Configure Firefox/Iceweasel 3 to be more secure / usable / bearable

Today seems to be Firefox/Iceweasel 3 Bashing Day on Planet Debian, so let me join the fun :)

I agree with most other people that the default Firefox/Iceweasel 3 config is not ideal, so here's what I did to fix it. Some of these items improve performance, some remove annoyances, some remove privacy issues, some remove security issues. Not everything here may be desirable for people other than me.

General

  • Disable the bookmarks toolbar via "View / Toolbars / Bookmarks Toolbar", nobody needs that and we save some screen space. Remove all pre-defined bookmarks while we're at it.
  • Select "View / Toolbars / Customize".
    • Add the "New Tab" button/icon right after the "Home" button. This is probably the most-used button (for me at least) and it's not available per default...
    • Click "Use Small Icons", there's no reason to waste screen space.
    • Remove the Google search bar (useless).
    • Now move all icons and the URL bar into the menu bar (I'm not kidding). After that you can disable the navigation toolbar via "View / Toolbars / Navigation Toolbar" and save even more screen space.

Preferences

Select "Edit / Preferences".

Main:

  • Select "When Iceweasel starts: Show a blank page".
  • Set "Home Page" to whatever you see fit.

Tabs:

  • Enable "Always show the tab bar".

Content:

  • At the right-hand side of "Enable JavaScript" click "Advanced" and uncheck all checkboxes. JavaScript stuff shouldn't need to do any of those operations.
  • Uncheck "Enable Java". Nobody needs this crap and it's a huge security risk.

Privacy:

  • Disable "Keep my history for xyz days" completely. Huge privacy risks.
  • Disable "Remember what I enter in forms and the search bar". Huge security and privacy risks, almost no gain.
  • Disable "Remember what I've downloaded". Huge privacy risks.
  • Uncheck "Accept third-party cookies".
  • Choose "Keep until: I close Iceweasel".
  • Click "Show Cookies" and remove all of them.
  • Enable "Always clear my private data when I close Iceweasel". Click "Settings" and check all items. You want to purge everything when closing Iceweasel.

Security:

  • On the right-hand side of "Warn me when sites try to install add-ons" click "Exceptions" and remove all exceptions.
  • Disable "Tell me if the site I'm visiting is a suspected attack site". Useless crap, possibly a privacy issue.
  • Disable "Tell me if the site I'm visiting is a suspected forgery". Useless crap, possibly a privacy issue.
  • Disable "Remember passwords for sites". This is a huge security risk, never ever enable it!

Advanced:

  • "General" tab:

    • Enable "Warn me when web sites try to redirect or reload the page".
    • Disable "Check my spelling as I type". Useless, annoying crap, which probably even impacts performance.
  • "Update" tab:

    • Disable "Automatically check for updates to: Installed Add-ons".
    • Disable "Automatically check for updates to: Search Engines".
    • Select "When updates to Iceweasel are found: Ask me what I want to do".
about:config

[Screenshot: Firefox/Iceweasel 3]

Open a new tab, enter "about:config" as the URL and hit ENTER. Click the annoying "I'll be careful, I promise!" button. Uncheck "Show this warning next time" while we're at it.

  • Set browser.urlbar.matchOnlyTyped = true to disable the new, annoying "AwesomeBar" URL bar feature (which is also a huge privacy risk).
  • Browser tabs are way too huge for my taste (thus only very few fit on the screen). Fix it with browser.tabs.tabMinWidth = 60 and browser.tabs.tabMaxWidth = 60 (needs a browser restart). You can even use less than 60 if you don't need any text and an icon per tab is enough for you.
  • Disable the annoying, flashing auto-search stuff when you select "Tools / Add-ons / Get Add-ons": Set extensions.getAddons.showPane = false.
  • Set bidi.support = 0. You'll probably never need it, so reduce the number of potential bugs and security issues by disabling it.
  • Self-signed certificate handling is annoying, so fix it with: browser.ssl_override_behavior = 2 and browser.xul.error_pages.expert_bad_cert = true (thanks Pierre Habouzit).
  • Set browser.tabs.closeButtons = 3 in order to prevent accidental closing of tabs (no more Close buttons on each tab, only one global Close button on the right). Yes, CTRL+Shift+T helps in case it still happens.
  • Set network.prefetch-next = false to prevent random prefetching of webpages, which means wasting CPU cycles and bandwidth, as well as subtle privacy and security issues.
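As an added example (not code from the original post), the about:config settings above written as a Firefox user.js baseline, plus a small Node.js audit that parses an existing prefs.js or user.js and reports which of these prefs are missing or set differently; the sample prefs.js content is constructed here, not taken from a real profile.

```javascript
// Added example: user.js baseline for the about:config prefs above + audit.
const HARDENED_PREFS = {
  "browser.urlbar.matchOnlyTyped": true,      // no AwesomeBar history matching
  "browser.tabs.tabMinWidth": 60,             // narrow tabs (restart needed)
  "browser.tabs.tabMaxWidth": 60,
  "extensions.getAddons.showPane": false,     // no auto-search in Get Add-ons
  "bidi.support": 0,                          // bidi support off
  "browser.ssl_override_behavior": 2,         // simpler self-signed cert flow
  "browser.xul.error_pages.expert_bad_cert": true,
  "browser.tabs.closeButtons": 3,             // one global close button only
  "network.prefetch-next": false,             // no link prefetching
};

// Emit user.js text (one user_pref("name", value); per line); Firefox applies
// it at startup on top of prefs.js. JSON.stringify quotes strings only.
function renderUserJs(prefs = HARDENED_PREFS) {
  return Object.entries(prefs)
    .map(([k, v]) => `user_pref(${JSON.stringify(k)}, ${JSON.stringify(v)});`)
    .join("\n") + "\n";
}

// Parse user_pref(...) lines into a Map; bool, integer and string values only.
function parsePrefs(text) {
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  const out = new Map();
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;                         // comments, blank lines, etc.
    const raw = m[2];
    if (raw === "true" || raw === "false") out.set(m[1], raw === "true");
    else if (/^-?\d+$/.test(raw)) out.set(m[1], Number(raw));
    else if (raw.startsWith('"')) out.set(m[1], JSON.parse(raw));
  }
  return out;
}

// Report baseline prefs that are missing from, or set differently in, text.
function auditPrefs(text, baseline = HARDENED_PREFS) {
  const found = parsePrefs(text);
  return Object.entries(baseline).flatMap(([k, want]) => {
    if (!found.has(k)) return [`${k}: not set (want ${want})`];
    const got = found.get(k);
    return got === want ? [] : [`${k}: is ${got}, want ${want}`];
  });
}

// Constructed sample prefs.js (not a real profile) for the audit demo.
const SAMPLE_PREFS_JS = `user_pref("browser.urlbar.matchOnlyTyped", true);
user_pref("network.prefetch-next", true);
user_pref("browser.startup.homepage", "about:blank");`;
```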

Plugins

None. Don't even think about installing crap like the closed-source Flash player if stability or security are important to you. If you absolutely must watch YouTube videos, I recommend youtube-dl.

Extensions

Use as few as possible. Every extension may have security problems or bugs, and can negatively affect performance etc.

Pretty much the only one I use is NoScript to selectively enable JavaScript for some trusted websites (and disable it for all other sites).

Comments


Strong security

Hey,

Some more tips from my security design.

General:
- Downloading video (totem-youtube or youtube-dl) reduces the window to exploit the browser a lot -- it opens the way to video player exploitability. The subject is browser security, right?
- You may want to add some RBAC system on the browser (the browser can read/write in one single, difficult-to-guess directory on the system)
- An HTTP (not HTTPS) exception is only good if it is exclusive with DNS MITM forgery.

Tuning:

- BE CAUTIOUS: in about:config you may search for "http:" to find the tons of URLs embedded. I removed them; THIS IMPLIES NOT BEING ABLE TO UPDATE / SEARCH / INSTALL ANY NEW PLUGINS. You may want to do that once you have a fine-tuned configuration or when you are sure you don't want a new extension.
I don't use NoScript, but QuickJava does it fine to disallow images/CSS & more.
- You may want to totally disable the flash/silverlight/vnc/etc. extensions
- Check for "URL" or even "http://"; I blank every field. So I guess I no longer report crashes / malware / phishing. I am OK with that.
- Search for "handlers.application"; you find some applications that may end up being called. I avoid that risk by setting them to /bin/false. Searching for "xterm" scared me a bit too.

Despite a previous post, I experienced switching my user-agent and suffered very bad inconsistencies on websites.
You may put one that matches your true version very closely, but differs in endianness or OS.

Thank you all for the other posts that gave me hints. prefetch scared me. So did Google, by their important place in the browser code and the amount of information we can send.

Enough talking security; let's try to keep ourselves at liberty to modify our browser, not sending information, not falling under statist rules of strict checking any time we surf one page, and in the end, I think, our right to be ourselves without justification of any sort or acknowledgement that we are -- indeed.

Peace

Thanks a lot

and yeah, that really ought to be the default config, including the comments further down. Well, actually, I want to have some details slightly differently, but that would be a much saner configuration to start from, indeed.

In particular all that phone-home-and-other-strange-folks functionality ought to be disabled by default. It's really annoying that software as installed from the package does all kinds of undeclared network activity ...

firefox chrome opera safari ie sucks

Thanks for this excellent guide!

But first of all, it's nice to see a webpage like yours that still works without all that javascript crap, and can even be fairly well read with lynx. Less often is more ...

Most of your recommendations are settings that I use as well; here are some additional ideas:

1. set xpinstall.enabled = false, and only enable it to install really, really needed extensions (like a script blocker :-)

2. set permission.default.image = 3, this prevents Firefox from loading embedded third-party ad banners and images. Surfing is such a better experience without too many ads, and it increases security at the same time.

3. set network.dns.disableIPv6 = true, I'm sure Firefox is not aware of the absence of IPv6 routers :-), so this may increase performance (and don't forget to re-enable it some years later :-)

4. Use some text browser like lynx instead, as long as only textual information is being researched on the web. Pages that cannot be viewed without JS or Flash and the like should be avoided anyway.

5. I don't like the NoScript extension too much, there's too much to fiddle around with. Why? If there's really a need to activate JS, I prefer to do this with a single mouse click, and deactivate it the same way. Cookie extensions able to granulate in more detail make more sense in my opinion, for session cookies in some web applications.

Cheers

useful tips

Thanks hermann,

These comments are very useful and it is nice to see what someone else sees as a good interface. Personally I do use some of these features (Google extra search box) but I followed most of your suggestions.

I do have a question. I use a lot of Firefox extensions for some web design projects (color it, measure it, firebug..). Would you recommend using a separate browser installation for work and private use to reduce risk?

FF plugins

Well, I don't know. In general, the fewer lines of code, or plugins, are used/exposed, the smaller the likelihoods of successful attacks. Whether or not the plugins you use have known or unknown security issues I cannot tell, though.

Uwe.

Firefox 3 is still not stable

I used Firefox 3 for the past 2 weeks and I uninstalled it after that. I will try again maybe at the end of this year. Firefox 3 has some issues with Hotmail, especially the part where you want to attach files; it hangs up the PC every time. Sometimes it is unable to show the URLs I had visited before.

I am now using firefox 2 for now. Just my sharing.

Houston

Question..

So why are you even using firefox? Sounds to me like you're taking the worst possible browser for your requirements and then trying to fix it. Surely other browsers exist that meet your 'requirements' better.

About Google Services

I set NoScript allowing Google.com, but they didn't work, the gmail and greader.
Any suggestions?

It should work. Sometimes

It should work. Sometimes you need to allow multiple domains, e.g. if Google services used xyz.com too (e.g. they host some JavaScript there or something) you need to allow that too. NoScript should list all sites which are required.

Two more things you may want

Two more things you may want to change,

1. Disable extensions.blocklist.enabled. This polls a mozilla website for an extension blacklist.

2. browser.contentHandlers.types.[012].uri are set by default to URLs for Bloglines, My Yahoo, and Google. If you ever open Edit->Preferences->Applications then it will contact those URIs to get an icon, and Google sets a cookie. Setting the uri to blank stops the contact.

youtube

better than youtube-dl, check out the youtube plugin in totem (you need a recent version)

You're the security guy!

Man, I thought I was aware of browser security, but you are browser security itself!
Your tips are very good; even though some are a little bit radical, for those with security in first place they are a must.

tabs

I don't use the mouse to add tabs (^t) but it sounds like you do.

I saw that you preferred to have the tab bar always visible; I do that myself. This gives you the feature of getting a new tab by double clicking next to the open tabs. If you have filled the tab bar, then a right click and you have the new tab there. It seems to waste useful space to add a new tab button.

I use ^t and then the location field is selected, ready to be typed in =)

tabs

Depends, when my hand is moving the mouse pointer around already I click "new tab", when my hands are on the keyboard I use CTRL+T, yes. Whichever works faster.

I recommend the following

I recommend the following setting:

plugin.default_plugin_disabled = false

That way you won't get the annoying yellow bar at the top of the page asking you to install some plugin every time you end up on a page with some Flash or other crap embedded.

Google search box

I configure my browser similarly to you. One difference is that I use the Google search box; however, I do not leave it in the default configuration. I move it to the big empty space in the menu bar and then I configure Firefox to open searches from the search box in a new tab. I also add a bunch of commonly used search engines to the search box. Then when I want to look something up on IMDB or search for info on a Debian package or find a torrent that I'm looking for, all I have to do is select the appropriate search engine, type in what I'm looking for and hit enter. A new tab opens up with the appropriate search results, all without disturbing my current work.

only left modify

Only left to modify: general.useragent.override; set it to some Windows version of FF, which will give you better content handling on some pages. Delete the Iceweasel, Debian etc. stuff from the user agent for better anonymity. There was some stuff about the last visited page but I can't recall it now, and finally, forget Google, they are the biggest privacy violator on the net!!!

no referrers (previous page visited...)

network.http.sendRefererHeader = 0
network.http.sendSecureXSiteReferrer = false