[Cialug] Firefox for paranoid people

Tim Wilson tim_linux at wilson-home.com
Mon Apr 26 18:19:51 CDT 2010


In addition to adding "-ProfileManager" to the run command, you should also
add "--no-remote" so you can run (for example) the research and the webdev
profiles at the same time.

Other than that, I would add the following for web development:
CodeBurner for Firebug
ColorZilla
Firecookie
Html Validator
View Source Chart (I don't use it much anymore, it was handy until I learned
more about Firebug)
XPather

I did have Tamper Data, but it doesn't appear to be updated.

General addons, I like Tab Mix Plus, Hide Tabbar, "Open link in...",
and Image Zoom.  I hate the default behavior of tab handling in Firefox, TMP
gets it closer.  Hide Tabbar is good if you're paranoid about people seeing
what you have open.  You can have a bunch of tabs open, but still hide the
tab bar so they only see the active tab.  "Open link in..." gives you
control over where to open each link.  So if you let Firefox open
tabs/windows however it sees fit, and you're at a site that you know will
open a link in a new window, you can right-click the link and tell it where
to open.  Not sure if Image Zoom works on Linux.

I'd also add CustomizeGoogle for the research profile.  You probably don't
need it for the paranoid profile since you have that locked down pretty
tight.

For search engines, I have Wikipedia, Delicious, Merriam-Webster, and
Bugzilla for work.


On Mon, Apr 26, 2010 at 1:45 PM, Josh More
<MoreJ at alliancetechnologies.net> wrote:

> Hmm.
>
> Perspectives looks very interesting, but hasn't been updated to the current
> Firefox, so I can't play with it.  (Same with Cert Alert.)
>
> Chunghwa is Taiwanese.
>
> The CNNIC is an interesting idea.  I'm going to play with that.
>
>
>
> -Josh More, CISSP, GIAC-GSLC, GIAC-GCIH, RHCE, NCLP
> morej at alliancetechnologies.net
> 515-245-7701
>
> ________________________________________
> From: cialug-bounces at cialug.org [cialug-bounces at cialug.org] on behalf of
> Matt Stanton [inflatablesoulmate at brothersofchaos.com]
> Sent: Sunday, April 25, 2010 14:31
> To: Central Iowa Linux Users Group
> Subject: Re: [Cialug] Firefox for paranoid people
>
> I can think of a couple of things you might be interested in, from a
> paranoid browser standpoint...  First, the latest firefox (3.6.x) has a
> new certificate authority that is controlled by the Chinese government.
> I disable its ability to identify anything whatsoever.  The CA is for
> CNNIC (I also disable Chunghwa, simply because it looks Chinese).
> Deleting the certs does you no good, since FF will just re-add them.
>
> Second, there is a browser add-on called 'perspectives', which adds
> another layer of security for people who actually pay attention to
> browser warnings.  The perspectives network has a list of sites and
> their certificates, and checks the certificates/sites on a regular basis
> from several discrete network locations to make sure that they all come
> back the same to each location, and they come back the same each time it
> checks.  It will pop up a warning if different locations come back with
> different information, or if the information has changed recently.  I am
> no security expert, but I believe this gives you a best-guess that a
> site is not being hijacked by a man-in-the-middle attack, or that a
> large-scale attack has changed the authority of the site internet-wide.
> While both are probably extremely rare, it would identify a rogue CA if
> you paid attention.
>
> On 4/25/2010 2:04 PM, Josh More wrote:
> > Since this has been a popular project in the past, and I just spent the
> > weekend building myself a new laptop, I thought I'd share my firefox
> > config with everyone.
> >
> > I started with my basic add ons:
> > * Adblock Plus to prevent those annoying ads (and ad-based malware
> >   infections)
> > * Neo Diggler to give me a quick way to clear the location bar and give
> >   me the ability to add custom stuff
> > * No Script to prevent scripts from running.  I did a quick whitelisting
> >   of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc)
> > * Web of Trust to give me a hint before I click on a link.
> > * Tiny Menu to maximize screen real estate.  (I love me the tiny laptops)
> > * TorButton for quickly accessing The Onion Router (requires installing
> >   additional software to utilize)
> >
> > Sadly, LongURL is not supported on the new Firefox yet.
> >
> > I restarted Firefox to activate everything and configured the plugins
> > the way I like.  I also customized the Nav bar and moved everything up
> > to the Menu bar that TinyMenu made nice and small.  Then I used the View
> > menu to turn off Navigation and Bookmarks.
> >
> > Then I went into Preferences->Privacy and set Firefox to "Never remember
> > history" and suggest "Nothing".  I also cleared my history that was
> > created thus far.  In Preferences->Security, I told it to never remember
> > passwords, block reported attack sites, web forgeries and add ons.  (By
> > not remembering passwords, I render myself less vulnerable to risk from
> > theft of my profile directories, but more vulnerable to keyloggers...
> > it's a good tradeoff to me.)
> >
> > I then shut down Firefox and went into ~/.mozilla/firefox.  I did a
> > cp -a of my profile directory to other names:
> >
> > cd ~/.mozilla/firefox
> > cp -a blahblah.default research
> > cp -a blahblah.default secure
> > cp -a blahblah.default webdev
> >
> > Then I edited profiles.ini and copied the four top lines of [Profile0]
> > to new blocks of Profiles 1 through 3.  I edited the Name and Path to
> > reflect each of my new profile directories (research, secure, webdev).
> > Then I edited the Firefox launcher and appended "-ProfileManager" to the
> > "run command".  This way, when I click on the little icon, Firefox will
> > prompt me for the profile I want each time I launch it.
> >
> > I then launched it and selected my "research" profile.
> >
> > Here, I went back into Preferences->Privacy and told it to go ahead and
> > remember history and make suggestions (as when I'm researching things, I
> > often forget where I found things and what I searched on.)  Then I
> > installed the following add ons:
> >
> > * Add N Edit Cookies for cookie manipulations
> > * HackBar for SQL injection fun
> > * PassiveRecon for exactly what it sounds like
> > * RefControl for mangling HTTP headers
> >
> > Then I added the following search engines to the dropbox:
> >
> > * Offensive Security Exploit Database
> > * Security Focus Vulns Search
> > * Security Wire Search
> >
> > I'll probably add more as I play with it.  I'm still not used to using
> > this feature to search the deep web.  (Wonder if one could be written to
> > access our corporate wiki?)
> >
> >
> > Then it was time to restart Firefox and activate, set preferences, yada
> > yada yada.
> >
> > After that, I restarted to access the "secure" profile.  Really, I
> > should have named this one "paranoid".  I went into
> > Preferences->Security and turned on ALL warning messages.  It's annoying
> > to use now, but that's partly the point.
> >
> > I set StartPage to my initial home page, using the "Generate Custom URL"
> > feature on the site.  Since I'm not storing any cookies at all, this is
> > how it has to be done.  I removed all search engines and added IxQuick
> > HTTPS, Startpage HTTPS and Scroogle SSL.   On the AddOn side, I added
> > Force-TLS, though it really doesn't do all I'd like it to.
> >
> > Lastly, I installed the Orange Fox theme, which is ugly and garish, but
> > since I wanted a visual reminder that I was in the paranoid profile, it
> > was exactly what I wanted.
> >
> >
> > After another restart I entered the webdev side.  The fun new add ons
> > here were:
> >
> > * Firebug for tracing DOM and CSS issues, which I don't do much anymore,
> >   but it's still nice to have.
> > * FlashGot for massive download fun on archive.org
> > * Greasemonkey for fixing stupid sites (and integrating with FlashGot to
> >   bypass trivial Javascript-implemented "security" checks)
> > * Live HTTP Headers for watching traffic in real time, when I don't want
> >   to launch a real proxy
> > * Web Developer for the same reason as Firebug
> >
> >
> > So, can any of you think of anything that I missed?
> >
> >
> >
> > -Josh More, CISSP, GIAC-GSLC, GIAC-GCIH, RHCE, NCLP
> > morej at alliancetechnologies.net
> > 515-245-7701
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
>



-- 
Tim
Required reading: http://bccplease.com/
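
Added example, not part of the original thread or any poster's own script: the profile-cloning steps quoted above (cp -a of the default profile, new [ProfileN] blocks in profiles.ini) as a re-runnable shell function, plus the launch command using the --no-remote flag from the reply. The function names, argument order, and the assumption that existing [ProfileN] indices run contiguously from 0 are this example's own.

```shell
#!/usr/bin/env bash
# Added example: clone one Firefox profile directory into several named
# profiles and register each in profiles.ini. Run with Firefox shut down.
# Usage: clone_profiles ~/.mozilla/firefox blahblah.default research secure webdev

clone_profiles() {
    local ff_dir=$1 src=$2; shift 2
    local ini="$ff_dir/profiles.ini" name next

    [ -d "$ff_dir/$src" ] || { echo "no such profile dir: $src" >&2; return 1; }
    [ -f "$ini" ] || { echo "missing $ini" >&2; return 1; }

    for name in "$@"; do
        # Skip names already registered so the function is safe to re-run.
        if grep -qxF "Name=$name" "$ini"; then
            echo "profile '$name' already in profiles.ini, skipping" >&2
            continue
        fi
        # Never overwrite an existing directory (it may hold live data).
        if [ -e "$ff_dir/$name" ]; then
            echo "'$name' already exists on disk, skipping" >&2
            continue
        fi

        # cp -a keeps ownership, modes and timestamps, as in the post.
        cp -a "$ff_dir/$src" "$ff_dir/$name"

        # Assumption: existing sections are numbered 0..N-1 with no gaps,
        # so the count of [ProfileN] headers is the next free index.
        next=$(grep -c '^\[Profile[0-9]*\]$' "$ini" || true)
        printf '\n[Profile%s]\nName=%s\nIsRelative=1\nPath=%s\n' \
            "$next" "$name" "$name" >> "$ini"
    done
}

# Build the launch command for one profile. --no-remote starts a separate
# instance, so two profiles can run at the same time; -P selects the
# profile by name instead of prompting with -ProfileManager.
launch_cmd() {
    printf 'firefox --no-remote -P %s\n' "$1"
}
```
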