Firefox about:config privacy and security settings

November 4, 2014

Below are some configuration settings you may consider changing in Mozilla Firefox via about:config for privacy and security reasons. This list is not meant to be exhaustive and generally does not list entries that can easily be set via the options or preferences menu. Some of these settings have a negative performance impact or remove functionality. Also keep in mind that the further you take your Firefox configuration away from the norm, the rarer your Firefox setup becomes and, ironically enough, the more identifiable your browser may be (see https://panopticlick.eff.org/ for details), so we recommend reviewing the list below and setting only those that make sense for your scenario. This list was created using Firefox v33.

Begin by typing about:config in the Firefox location bar, then search for the following:

network.prefetch-next

Set it to false to disable. Link prefetching lets a web site give the browser hints (via <link rel="prefetch">) about which pages are likely to be visited next so that the browser can download them ahead of time, with the goal of improving performance. There is no same-origin restriction for link prefetching, so any page can make your browser fetch arbitrary third-party URLs without you clicking anything. According to Mozilla's Link Prefetching FAQ, "prefetching will generally cause the cookies of the prefetched site to be accessed".

network.dns.disablePrefetch

Set it to true to disable. Similar to the above, this feature lets Firefox resolve the hostnames of the links on the current page (and of any <link rel="dns-prefetch"> hints) before you click on them, which reveals those hostnames to your DNS resolver whether or not you ever visit them.

network.http.sendRefererHeader

Set it to 0 to prevent Firefox from ever sending the HTTP Referer header (1 sends it for link clicks but not for embedded resources such as images; 2, the default, always sends it). Setting 0 is known to break certain web sites that check for the referer, for example as a CSRF defence. Therefore an alternative to this setting is to install the RefControl add-on, which lets you control the referer and specify per-site exceptions. You may also wish to review the setting network.http.sendSecureXSiteReferrer, which controls whether the referer is sent when navigating from one HTTPS site to a different one.

browser.send_pings

Set it to false to disable (false is also the Firefox default). This controls the ping attribute on links, which tells the browser to POST a notification to the listed URLs whenever the link is clicked ("hyperlink auditing"), a tracking mechanism that works even with JavaScript turned off. According to MozillaZine: "If you are concerned about privacy and have already turned off referrer sending and JavaScript, you may want to set this preference to false". If you decide to keep browser.send_pings enabled, then you may wish to review browser.send_pings.require_same_host as well, which restricts pings to the host of the page containing the link.

beacon.enabled

Set it to false to disable. This turns off navigator.sendBeacon(), which lets a page queue a small POST that is delivered even while the page is being unloaded; as per the W3C Editor's Draft, part of the reason for the Beacon specification is "analytics". Disabling it does not stop a site from sending the same data by other means, but it removes a channel designed specifically to survive you leaving the page.

geo.enabled

Set it to false to disable. This feature enables location-aware browsing. Although Firefox prompts you before sharing your location while the feature is enabled, setting geo.enabled to false turns the feature, and therefore the prompt, off permanently.

general.useragent.override

Set it to any string you wish in order to override the default Firefox HTTP User-Agent string (the same value is exposed to scripts as navigator.userAgent). You may need to create this entry first by right-clicking in the list of preferences and selecting New | String. Note that depending on which user agent string you specify, this can greatly change your browsing experience on certain web sites, and keep in mind that other HTTP headers (such as Accept and Accept-Language) and JavaScript-visible properties can betray the actual underlying browser. A rare or inconsistent user agent string is also itself a fingerprinting signal.

webgl.disabled

Set it to true to disable. WebGL gives web content access to the graphics driver, so if you do not need this functionality you should disable it in order to reduce your attack surface; the renderer and vendor strings it exposes are also a fingerprinting signal. See the SANS ISC diary entry on WebGL for details.

pdfjs.disabled

Set it to true to disable. This turns off the built-in PDF reader (PDF.js), thus reducing your attack surface, assuming of course you are not then going to open the PDFs in a more vulnerable external PDF reader. PDF.js runs as JavaScript inside the browser rather than as native code, so weigh it against whatever reader would take its place.

plugins.notifyMissingFlash

Set it to false if you did not install the Adobe Flash plugin for Firefox, which is becoming more feasible with the shift towards HTML5. This stops Firefox from prompting you to install Adobe Flash when it detects Flash content.

security.cert_pinning.enforcement_level

Can be set to any value from 0 to 3 to control certificate pinning behaviour: 0 disables pinning (which we do not recommend), 1 (the default) enforces pins except where the chain ends in a root certificate the user installed, 2 enforces pins strictly, and 3 additionally enforces the pins Mozilla ships in test mode. Review Mozilla's Public Key Pinning page to confirm the best setting for you. Note that setting it to 2 may interfere with security products such as TLS-intercepting proxies and antivirus web filters, which rely on a locally installed root certificate and therefore break the pins.

security.tls.version.min

Set it to 1 to disable SSLv3 entirely (the value is the minimum protocol version: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2), and higher to make TLS 1.1 or 1.2 the minimum version to use, at the cost of failing to connect to servers that only speak older versions. Disabling SSLv3 by hand will no longer be necessary once Mozilla disables it by default in the upcoming Firefox 34 in order to mitigate the POODLE attack.

network.IDN_show_punycode

Set it to true to have Firefox display internationalized domain names in Punycode (xn--...) instead of in a language-specific script. This makes homograph attacks visible: a domain that uses lookalike characters from another script, and so renders indistinguishably from a well-known name, shows up as an xn-- label instead. Only set this if properly rendering IDNs is a feature you can do without, since every legitimate IDN will then also appear as Punycode.