Book excerpt: Firefox Hacks

This book provides tips and tools for customizing Firefox's deployment, appearance, features, and functionality. The chapter excerpted here describes how to change the security defaults in Firefox.

O'Reilly –

This book provides tips and tools for customizing Firefox's deployment, appearance, features, and functionality. The chapter excerpted here describes how to change the security defaults in Firefox.

Author: Nigel McFarlane ISBN: 0-596-00928-3

Posted with permission of O'Reilly. Click here for a detailed description and to learn how to purchase this title.

Chapter 2: Security Hacks 11-21

This chapter describes how to change the default security arrangements in Firefox. Security is a big subject, and it has plenty of baggage all of its own. One person's safety is another's prison. One person's privacy is another person's isolation.

Changing security options amounts to changing who you are or aren't willing to deal with. It also amounts to deciding how much you're willing to let third parties know when you're browsing the Web. When you install Firefox, the default security settings give you a safe web browser. It is quite hard to create large holes by accidentally changing options. Firefox has also been closely inspected for internal problems.

As a result, the browser and its underlying Mozilla technology have an excellent security track record. Rarely is a new security problem uncovered. When that happens, it is usually fixed within a day. The Firefox Update Manager informs you of new security patches, if any are made available.

If you don't care about security at all, you can simply remove many of the hurdles that Firefox puts in your way. Security is a complex matter, though. Sometimes, doing away with security means just that: leaving the browser's resources open to any exploitation. Some security regimes, however, don't give you that option. In such cases, the best you can do is reply "I don't care" every time you're engaged over security. There are even rare cases in which there's nothing at all that you can do to escape security limitations. It's a case-by-case environment.

Security concerns and installation processes are two related but different things. This chapter discusses security only. Chapter 3 describes gritty modifications to the Firefox install process. Chapter 7 and Chapter 8 describe a form of programming that's also a blend of installation and security. See those chapters to go further with the chrome.

Drop Miscellaneous Security Blocks

If your computing environment is secure, then Firefox's own security is of limited use.

To systematically address every single security restriction, you'll have to read all the hacks in this chapter; it's just too complex for one hack. This hack describes many common quick fixes. You might also want to read (Hack #7) .

Supply Passwords Automatically

You don't need to constantly reassert your login credentials; you can get Firefox to do it for you. NTLM and dial-up passwords are described in (Hack #14) and [Hack #26] respectively; here, we cover web form passwords and cookies.

The Password Manager is turned on automatically when Firefox starts; all you get is a first-time warning when you use it. Setting a master password serves no purpose if you're trying to defeat security, so the Password Manager saves you that hassle by default. You can stop the remembered passwords from ever expiring by setting this preference:

security.password_lifetime /* set to 0 (days), default is 30 (days) */

Session IDs are like passwords: they're sent by web sites that want to keep track of you as you move between web pages. Usually they're stored as cookies: the correct jargon for web-based session IDs. Cookies are sent between Firefox and the web server as a simple string of plain text in a special HTTP header line. If you have an extension installed that's an HTTP header diagnostic [Hack #51], you can see cookies go to and fro. Firefox has cookie support turned on by default. If you want to configure cookie processing explicitly, use these preferences:

network.cookie.alwaysAcceptSessionCookies /* set to true */
network.cookie.cookieBehavior             /* set to 0 = Accept All */
network.cookie.lifetimePolicy             /* set to 0 = until expiry */

The following preferences are bits of rubbish left over from attempts to migrate from an old Mozilla or Netscape version to Firefox and should be ignored:

network.cookie.lifetime.enabled
network.cookie.lifetime.behavior

Allow Foreign Code to Run

One of the great challenges of the Web is the existence of untrusted downloadable code. With the exception of sandboxed Java applets and properly authenticated code bundles, such things are almost certainly insecure. Firefox won't accept them by default, but you can turn support back on.

Turn on ActiveX

One way to do so is to reignite the native ActiveX support inside the Microsoft Windows port of Mozilla (and therefore Firefox). To turn absolutely everything on and make everything scriptable—even those ActiveX controls flagged as "do not script me"—set these preferences:

security.class.allowByDefault                   /* true (default)     */
security.xpconnect.activex.global.hosting_flags /* 31 = bits 00011111 */

These affect the behavior of a bit of Mozilla that implements the interface called

nsIActiveXSecurityPolicy

. For more on that interface, look for a file named nsIActiveXSecurityPolicy.idl at http://lxr.mozilla.org. If the first of these preferences is set to

false

, ActiveX objects must be allowed or disallowed on a case-by-case basis with preferences like this:

capability.policy.default.ClassID.CID<em>classid</em>" /* set to "AllAccess" */

In this example, classid must be a UUID identifier for the ActiveX object, written in this format:

6BF52A52-394A-11D3-B153-00C04F79FAA6

If objects marked "don't script me" aren't wanted, set the same preference this way:

security.xpconnect.activex.global.hosting_flags /* 15 = bits 00001111 */

Whatever hijinks Windows goes through to decide whether a COM object should be scriptable or not, Mozilla also goes through. That includes observing operating-system-maintained blacklists and so on.

To run such a control, use the HTML

<OBJECT>

or legacy

<EMBED>

tag that specifies the control's URL and class identifier. That's the same as in Internet Explorer.

Turn on more plug-in and helper support

Plug-ins are another form of foreign code. The following two security preferences make plug-in access a bit easier to deal with (the first is set by default):

security.xpconnect.plugin.unrestricted     /* true by default */
plugin.expose_full_path                    /* set to true */

Having Firefox pass control of a URL directly to the operating system is a dangerous arrangement. For example, URLs prefixed with the

shell

: scheme can be passed to Windows (which has a poor track record of handling them securely). To turn on that behavior, set this preference:

network.protocols.useSystemDefaults        /* set to true */

For selective enablement of URL schemes, change the matching preference. All such preferences have this format:

network.protocol-handler.external.<em>scheme</em>

where scheme stands for the particular scheme. So, for the

shell

: scheme, this is the right setting:

network.protocol-handler.external.
<b>shell</b>
/* set to true */

Of course, another way to activate code in a downloaded object is to associate its file type with a suitable application. That's done at the operating-system level, though, not in Firefox. An example is associating Microsoft Excel files containing Visual Basic macros with the Excel program. Firefox will notice such configuration changes the next time it starts up.

Drop Browser Security Hobbles

When a web page displays, Firefox wraps it up inside some security restrictions. These are designed to prevent the page from taking over the user's computer, which is most commonly attempted with pages that contain JavaScript scripts. Preferences allow you to drop some, but not all, of these restrictions. All of the preferences that begin with the following prefix control access to scriptable features of the DOM 0 web page object model:

dom.<em>anything</em>

Type

dom

into the Filter box in the about:config window to see them all. Set most of them to

true

to re-enable the matching feature. These preferences match checkbox features in the Firefox Options dialog box in the Web Features panel.

A few of these preferences rate special mention. This one stops scripts from ever being aborted by Firefox:

dom.max_script_run_time                 /* set to 0 (seconds) or a big number */

Set to

0

(zero), no script will ever be aborted. An infinitely running script can tie up the CPU, which can in turn cause a denial-of-service attack, preventing the user from controlling the browser. Better to choose a very big number, just in case.

This next preference turns off limits on pop-up-window generation:

dom.popup_maximum   /* set to 0 popups or a big number */

Finally, this preference makes all JavaScript events available in modal pop-up windows:

user_pref("dom.popup_allowed_events", "mousedown mouseup click dblclick mouseover 
mouseout mousemove contextmenu keydown keyup keypress focus blur load beforeunload 
unload abort error submit reset change select input paint text popupshowing 
popupshown popuphiding popuphidden close command croadcast commandupdate 
dragenter dragover dragexit dragdrop draggesture resize scroll overflow 
underflow overflowchanged DOMSubtreeModified DOMNodeInserted 
DOMNodeRemoved DOMNodeRemovedFromDocument DOMNodeInsertedIntoDocument 
DOMAttrModified DOMCharacterDataModified popupBlocked DOMActivate DOMFocusIn 
DOMFocusOut");

TIP: The example string shown here is excessive—just pick the events you're interested in—but it serves to illustrate all DOM-like events that Firefox knows about.

Of all the security hobbles that Firefox enforces on web pages, there's one that's nearly impossible to remove: the creation of windows smaller than 100 100 pixels in size. The only way to do so is to use a fully trusted script, either one signed with a digital certificate or one installed in the chrome.

Remove Profile Salting

Firefox user profiles are salted: the names of profile directories include randomly generated directory names, such as f8p09nj2.slt. This is a security measure designed to prevent hostile web sites from guessing the name of your profile and then feeding Firefox data that might have security cracks in it. It also makes administering and moving profiles harder than it might otherwise be. You can remove these salted names by using the

-CreateProfile

command-line option and this dirty hack. Follow these steps, which create a dummy profile located in C:\tmp\test:

<b>mkdir C:\tmp</b><b>mkdir C:\tmp\test</b><b>echo "garbage" > c:\tmp\test\prefs.js</b><b>firefox -CreateProfile "test c:\tmp</b>"

The

echo

command just creates a file that Firefox will sense at startup time. That's enough to fool it into using the C:\tmp\test directory as an existing profile for the new profile named

test

.

Update Firefox Automatically

Set these preferences to ensure that Firefox, extensions, and themes are all updated without the user having to do anything:

extensions.update.autoUpdate            /* set to true */
extensions.update.severity.threshold    /* set to 0 (lowest severity) */
app.update.autoUpdateEnabled            /* set to true */
app.update.enabled                      /* set to true */

It's also possible to automatically download configuration data [Hack #29], proxy information [Hack #15] and certificate revocation lists [Hack #17] . None of those things require user intervention.

Raise Security to Protect Dummies

Set up Firefox for nontechnical people.

First of all, the Firefox product is designed with nontechnical people in mind. Most of its fancy features are hidden behind unusual key presses or buried in menus. From the beginning, it's pretty safe and secure. For the dazed and disoriented, though, safety doesn't just mean safe from web villains and privacy attacks; it also means being safe from confusion. Struggling users can easily harm themselves accidentally when confused, so that's something to avoid. Here are some of the configuration changes that you can apply to make life safer for struggling users:

  • Turn on automated patch updating.

  • Turn off password and form auto-complete features.

  • Leave on standard caching options, so that pages are always fresh.

  • Change the default download directory to the desktop if the operating system is Linux.

  • Download language packs and plug-ins when you install, and turn off subsequent plug-in detection.

  • Configure the Popup Manager to accept pop-ups from web sites the user trusts, such as banks and finance companies, and then turn off the pop-up blocker alert bar so that it never appears.

To turn on automated patch updates, see [Hack #13] . Auto-complete features can be turned off in the Options panel. To change the default download directory on Linux, change the directory preference from something like this:

browser.download.defaultFolder         /* was /home/nrm */

to this:

browser.download.defaultFolder    /* to /home/nrm/Desktop */

which is the location of the desktop under GNOME 2.x.

If your mother is Italian or Chinese, you might need support for non-English web sites. To prepare any required language packs and plug-ins, the hard way to proceed is to rebundle Firefox with the needed packs included in the install bundle. That's not recommended unless you plan on doing hundreds of installs. It's massive extra preparation for a marginally faster install result.

1 2 3 4 5 6 Page 1
Page 1 of 6
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon