recommend that they DON'T rely on stored
credentials.
>> Block pop-up windows - ON (or checked)
>>
> That is the default.
>
>
I'm not assuming everyone has the settings at the default. Just
documenting what's on my system.
>> Enable JavaScript - ON (Disabling would be more secure and safer, but
>> many websites would break. We'll deal with this using the NoScript plugin.)
>>
> NoScript isn't a solution, either.
>
>
There is no single silver bullet solution to most real world problems.
NoScript is a valuable tool which helps prevent a certain genera of
problems. See the story of my wayward family member at the top.
NoScript would, or equivalent settings in IE, would have prevented the
problem.
>> Click the Advanced button beside the JavaScript line and set these options.
>>
>> Allow scripts to:
>>
>> Move or resize existing windows - OFF (or unchecked)
>> Raise or lower windows - OFF
>> Disable or replace context menus - OFF
>>
> Most excellent. Now software like Redmine won't work. Congrats!
>
>
Make exceptions for trusted sources that need it. In this case, I don't
know if you can change this on a site by site basis. The very real
possibility exists that malicious JavaScript code can use these options,
if enabled, to confuse the user and prevent them from seeing warning
signs of an attempted attack.
>> Remember my download history - OFF (You could turn this on if desired.)
>>
> What does this accomplish?
>
>
>> Remember my search and form history - OFF ( ditto )
>>
> What does this accomplish?
>
>
>> Clear history when Firefox closes - ON
>>
> What does this accomplish? The so-called "awesome bar" is a lot more
> useful to users when their history is kept. So by doing this, you
> effectively disable the additional (and quite useful) functionality.
>
>
Partly personal preference. Should the machine be compromised, the less
privacy invading history information on the system, the better, in my
opinion. Also, I've heard of malicious scripts looking into history to
find out what other sites you're going to, etc. It also relates to
reducing your trackability. Many people routinely clear cookies. This
is just an extension of that philosophy.
>> Click the Security tab. Set the following.
>>
>> Warn me when sites try to install addons - ON
>>
> This is the default.
>
>
>> Block reported attack sites - ON
>> Block reported web forgeries - ON
>>
> I have only ever encountered false positives with these settings; I view
> them as useless.
>
>
I've never knowingly encountered it at all. However, if Firefox thinks
the site is a problem, I'd rather it block it and then try to figure out
why.
>> Remember passwords for sites - OFF (I prefer to remember my own
>> passwords or have something like Lastpass do it.)
>>
> You're in the minority, unfortunately.
>
>
>> Use a master password - ON (Then complete the dialog box to set it.)
>>
> Why do that if you're not saving passwords in Firefox?
>
>
In the case of some family members who's computers I maintain, I don't
want them changing the settings without me knowing it. Also, if anyone
else or any software tries to change the settings, I want to know it.
Furthermore, if the user does decide to start storing passwords within
FF, they'll already be protected by the master password.
>> Click OK to save all the options and dismiss the options screen.
>>
>> Now, open a blank browser tab.
>>
>> Type about:permissions in the web address blank and hit enter.
>>
>> You will get a screen which allows you to set the default permissions
>> for sites as well as override them for specific sites. Click the All
>> Sites line in the upper left. Set the default permissions as follows.
>>
>> Store passwords - BLOCK
>>
> Again, you're in the minority. I have never managed to convince anyone
> not to use the built-in password storage.
>
>
>> Share location - BLOCK
>>
> What's wrong with "Always Ask"? Most people ignore the request anyway,
> and the rest often say no when asked.
>
>
Personal preference. For the PC's I maintain, there is never a time
when I'll want to share location data unless I specifically go to the
trouble to turn it on on a site by site basis. I don't even want to see
the dialog box. Keep in mind, these are default settings which can be
overridden if desired.
>> Set cookies - ALLOW FOR SESSION
>> Open Pop-up windows - BLOCK
>> Maintain offline storage - BLOCK
>>
> What does this truly accomplish, other than a false sense of security?
>
>
It is part of my basic philosophy not to have persistent data for any
website on my system unless I specifically allow it. Taking doubleclick
as an example. If you go to site A and they link though doubleclick,
and you go to site B and they link though doubleclick, then, very
shortly, doubleclick will have a record of hundreds of sites you visit,
and that data is shared with marketing types without your permission. I
simply don't allow persistent data without my express approval. For
those who choose to implement the steps I describe, I'll share later how
to allow persistence for those sites which you desire to have it.
Pop up windows are annoying, plain and simple. Also, if you
accidentally hit some malicious site by clicking an erroneous link or
typing a web address wrong, you can end up with dozens of popups on the
screen or porn or ads or "you have a virus" messages. They can be used
both to annoy and attack. Sometimes, if they're malicious, just the act
of trying to close them invites in a virus. I cannot imagine why anyone
would universally want popups on. However, it's partly personal preference.
>> You can now close this tab, or go to another web page.
>>
>> That's it for the basic Firefox configuration, but we're just
>> beginning. In the next post, I'll talk about how to set up the NoScript
>> and Ghostery plugins. I hope to complete the other posts tonight and
>> tomorrow.
>>
> NoScript, and plugins like it, are nice in theory. In practice most
> users view them as a burden and something else that they have to manage.
>
Not talking to all users.
> It is far easier to get people to understand that they shouldn't just
> click every single stupid link in their email, on the Web, or in a program.
>
My family member cited above knows this. It was unforseeable and
unpredictable that the link she clicked was malicious. It looked
perfectly legitimate from the appearance.
> That said, there is very little *true* problem with running JavaScript.
> Today's Web developers require JavaScript be enabled. After all, we
> can even have that on phones these days.
>
>
Keep in mind, when I run NoScript, I'm not just disabling JavaScript,
but also Java, Flash, and pretty much any other automation on the page.
There are many potential sources of problems that turning off automation
eliminates. I basically don't want anyone I don't trust and know
running mysterious and unknown programs on my computer. Any time a
website runs a program from a stranger you don't know, or any time it
invokes a "reader" to read a PDF or flash or an image or an animation,
etc., it's just one more opportunity for crackers to discover a bug
somewhere in your software and exploit it.
> If we were running Python in the browser, that'd be a little bit
> different since there is (at least to my knowledge) no truly sandboxed
> version of Python available. But JavaScript is virtually always
> sandboxed, and cannot do any real harm to your system.
>
> Keeping a computer secure is all about what the person sitting at the
> keyboard knows, not about what software is running on the computer. It
> has always been this way and it will always continue to be this way.
> Educate users; tell them why they shouldn't go browsing every possible
> link they find, give them an idea of what types of sites can be trusted
> versus not trusted, tell them why they should have some idea of what is
> on the other end and whether or not they should trust it.
>
>
I agree with what you said about the users and education. I just don't
agree that we should exclude technological measures. Using the metaphor
of my house, I lock the doors AND avoid the shady areas of town.
> And tell them why they shouldn't have ad blocking software installed,
> too. People keep that shit up, we'll have to pay for everything on the
> Internet out of our wallets, instead of just the things that aren't
> ad-supported. I suspect that you disagree with me on that, too.
> Wouldn't surprise me, when I had heavy traffic to my blog and I had
> Google AdWords on it (hey, they're quite non-intrusive), I had something
> like 99% of people blocking the ads. Everybody expects something for
> nothing these days.
>
> --- Mike
>
I do disagree, but the reason is that the purveyors of ads have made
them so obnoxious and intrusive, that they're intolerable. Way back in
the day when I used to watch old episodes of Star Trek in the '70's, the
actual show was about 52 minutes and the ad slots were 8 minutes. That
was tolerable and reasonable. Now, when I turn on any major network, I
get 4 minutes of content and about 6 minutes of commercials at times.
Overall, I think they're using about 24 minutes of the hour for
commercials and the rest for content. This is unreasonable and
abusive. Therefore, I DVR the program and skip ALL the ads, rather than
watching 8 minutes of them as I did years ago. In terms of web sites,
ads are almost universally intrusive and obnoxious. I feel the same way
about them as I do about the TV. I don't mind paying for things if the
price is right. I pay for Pandora's premium offering. I like the way
Evernote does things. Give basic service away, charge for enhanced
service. Modest ads I can deal with, but I think most users of ads have
gone way over the line. Leo Laporte's podcast network is now ad
supported. I'm OK with that as long as they don't get too long and
obnoxious and frequent. Remember when they started putting ads on soda
cups in the restaurants and on the tiles on the floor. Give me a
break. I'm there to get a sandwich and a drink, not to be commercialed
to death. The key is balance, but most marketers don't understand that.
Sincerely,
Ron
--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
More information about the Ale
mailing list