Consider fixing the Mitigation guide for Firefox #58

Open
opened 2021-01-26 11:07:44 +00:00 by Rupert · 18 comments

First of all, sorry if this topic sounds harsh.

Unfortunately, arkenfox user.js maintains a lot of automatic connections, geolocation, safebrowsing and so on.
Your old guide was by far better than this.

Nowadays, Mozilla is bloating its browser and it's almost impossible to mitigate it.

After trying dozens of user.js files, this is the best I found (from a forked arkenfox one):
https://git.nixnet.services/Narsil/desktop_user.js
However, we still have to add firefox.settings.services.mozilla.com to our hosts file.

This way, it seems there are no unsolicited connections, but what will be the next step? Will we have to continue adding more and more in the future in order to control Firefox?

To sum up, I think you should consider even deleting that guide.

Thanks for your time.


I'm unsure what being a bloated browser has to do with disabling spyware. If you feel as though using a user.js doesn't help, I'm not sure why you'd be using Firefox to begin with.

Using ghacks with a few tweaks helps a lot of people who are stuck on Firefox. Unless there's a better way to mitigate Firefox, I prefer to leave the guide be.

I'll retest Firefox later on and show specific options to disable that aren't covered by ghacks.

I'll leave this up to @anonymous for the final decision.

baobab added the wontfix label 2021-01-26 18:31:59 +00:00
baobab removed the wontfix label 2021-01-26 18:34:04 +00:00
anonymous was assigned by baobab 2021-01-26 18:34:15 +00:00

Sorry for the pessimistic message.

Anyway, it would be nice if you added those specific options.

People come here looking for the connections of their browsers and how to mitigate them. However, arkenfox (new name for ghacks) isn't the best way.

On the other hand, Mozilla telling us we have to add some of them to the hosts file is a nefarious behaviour.

BTW, on mobile the same connection appears.

Greetings.


The guide needs to be updated.

> https://git.nixnet.services/Narsil/desktop_user.js

Page doesn't seem to load, even with JS turned on?

And thank you for bringing the issue to our attention.


That Git instance seems to be quite erratic.

Reload the page once or even several times.


Possibly worth investigation or adding into "further reading":
https://old.reddit.com/r/privacy/comments/d3obxq/firefox_privacy_guide/


Also, you are correct about

> Will we have to continue adding more and more in the future in order to control Firefox?

Firefox continues to add more bloat and botnet, and switching to a different browser should be done by any user (I'm currently working on a page for this).

But at least for now we will provide the guide so long as it is doable.
Especially since there is a user.js out there that seems to get ~95% of the unwarranted connections to stop (not that that is enough, if indeed it is only 95%).


@anonymous
"switching to a different browser should be done by any user"
I agree, but the only obstacle that I see is distributions not having these browsers in their repos or having Firefox as the default (with the default user.js for some reason..). I do not see flatpak or equivalents as a good way to package anything; in fact they should not be a thing.

@Rupert
You're using something that Mozilla made and you're using a browser, of course it is of no surprise that there's something verbose thrown in there. *Probably* and *maybe* opening up an issue (to Mozilla) will grant a good explanation of what is being sent to that address.


> @Rupert
> You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. *probably* and *maybe* opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address.

According to https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

> *Login breach information*
>
> Firefox Monitor warns you if your online accounts were involved in a known data breach.
> For more information, see Firefox Lockwise - Alerts for breached websites.
>
> To get the latest login breach information and more, Firefox connects to **firefox.settings.services.mozilla.com**


This is madness...
And now, we have to add aus5.mozilla.org to the hosts file.


Yeah, I just tested the ghacks last night. Their user.js is horrible. I'm not sure why in my right mind I decided to use it in the guide. If I remember correctly, they didn't use to be like that. I'll put a deprecated warning in the guide tomorrow and maybe next week I'll update it with a better user.js.

I'm changing the title from "Consider deleting Mitigation guide for Firefox" to "Consider fixing the Mitigation guide for Firefox" for better accuracy of this issue.

baobab changed title from Consider deleting Mitigation guide for Firefox to Consider fixing the Mitigation guide for Firefox 2021-02-01 03:02:32 +00:00
baobab added the bug label 2021-02-01 03:03:23 +00:00
baobab self-assigned this 2021-02-01 03:03:58 +00:00

@baobab

I've never seen the profile manager being mentioned. Have a profile that disables telemetry, zaps fingerprinting and gets rid of other anti-features at its fullest and simply have another one that is less strict. Problem solved and no need to leave stuff in because of (x) not working properly.


> @anonymous
> "switching to a different browser should be done by any user"
> I agree, but the only obstacle that I see is distributions not having these browsers in their repos or having Firefox as the default (with the default user.js for some reason..). I do not see flatpak or equivalents as a good way to package anything; in fact they should not be a thing.

Artix has repos that have most of everything. It also makes a case for setting up a distro yourself (be it for you or your normie friend who is done with macOS or Windows).

Also I wrote a thing about browsers:
http://abrx6wcpzkfpwxb5eb2wsra2wnkrv2macdtkpnrepswodz5jxd4schyd.onion/browsers.xhtml

I have since found out about a few other browsers too, so it could always use updates, but whatever.


We should consider changing the recommended user.js to Narsil's away from Ghack's.


> Unfortunately, arkenfox user.js maintains a lot of automatic connections, geolocation, safebrowsing and so on.

the user is asked before any geolocation data is sent, so there is no immediate need to disable functionality which is useful to some/many people if/when they choose to use it

safebrowsing is for user benefit - if you don't want to use it, fine, disable it (i disable it), but disabling it for all users out of the gate is a potential mistake

this is important: the arkenfox js is a *template* - it's up to the *user* to adjust prefs according to *their* particular needs

the Narsil js is...

> ... a fork from the arkenfox project with a substantial divergence. It tries to avoid all the automatic connections even though security could be reduced slightly. For instance, OCSP is a privacy breach. Nevertheless, it is also a security feature.

avoiding all automatic connections just for the sake of avoiding them is a mistake IMO, one which, as he/she admits, compromises security

> I'll put a deprecated warning in the guide tomorrow and maybe next week I'll update it with a better user.js.

what you might do instead is read through the user.js and the wiki and learn *why* some connections are allowed ... and then disable the ones you don't need/want

look, i think we'd all agree that Mozilla is, in part, an evil company - a very evil company in some ways (they are anti-free speech and they partner with a pile of highly unethical foundations and corporations, some of which fund domestic terrorism (Ford Foundation, Soros, etc.) for example) - if there were a better browser out there, i'd be using it

similarly, if there were a better user.js out there, i'd be using it, but the arkenfox crew is very dedicated to what they are doing, very knowledgeable, and very active

again, their js is a template and it is the most intelligent, comprehensive and up-to-date one that i personally know of


> the user is asked before any geolocation data is sent, so there is no immediate need to disable functionality which is useful to some/many people if/when they choose to use it
>
> safebrowsing is for user benefit - if you don't want to use it, fine, disable it (i disable it), but disabling it for all users out of the gate is a potential mistake
>
> this is important: the arkenfox js is a *template* - it's up to the *user* to adjust prefs according to *their* particular needs

Hi

First of all, thanks for your constructive criticism.

As for the user, everybody is also free to modify it according to their interests.

On the other hand, geolocation and safebrowsing could be useful but are privacy concerns. The first one points to Mozilla and the second one to Google.

In fact, the Librewolf project disables safebrowsing.

> the Narsil js is...
>
> > ... a fork from the arkenfox project with a substantial divergence. It tries to avoid all the automatic connections even though security could be reduced slightly. For instance, OCSP is a privacy breach. Nevertheless, it is also a security feature.
>
> avoiding all automatic connections just for the sake of avoiding them is a mistake IMO, one which, as he/she admits, compromises security

Disabling OCSP is a controversial choice. Due to this, I warn about it.
You are, again, free to revert those changes.

> look, i think we'd all agree that Mozilla is, in part, an evil company - a very evil company in some ways (they are anti-free speech and they partner with a pile of highly unethical foundations and corporations, some of which fund domestic terrorism (Ford Foundation, Soros, etc.) for example) - if there were a better browser out there, i'd be using it

I completely agree with you on this.

> similarly, if there were a better user.js out there, i'd be using it, but the arkenfox crew is very dedicated to what they are doing, very knowledgeable, and very active
>
> again, their js is a template and it is the most intelligent, comprehensive and up-to-date one that i personally know of

Again, I agree with you about arkenfox user.js, but it has many flaws for the few people who think zero unsolicited requests would be optimal.

On the other hand, since a user.js is so inherently strict, I'm working on a mozilla.cfg because it's easier to change strings (defaultPref vs lockPref).

Greetings.


I know this comment is going to be very useless, but what is the current solution? or alternatively, is there anything new about this?

I am simply looking to just harden my firefox without the complications with these many userjs'.


> I know this comment is going to be very useless, but what is the current solution? or alternatively, is there anything new about this?
>
> I am simply looking to just harden my firefox without the complications with these many userjs'.

As far as automatic connections are concerned, there is no simple solution to this.

The most comfortable alternative would be using Librewolf on PC and/or Mull on Android.

The uneasy solution means using arkenfox.js as a base with the following changes in about:config:

- Disabling safebrowsing
- Disabling push notifications
- Disabling privacy tracking lists
- Disabling OCSP and CRLite checks
- Disabling geolocation features
- Disabling addon updates
- Disabling Widevine
- Disabling blocklists

And probably more of them I can't remember.

On the other hand, if you are also interested in enhancing security you could also enable fission and disable JIT.

Afterwards, you'll have to avoid automatic updates by disabling this behavior with a policies.json.

Finally, edit the omni.ja files in order to delete some connections like firefox.settings.services.mozilla.com.
What is worse, this must be done every time the browser updates.

As you can see, it's quite complicated. Some features may be useful for some people. Thus, they are free to disable or enable them according to their needs.

Greetings.
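The comment above lists the about:config changes by feature but not by pref name, and the practical problem on a long-lived profile is verifying that a user.js really sets all of them with the right type. The script below is an added example, not code from this thread, Narsil's repository or the arkenfox project: it parses `user_pref()` lines from a constructed user.js fragment, audits them against a desired set, and prints corrective lines. The pref names in `DESIRED` are the keys I believe correspond to the items in the list (an assumption; check them in about:config for your Firefox version), and the sample file is constructed for the example.

```python
import re

# Constructed sample user.js fragment for this example; it is NOT Narsil's or
# arkenfox's file. The pref names are the about:config keys I believe correspond
# to the items in the comment above (assumption: confirm them in about:config for
# your Firefox version before relying on them).
SAMPLE_USER_JS = """\
// constructed sample: part of a hardened profile
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("dom.push.enabled", false);
user_pref("security.OCSP.enabled", 1);   // still the default: OCSP lookups stay on
user_pref("geo.enabled", false);
user_pref("extensions.update.enabled", false);
user_pref("media.gmp-widevinecdm.enabled", false);
user_pref("fission.autostart", true);
user_pref("app.update.auto", "false");   // wrong type: a string, not a boolean
"""

# Target values for a "no unsolicited connections" profile (assumption, see above).
DESIRED = {
    "browser.safebrowsing.malware.enabled": False,   # safebrowsing
    "browser.safebrowsing.phishing.enabled": False,
    "dom.push.enabled": False,                       # push notifications
    "security.OCSP.enabled": 0,                      # OCSP (0 = disabled)
    "geo.enabled": False,                            # geolocation
    "extensions.update.enabled": False,              # add-on updates
    "media.gmp-widevinecdm.enabled": False,          # Widevine
    "extensions.blocklist.enabled": False,           # blocklists
    "fission.autostart": True,                       # site isolation
    "app.update.auto": False,                        # automatic updates
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_value(raw: str):
    """Turn the literal in a user_pref() call into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw   # leave anything unexpected as-is so it shows up as a mismatch


def parse_user_js(text: str) -> dict:
    """Collect user_pref() settings; later lines override earlier ones, as in Firefox."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs: dict, desired: dict) -> dict:
    """Return {pref: (expected, actual)} for prefs that are missing, differ, or have the wrong type."""
    problems = {}
    for name, expected in desired.items():
        actual = prefs.get(name)
        # the type() check matters: "false" (str) and 0 (int) are not False (bool)
        if actual is None or type(actual) is not type(expected) or actual != expected:
            problems[name] = (expected, actual)
    return problems


def render_fix(problems: dict) -> str:
    """Emit user_pref() lines to append to user.js to correct the audit findings."""
    def literal(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        if isinstance(v, int):
            return str(v)
        return '"' + str(v).replace('"', '\\"') + '"'
    return "".join(f'user_pref("{n}", {literal(exp)});\n' for n, (exp, _) in problems.items())


if __name__ == "__main__":
    found = audit(parse_user_js(SAMPLE_USER_JS), DESIRED)
    for name, (exp, act) in found.items():
        print(f"{name}: expected {exp!r}, found {act!r}")
    print(render_fix(found), end="")
```

Run it against a real profile by reading `user.js` (or `prefs.js`, which records the effective values) instead of the constructed sample; the three findings on the sample are the OCSP pref left at its default, the blocklist pref missing entirely, and an update pref set as a string rather than a boolean, which Firefox would not treat as the intended switch.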


Seeing that this issue hasn't been fixed in 2 years, I'll do it myself (I'd like to send this guide when people ask me about Firefox mitigation). But before writing it and sending a pull request I need to know if you like my solution:

I'll be using @Narsil's user.js, which is a vastly improved fork of arkenfox's:
https://git.nixnet.services/Narsil/desktop_user.js

As Narsil points out, there are still two connections which can not be removed with the user.js:

```
firefox.settings.services.mozilla.com
content-signature-2.cdn.mozilla.net
```

You need to either add them to your hosts file or remove them by unpacking and modifying two omni.ja files. Since the hosts file is way faster and doesn't need to be redone after every update, I'll go the hosts file route. Although I could explain both methods.

We could use the hosts file from #86 even if, after using Narsil's user.js, there are only two connections left, just in case Firefox updates and it starts making another connection.
https://github.com/MrRawes/firefox-hosts

About OCSP, I am a supporter of disabling it. But I would mention the security concern.

Additionally I'd like to add a section about the mozilla.cfg tweaks: https://git.nixnet.services/Narsil/mozilla.cfg which includes some nice security features like enabling fission. I'm not completely sure if this fits Spyware Watchdog's style, so I'd like to receive some confirmation before including this.

Please let me know if you like my solution and I'll start writing it.
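The hosts-file route discussed in this comment (and the earlier ones about firefox.settings.services.mozilla.com and aus5.mozilla.org) has a failure mode a reader should check for: an entry is only a block if the name maps to nothing but a blackhole address, and a stray line pointing the same name at a real address defeats it. The script below is an added example, not code from this thread, from MrRawes' firefox-hosts or from Narsil; it parses a constructed hosts file, reports which of the thread's domains are still resolvable, and produces a patched file that comments out conflicting lines and appends the missing sink entries. The sample hosts content and the 192.0.2.10 address are constructed for the example; the domain names are the ones quoted in this thread.

```python
# Blackhole addresses conventionally used in hosts files to sink a name.
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# The two names Narsil lists as not removable via user.js, plus aus5.mozilla.org
# mentioned earlier in this thread.
DOMAINS = [
    "firefox.settings.services.mozilla.com",
    "content-signature-2.cdn.mozilla.net",
    "aus5.mozilla.org",
]

# Constructed sample hosts file (not a real machine's file). One Firefox name is
# already sunk; another is mapped to a TEST-NET address to show the
# "present but not actually blocked" case.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# --- firefox block (constructed) ---
0.0.0.0     aus5.mozilla.org
192.0.2.10  content-signature-2.cdn.mozilla.net   # constructed, not a blackhole
"""


def parse_hosts(text: str) -> dict:
    """Map each hostname (lowercased) to the set of addresses it appears with."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed: address with no names
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def is_blocked(mapping: dict, domain: str) -> bool:
    """A name counts as blocked only if every address it maps to is a blackhole;
    a stray entry pointing at a real address would still let the lookup succeed."""
    ips = mapping.get(domain.lower())
    return bool(ips) and ips <= BLACKHOLE_IPS


def unblocked(hosts_text: str, domains) -> list:
    """Domains from the list that the hosts file does not sink."""
    mapping = parse_hosts(hosts_text)
    return [d for d in domains if not is_blocked(mapping, d)]


def render_block(hosts_text: str, domains) -> str:
    """Lines to append for the names still unblocked (empty if nothing is missing)."""
    return "".join(f"0.0.0.0 {d}\n" for d in unblocked(hosts_text, domains))


def patch_hosts(hosts_text: str, domains) -> str:
    """Return a hosts text in which every target name is sunk: lines mapping a
    target to a real address are commented out (the whole line, so any other
    names on it are disabled too), then missing sink entries are appended.
    Running it again on its own output changes nothing."""
    targets = {d.lower() for d in domains}
    kept = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].split()
        names = {n.lower() for n in body[1:]}
        if len(body) >= 2 and body[0] not in BLACKHOLE_IPS and targets & names:
            kept.append("# disabled: " + line)   # conflicting mapping to a real address
        else:
            kept.append(line)
    text = "\n".join(kept) + "\n"
    return text + render_block(text, domains)


if __name__ == "__main__":
    print("still unblocked:", unblocked(SAMPLE_HOSTS, DOMAINS))
    print(patch_hosts(SAMPLE_HOSTS, DOMAINS), end="")
```

The check only reasons about the file's contents; whether a given browser build actually consults the system hosts file for its lookups is a separate question, so after editing it confirm with a packet capture or the browser's network log that the names really stop resolving, and re-run the check after each Firefox update, as the thread expects new endpoints to appear over time.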

8 Participants

Reference: shadow/SpywareWatchdog#58