Firefox About Config Privacy and Security Settings
November 4, 2014
Below are some configuration settings you may consider enabling in Mozilla Firefox in
about:config for privacy and security reasons. This list is not meant to be exhaustive and
generally does not list entries that can easily be set via the options or preferences menu. Some
of these settings have a negative performance impact or remove functionality. Also keep in
mind that the further you take your Firefox configuration away from the norm, the rarer your
Firefox setup might become and therefore, ironically enough, the more identifiable your
system may be (see https://panopticlick.eff.org/ for details). We therefore recommend
reviewing the list below and setting those that make sense for your scenario. This list was
created using Firefox v33.
Begin by typing about:config in the Firefox location bar, then search for the following:
network.prefetch-next
Set it to false to disable. Link prefetching can be used by web sites to give web browsers hints
about which pages are likely to be visited so that the browser can download them ahead of
time, with the goal of improving performance. There is no same-origin restriction for link
prefetching. According to this FAQ, "prefetching will generally cause the cookies of the
prefetched site to be accessed".
network.dns.disablePrefetch
Set it to true to disable. Similar to above, this feature allows Firefox to perform DNS
resolution proactively.
network.http.sendRefererHeader
Set it to 0 to prevent Firefox from ever sending the HTTP referer; however, this is known to
break certain web sites that check for the referer. An alternative to specifying this
setting is to install the RefControl add-on, which allows you to control the referer and
specify per-site exceptions. You may also wish to review the setting
network.http.sendSecureXSiteReferrer.
browser.send_pings
Set it to false to disable. According to MozillaZine: "If you are concerned about privacy and
have already turned off referrer sending and JavaScript, you may want to set this preference
to false". If you decide to keep browser.send_pings enabled, then you may wish to review
browser.send_pings.require_same_host as well.
beacon.enabled
Set it to false to disable. As per the W3C Editor's Draft, part of the reason for the Beacon
specification is for "analytics".
geo.enabled
Set it to false to disable. This feature enables location-aware browsing. When this feature
is enabled, Firefox prompts you on whether you wish to share your location; setting
geo.enabled to false permanently turns off this prompt.
general.useragent.override
Set it to any string you wish in order to override the default Firefox HTTP user agent string.
You may need to create this entry first by right-clicking in the list of preferences and selecting
New | String. Note that depending on which user agent string you specify, this will greatly
change your browsing experience for certain web sites, and also keep in mind that certain
fields in the HTTP headers can betray the actual underlying user agent that is being used.
webgl.disabled
Set it to true to disable. If you do not need this functionality, you should disable it in order to
reduce your attack surface. See this SANS ISC entry for details.
pdfjs.disabled
Set it to true to disable. This will disable the built-in PDF reader thus reducing your attack
surface, assuming of course you are not going to load the PDFs in a more vulnerable PDF
reader.
plugins.notifyMissingFlash
Set it to false if you did not install the Adobe Flash plugin for Firefox, which is becoming
more feasible with the shift towards HTML5. This will stop Firefox from prompting you
to install Adobe Flash when it detects Flash content.
security.cert_pinning.enforcement_level
Can be set to any value from 0 to 3 to control certificate pinning behavior (0 disables it, which
we do not necessarily recommend). Review this page to confirm the best setting for you. Note
that setting it to 2 may interfere with certain security solutions.
security.tls.version.min
Set it to 1 to disable SSLv3 entirely, or higher to make TLSv1.1 or 1.2 the minimum version
to use. This will no longer be necessary once Mozilla disables SSLv3, as planned, in the
upcoming Firefox 34 in order to mitigate the POODLE attack.
network.IDN_show_punycode
Set to true to have Firefox display internationalized domain names in Punycode instead of in a
language-specific script. Only set this if properly rendering IDNs is a feature you do not
desire.
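The following is an added example, not part of the original list: a Python check that reads the user_pref(...) lines of a profile's prefs.js or user.js and reports where they differ from the values suggested above. The function names and the sample content are constructed for illustration; entries without a single suggested value (such as general.useragent.override) are parsed but not checked.

```python
import re

# Values recommended in the list above (entries with one clear value only).
RECOMMENDED = {
    "network.prefetch-next": False, "network.dns.disablePrefetch": True,
    "network.http.sendRefererHeader": 0, "browser.send_pings": False,
    "beacon.enabled": False, "geo.enabled": False,
    "webgl.disabled": True, "pdfjs.disabled": True,
}
MINIMUMS = {"security.tls.version.min": 1}  # 1 or higher disables SSLv3
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into {name: bool|int|str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')
    return prefs

def audit(text):
    """Return {pref: reason} for each checked pref that deviates from the list."""
    prefs, findings = parse_prefs(text), {}
    for name, want in RECOMMENDED.items():
        have = prefs.get(name)
        if have is None:
            findings[name] = "not set in this file (browser default applies)"
        elif type(have) is not type(want) or have != want:  # False is not 0
            findings[name] = f"is {have!r}, list suggests {want!r}"
    for name, floor in MINIMUMS.items():
        have = prefs.get(name)
        if type(have) is not int or have < floor:
            findings[name] = f"is {have!r}, list suggests >= {floor}"
    return findings

SAMPLE = """// constructed sample prefs.js content, not from a real profile
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.http.sendRefererHeader", 2);
user_pref("browser.send_pings", false);
user_pref("geo.enabled", true);
user_pref("webgl.disabled", true);
user_pref("security.tls.version.min", 0);
user_pref("general.useragent.override", "Mozilla/5.0 (constructed)");"""
```

Calling audit(SAMPLE) returns one entry per deviating preference; a preference reported as not set simply has no line in the file, so Firefox is using its built-in default for it.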