03-20-2008, 02:04 PM   #1
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Firefox && Iceweasel Security


Mini tutorial on setting parameters to secure Firefox || Iceweasel.
Not 100% but > 0%


Firefox/Iceweasel Security Config

Edit > Preferences > Content > Check Block pop-up windows

Edit > Preferences > Privacy > History > Uncheck:

Remember visited pages for the last 0 days
Remember what I enter in forms and the search bar
Remember what I've downloaded


Edit > Preferences > Privacy > Cookies

Check Accept cookies from sites (Exceptions: Port Spyware Blaster definitions over to Linux)
Keep until: I close Firefox || Iceweasel


Edit > Preferences > Privacy > Private Data

Check Always clear my private data when I close Firefox || Iceweasel
Check Ask me before clearing private data

Settings button: Everything should be checked in this window.


Edit > Preferences > Security > Check

Warn me when sites try to install add-ons
Tell me if the site I am visiting is a suspected forgery

Edit > Preferences > Security > Passwords > Uncheck

Remember passwords for sites
Use a master password


Edit > Preferences > Advanced > Network > Cache

Press Clear Now Button
Set to Use up to 0 MB of space for the cache


Edit > Preferences > Advanced > Update > Uncheck

Firefox || Iceweasel
Installed Add-ons
Search Engines



about:config

Type about:config in the url bar.

browser.cache.disk.capacity 0
browser.cache.disk.enable false
browser.cache.disk_cache_ssl false
browser.cache.memory.enable false
browser.chrome.favicons false (*)(up to user)

network.cookie.enableForCurrentSessionOnly true
network.cookie.lifetime.days 0
network.cookie.lifetimePolicy 0



Manage Search Engines

Access this window from the search engine window.
Uncheck Show search suggestions.



Add-ons

Cert Viewer Plus
https://addons.mozilla.org/en-US/firefox/addon/1964

ShowIP
https://addons.mozilla.org/en-US/firefox/addon/590

NoScript
http://noscript.net/

Firekeeper
http://firekeeper.mozdev.org/

Perspectives
http://www.cs.cmu.edu/~perspectives/firefox.html

CookieCuller
https://addons.mozilla.org/en-US/firefox/addon/82

Cookie Monster
https://addons.mozilla.org/en-US/firefox/addon/4703

Remove Cookie(s) for Site
https://addons.mozilla.org/en-US/firefox/addon/1595

Netcraft Toolbar
https://addons.mozilla.org/en-US/firefox/addon/1326

Security Variables

Browser Rootkits
http://www.gnucitizen.org/blog/browser-rootkits/

Italian Bank's XSS Opportunity Seized by Fraudsters
http://news.netcraft.com/archives/20...raudsters.html

_

Last edited by internetSurfer; 12-21-2008 at 09:31 PM.
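
An added example, not part of the original post: a small Python check that parses a profile's prefs.js and compares it against the about:config values listed in the post above, taken as given. The function names and the sample file content are constructed for illustration; a pref absent from prefs.js is reported as unset, because that file records only prefs changed from their defaults.

```python
import re

# Expected values, copied as-is from the about:config list in the post.
EXPECTED = {
    "browser.cache.disk.capacity": 0,
    "browser.cache.disk.enable": False,
    "browser.cache.disk_cache_ssl": False,
    "browser.cache.memory.enable": False,
    "browser.chrome.favicons": False,
    "network.cookie.enableForCurrentSessionOnly": True,
    "network.cookie.lifetime.days": 0,
    "network.cookie.lifetimePolicy": 0,
}
# prefs.js syntax, one pref per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} with bool/int/str values from prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.groups()
        value = {"true": True, "false": False}.get(raw)
        if value is None:
            value = int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')
        prefs[name] = value  # a later line for the same name replaces an earlier one
    return prefs

def audit(text, expected=EXPECTED):
    """Classify each expected pref as 'ok', 'mismatch' or 'unset'."""
    prefs, report = parse_prefs(text), {}
    for name, want in expected.items():
        if name not in prefs:
            report[name] = "unset"     # absent: the browser default applies
        elif type(prefs[name]) is type(want) and prefs[name] == want:
            report[name] = "ok"        # type check needed: False == 0 in Python
        else:
            report[name] = "mismatch"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE = """\
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.memory.enable", true);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("browser.startup.homepage", "about:blank");
"""
```

Pass the text of a profile's prefs.js to `audit()`; any pref reported as unset has to be checked against the running browser's about:config.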
 
03-20-2008, 06:48 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Thanks for giving ten-easy-steps, but could you please ameliorate your post with reasons *why* people should do that?
 
03-20-2008, 07:41 PM   #3
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Original Poster
Rep: Reputation: 16
@unSpawn You are right. Here is a brief summary.

The Firefox/Iceweasel Security Config section configures the browser to retain zero information.

Porting over the spyware blaster definitions reduces tracking user variable.

Having the window appear to clear the Private Data is better than
assuming that the automatic version hasn't been compromised in
clearing data. Not to say that the window version can't either.

I don't recommend storing passwords, cache or other info in the browser. exploit

In Linux, manually checking for updates and pkgs is the norm.

Better to check manually for Add-ons to mitigate against a
dns rebinding attack which installs a modified add-on (Browser Rootkit).

No need to directly attack Linux there are enough M$ OS's doing this task. (Storm Botnet)

Supporting search suggestions in search plugins.

JSON is JavaScript and a part of Web 2.0 and AJAX security issues. Jikto

about:config tweaks are to mitigate against a variable of this exploit.

Firefox Favicon JavaScript Execution
Stealth MBR Rootkit based on older project.

The add-ons address security issues like phishing, iframe attacks and spoofing.

The netcraft toolbar can be used also.

_

Last edited by internetSurfer; 03-21-2008 at 11:51 AM.
 
  

