Latest image
Recent comments
- Hiiii ;)
4 hours 42 min ago - Hi Uwe,
I try your script in
5 hours 5 min ago - Hiiii ;)
17 hours 25 min ago - I can make a flower just
1 day 14 hours ago - its obvious who ever wrote i
2 days 13 hours ago
My identi.ca posts
- uwehermann: At !FOSDEM ? Consider visiting the !coreboot / !flashrom devroom. Board porting, ACPI, flashing etc. !freesoftware http://ur1.ca/ln1n
- uwehermann: Uploaded a new upstream version of #cycfx2prog (!freesoftware #FX2 #USB !microcontroller flasher) to !debian unstable. http://ur1.ca/lez5
- uwehermann: @thb While #ARM is nice, #x86 also has potential using !coreboot, a free software !BIOS / !firmware. Increasingly more boards are supported.
- uwehermann: So !identica doesn't recognize groups in dents if the exclamation mark follows an opening brace. NOT OK: (!bios). OK: ( !bios). Spaces FTW!
- uwehermann: There's a !coreboot ( !freesoftware !bios) & !flashrom ( !linux bios flasher) devroom at !fosdem. Several talks planned. http://ur1.ca/l409
My del.icio.us bookmarks
My Other Sites
Creative Commons
Subscribe
Blog:
Podcast:
Photoblog:
Statistics
Configure Firefox/Iceweasel 3 to be more secure / usable / bearable
Thu, 2008-06-26 18:32 — Uwe Hermann
Today seems to be Firefox/Iceweasel 3 Bashing Day on Planet Debian, so let me join the fun :)
I agree with most other people that the default Firefox/Iceweasel 3 config is not ideal, so here's what I did to fix it. Some of these items improve performance, some remove annoyances, some remove privacy issues, some remove security issues. Not everything here may be desirable for people other than me.
General
- Disable the bookmarks toolbar via "View / Toolbars / Bookmarks Toolbar", nobody needs that and we save some screen space. Remove all pre-defined bookmarks while we're at it.
- Select "View / Toolbars / Customize".
- Add the "New Tab" button/icon right after the "Home" button. This is probably the most-used button (for me at least) and it's not available per default...
- Click "Use Small Icons", there's no reason to waste screen space.
- Remove the Google search bar (useless).
- Now move all icons and the URL bar into the menu bar (I'm not kidding). After that you can disable the nagivation toolbar via "View / Toolbars / Navigation Toolbar" and save even more screen space.
Preferences
Select "Edit / Preferences".
Main:
- Select "When Iceweasel starts: Show a blank page".
- Set "Home Page" to whatever you see fit.
Tabs:
- Enable "Always show the tab bar".
Content:
- At the right-hand side of "Enable JavaScript" click "Advanced" and uncheck all checkboxes. JavaScript stuff shouldn't need to do any of those operations.
- Uncheck "Enable Java". Nobody needs this crap and it's a huge security risk.
Privacy:
- Disable "Keep my history for xyz days" completely. Huge privacy risks.
- Disable "Remember what I enter in forms and the search bar". Huge security and privacy risks, almost no gain.
- Disable "Remember what I've downloaded". Huge privacy risks.
- Uncheck "Accept third-party cookies".
- Choose "Keep until: I close Iceweasel".
- Click "Show Cookies" and remove all of them.
- Enable "Always clear my private data when I close Iceweasel". Click "Settings" and check all items. You want to purge everything when closing Iceweasel.
Security:
- On the right-hand side of "Warn me when sites try to install add-ons" click "Exceptions" and remove all exceptions.
- Disable "Tell me if the site I'm visiting is a suspected attack site". Useless crap, possibly a privacy issue.
- Disable "Tell me if the site I'm visiting is a suspected forgery". Useless crap, possibly a privacy issue.
- Disable "Remember passwords for sites". This is a huge security risk, never ever enable it!
Advanced:
-
"General" tab:
- Enable "Warn me when web sites try to redirect or reload the page".
- Disable "Check my spelling as I type". Useless, annoying crap, which probably even impacts performance.
-
"Update" tab:
- Disable "Automatically check for updates to: Installed Add-ons".
- Disable "Automatically check for updates to: Search Engines".
- Select "When updates to Iceweasel are found: Ask me what I want to do".
- Set
browser.urlbar.matchOnlyTyped = trueto disable the new, annoying "AwesomeBar" URL bar feature (which is also a huge privacy risk). - Browser tabs are way too huge for my taste (thus only very few fit on the screen). Fix it with
browser.tabs.tabMinWidth = 60andbrowser.tabs.tabMaxWidth = 60(needs a browser restart). You can even use less than60if you don't need any text and an icon per tab is enough for you. - Disable the annoying, flashing auto-search stuff when you select "Tools / Add-ons / Get Add-ons": Set
extentions.getAddons.showPane = false. - Set
bidi.support = 0. You'll probably never need it, so reduce the number of potential bugs and security issues by disabling it. - Self-signed certificate handling is annoying, so fix it with:
browser.ssl_override_behavior = 2andbrowser.xul.error_pages.expert_bad_cert = true(thanks Pierre Habouzit). - Set
browser.tabs.closeButtons = 3in order to prevent accidental closing of tabs (no more Close buttons on each tab, only one global Close button on the right). Yes,CTRL+Shift+Thelps in case it still happens. - Set
network.prefetch-next = falseto prevent random prefetching of webpages which means wasting CPU cycles and bandwidth, as well as subtle privacy and security issues.
about:config
Open a new tab, enter "about:config" as URL and hit ENTER. Click the annoying "I'll be careful, I promise!" button. Uncheck "Show this warning next time" while we're at it.
Plugins
None. Don't even think about installing crap like the closed-source Flash player if stability or security are important to you. If you absolutely must watch YouTube videos, I recommend youtube-dl.
Extensions
Use as few as possible. Every extention may have security problems or bugs, and can negatively affect performance etc.
Pretty much the only one I use is NoScript to selectively enable JavaScript for some trusted websites (and disable it for all other sites).
Comments
Thanks a lot
and yeah, that really ought to be the default config, including the comments further down. Well, actually, I want to have some details slightly differently, but that would be a much saner configuration to start from, indeed.
In particular all that phone-home-and-other-strange-folks functionality ought to be disabled by default. It's really annoying that software as installed from the package does all kinds of undeclared network activity ...
firefox chrome opera safari ie sucks
Thanks for this excellent guide!
But first of all, it's nice to see a webpage like yours that still works without all that javascript crap, and can even be fairly well read with lynx. Less often is more ...
Most of your recommendations are settings that I use to make as well, here some additional ideas:
1. set xpinstall.enabled = false, and only enable it to install really, really needed extenstions (like script blocker :-)
2. set permission.default.image = 3, this prevents firefox from loading embedded third party ad banners and images. Surfing is such a better experience without too much ads and increases security, at the same time.
3. set network.dns.disableIPv6 = true, I'm sure firefox is not aware of the absence of ipv6 routers :-), so this may increase performance (and don't forget to re-enable it some years later :-)
4. Use some textbrowser like lynx instead, as long as only textual information is researched on the web. Pages that cannot be viewed without js or flash and the like, should be avoided, anyway.
5. I don't like the noscript extension too much, there's too much to fiddle around. Why? If there's really a need to activate js, I prefer to do this with a single mouseclick, and deactivate it the same way. Cookie extensions able to granulate more in detail do make more sense in my oppinion, for session cookies in some web applications.
Cheers
usefull tips
Thanks hermann,
These comments are very usefull and it is nice to see what someone else sees as a good interface. Personaly i do use some of these features (google extra search box) but most of your suggestions i followed.
I do have a question. I use a lot of firefox extentions for some webdesign projects (color it, measure it, fire bug..). Would you recommend to use a seperate browser instalation during work and private use to reduce risk ?
FF plugins
Well, I don't know. In general, the fewer lines of code, or plugins, are used/exposed, the smaller the likelihoods of successful attacks. Whether or not the plugins you use have known or unknown security issues I cannot tell, though.
Uwe.
Firefox 3 is still not stable
I use Firefox 3 in the past 2 weeks and I uninstall it after that. I will try again maybe at the end of this year. Firefox 3 have some issues with hotmail, especially the part where you want to attach files, it hangs up the PC everytime. Sometimes unable to show the URLs I had visited before.
I am now using firefox 2 for now. Just my sharing.
Houston
Question..
So why are you even using firefox? Sounds to me like you're taking the worst possible browser for your requirements and then trying to fix it. Surely other browsers exist that meet your 'requirements' better.
About Google Services
I set NoScript allowing Google.com, but they didn't work, the gmail and greader.
Any suggestions?
It should work. Sometimes
It should work. Sometimes you need to allow multiple domains, e.g. if Google services used xyz.com too (e.g. they host some JavaScript there or something) you need to allow that too. NoScript should list all sites which are required.
Two more things you may want
Two more things you may want to change,
1. Disable extensions.blocklist.enabled. This polls a mozilla website for an extension blacklist.
2. browser.contentHandlers.types.[012].uri are default set to URL's for Bloglines, My Yahoo, and Google. If you ever open Edit->Preferences->Applications then it will contact those uri's to get an icon and google sets a cookie. Setting the uri to blank stops the contact.
youtube
better than youtube-dl, check out the youtube plugin in totem (you need a recent version)
You're the security guy!
Man, I thought I was aware about browser security, but you are the browser security itself!
Very good your tips, even though some are a little bit radical, but for those with security in first place they are a must.
tabs
I don't use the mouse to add tabs (^t) but it sounds like you do.
I saw that you preferred to have the tabs bar always visible, I do that my self, this gives you the feature of getting a new tab by double clicking next to the open tabs. If you have filled the tab bar then a right click and you have the new tab there. seems to waste useful space by adding a new tab button.
I use ^t and then the location field is selected, ready to be typed in =)
tabs
Depends, when my hand is moving the mouse pointer around already I click "new tab", when my hands are on the keyboard I use CTRL+T, yes. Whichever works faster.
I recomend the following
I recomend the following setting:
plugin.default_plugin_disabled = false
That way you won't get the annoying yellow bar at the top of the page asking you to install some pluging everytime you end up on a page with some flash or other crap embedded.
Google search box
I configure my browser similarly to you. One difference is that I use the Google search box; however, I do not leave it in the default configuration. I move it to the big empty space in the menu bar and then I configure Firefox to open searches from the search box in a new tab. I also add a bunch of commonly used search engines to the search box. Then when I want to look something up on IMDB or search for info on a Debian package or find a torrent that I'm looking for, all I have to do is select the appropriate search engine, type in what I'm looking for and hit enter. A new tab opens up with the appropriate search results, all without disturbing my current work.