Securing Firefox

From Aktivix
Jump to: navigation, search

The application that has the most remote exploits that most activist use every day is Firefox -- how sensible is to to run it with read permissions for all your data?

Run Firefox as another user

Create a firefox user, set up ssh, install sux then create ~/bin/firefox:

#!/bin/bash

# using X11 and ssh
# ssh -X firefox@localhost firefox

# using sux
sudo sux - firefox firefox

Then when you launch firefox it runs as the firefox user and if there is a remote exploit then firefox can't access your files.

The script above assumes you can sudo without a password.

If you used the commented out ssh method you can make ssh more secure by adding this to the start of your key in ~/.ssh/authorized_keys:

from="localhost"  ssh-dss AAAA

Write the cache to a ram disk

Debian and Ubuntu create a ram at /dev/shm and you can write your Firefox cache there by entering this in the location bar:

about:config

Then enter:

browser.cache.disk.parent_directory

If it doesn't exist then right-click and select new string and create it and set it to:

/dev/shm

And if you are really paranoid then create en encrypted ramdisk, start by creating a directory to mount it in:

mkdir /ramcrypt

The the following can be scripted to run on boot by adding it to /etc/rc.local:

cryptsetup -c blowfish -s 64 -d /dev/urandom create ramcrypt /dev/ram0
mke2fs /dev/mapper/ramcrypt
mount /dev/mapper/ramcrypt /ramcrypt

The change the ramdisk size you need to edit your grub conf file, see: http://www.vanemery.com/Linux/Ramdisk/ramdisk.html or http://mtehrani30.blogspot.com/2008/12/change-ramdisk-size-in-debian.html -- basically you need to add something like this to the kernel line in /boot/grub/menu.lst

ramdisk_size=128000

Firefox user on an encrypted ram disk

Add this to /etc/rc.local

cryptsetup -c blowfish -s 128 -d /dev/urandom create ramdisk /dev/ram0
mke2fs /dev/mapper/ramdisk
mount /dev/mapper/ramdisk /ramdisk
mkdir /ramdisk/firefox
chown firefox.firefox /ramdisk/firefox
chmod 700 /ramdisk/firefox
rsync -qav /home/firefox/ /ramdisk/firefox/

And edit /etc/passwd to set the firefox user's home directory to /ramdisk/firefox/ and remember to rsync the ramdisk to home after you install a firefox plugin so it's there next time you reboot!

ssh socks proxy

The advantage of using a socks proxy is that it doesn't require squid or anything to be running on the server -- any machine you can ssh to can be used as a proxy server, the disadvantage over squid is that it can't be set to cache and filter and anonomise headers etc etc

ssh -N -D 9999 proxy.example.com

in about:config in Firefox:

network.proxy.socks : 127.0.0.1
network.proxy.socks_port : 9999
network.proxy.socks_remote_dns : true
network.proxy.socks_version : 5
network.proxy.type : 1

You can also use a socks proxy with things that don't support socks proxies, eg apt, install tsocks then create ~/.tsocks.conf with this in it:

server = 127.0.0.1
server_port = 9999
server_type = 5

Then run apt like this:

 sudo tsocks apt-get update

And you could add some aliases to ~/.bashrc like this:

alias apt-get='sudo tsocks apt-get'
alias apt-cache='sudo tsocks apt-cache'

Changing the location of bookmarks

If you in effect wipe all your history then the autocomplete in the location bar doesn't work so well, one work around is to move the bookmarks to somewhere where it doesn't get deleted and bookmark the pages you often visit.

 http://ilias.ca/blog/2006/04/customize-the-firefox-bookmarks-location/

Disable Prefetch

On the about:config page set network.prefetch-next to false to disable

Addons