Hello,
I'm sharing the tips I've found here and there about the various Firefox configuration settings (about:config).
----------------------------------------------------------------
Firefox (and Tor) About:Config settings
----------------------------------------------------------------
- About:Config -
Your browser/computer might be leaking DNS queries; you can save some kilobytes of transfer by disabling DNS-Prefetching and Link-Prefetching:
network.dns.disablePrefetch (True)
One very important option is to disable Canvas support > https://addons.mozilla.org/en-US/firefox/addon/canvasblocker
CanvasBlocker | About:Addons > CanvasBlocker Options > Block Mode: Block Everything
----------------------------------------------------------------
Recommended User Agent, change with Modify Header Value:
* > User-Agent > Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
----------------------------------------------------------------
WebRTC can be used to check your local IP address, so for privacy and security reasons you might want to disable it:
media.peerconnection.enabled (False)
media.peerconnection.turn.disable (true)
media.peerconnection.use_document_iceservers (false)
media.peerconnection.video.enabled (false)
media.peerconnection.identity.timeout (1)
----------------------------------------------------------------
There is a built-in module in Firefox that improves your security, but steals your privacy and anonymity. The module reports what you download to Google servers to check if the file is infected with any kind of malware:
browser.safebrowsing.appRepURL (Blank)
browser.safebrowsing.downloads.enabled (False)
browser.safebrowsing.enabled (False)
browser.safebrowsing.gethashURL (Blank)
browser.safebrowsing.malware.enabled (False)
browser.safebrowsing.phishing.enabled (false)
browser.safebrowsing.malware.reportURL (Blank)
browser.safebrowsing.reportErrorURL (Blank)
browser.safebrowsing.reportGenericURL (Blank)
browser.safebrowsing.reportMalwareErrorURL (Blank)
browser.safebrowsing.reportMalwareURL (Blank)
browser.safebrowsing.reportPhishURL (Blank)
browser.safebrowsing.reportURL (Blank)
browser.safebrowsing.updateURL (Blank)
services.sync.prefs.sync.browser.safebrowsing.enabled (False)
services.sync.prefs.sync.browser.safebrowsing.malware.enabled (False)
As for Google’s services in Firefox > Set the value of:
geo.wifi.uri to http://127.0.0.1 (or blank)
Firefox uses Google Location Service to determine your physical location, disable geolocation:
geo.enabled (false)
browser.search.geoip.url (Blank)
browser.search.geoip.timeout (1)
Disable using OS locale, force APP locale:
intl.locale.matchOS (False)
Disable geographically specific results/search engines:
browser.search.geoSpecificDefaults (False)
browser.search.geoSpecificDefaults.url (Blank)
----------------------------------------------------------------
You shouldn't save any data for caching on your drive; it can be easily recovered even after a long time.
Disable the disk cache:
browser.cache.disk.enable (False)
browser.cache.offline.enable (False)
browser.cache.disk.capacity (0)
browser.cache.offline.capacity (0)
browser.cache.disk_cache_ssl (False)
Cache in RAM:
browser.cache.memory.enable (True)
Possibly choose a cache size for RAM (recommended):
browser.cache.memory.capacity (960000) (960000Kb = 120Mo). (/!\ incompatible with browser.sessionhistory.max_total_viewers (0) #203 /!\)
----------------------------------------------------------------
- Hiding your referers -
Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes.
network.http.sendRefererHeader | Determines when to send the Referer HTTP header:
0: Never send the referring URL
1: Send only on clicked links
2 (default): Send for links and images
^ Set it to 1, or to 0 ^ (/!\ 0 is the better option but may break a few websites /!\)
----------------------------------------------------------------
network.http.referer.XOriginPolicy:
0 (default): Always send
1: Send if base domains match
2: Send if hosts match
^ Set it to 2 ^
----------------------------------------------------------------
network.http.referer.spoofSource:
false (default): real referer
true: spoof referer (use target URI as referer)
^ Set it to true ^
----------------------------------------------------------------
network.http.referer.trimmingPolicy:
0 (default): send full URI
1: scheme+host+port+path
2: scheme+host+port
^ Set it to 2 ^
----------------------------------------------------------------
################ Updated Here ################
Add-ons I use:
Smart HTTPS - Automatically changes HTTP addresses to the secure HTTPS, and if loading encounters error, reverts it back to HTTP. Download: https://addons.mozilla.org/fr/firefox/addon/smart-https-revived/
uMatrix - Point & click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc. Download: https://addons.mozilla.org/en-US/firefox/addon/umatrix/
Bloody Vikings! - Simplifies the use of temporary e-mail addresses in order to protect your real address from spam. Supports inter alia 10minutemail.com and anonbox.net.
Download: https://addons.mozilla.org/en-US/firefox/addon/bloody-vikings/
CanvasBlocker - Blocks the JS-API for modifying <canvas> to prevent Canvas-Fingerprinting. Download: https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
Modify Header Value (HTTP Headers) - Add, modify or remove a header for any request on desired domains. Download: https://addons.mozilla.org/en-US/firefox/addon/modify-header-value/
################ Updated Here ################
----------------------------------------------------------------
DOM storage has become a much bigger threat to our privacy than the dreaded cookies were. Unfortunately this technology is certainly set to leave cookies in the dust, so changing the default value of this configuration to false is strongly recommended for security reasons. However, please note that it may cause a few web sites not to work properly at the same time:
dom.storage.enabled (False)
Link prefetching is when a web page hints to the browser that certain pages are likely to be visited, so the browser downloads them immediately and they can be displayed as soon as the user requests them.
By setting network.prefetch-next to false, we are controlling the following:
network.prefetch-next (False)
----------------------------------------------------------------
Firefox performance:
network.http.pipelining (True)
network.http.pipelining.ssl (True)
network.http.proxy.pipelining (True)
network.http.pipelining.maxrequests (10)
network.http.max-connections (48)
network.http.max-persistent-connections-per-server (8)
network.http.max-persistent-connections-per-proxy (16)
network.http.redirection-limit (8)
network.predictor.enabled (False)
Disable IPv6:
network.dns.disableIPv6 (True)
WebGL (Web-based Graphics Library) is a collection of code for JavaScript that makes it possible for a website to access your video card in order to display interactive 3D-graphics using the HTML5 Canvas element—without using any third-party plug-ins.
WebGL can be a threat to your device security and online anonymity:
webgl.disabled (True)
webgl.enable-webgl2 (false)
----------------------------------------------------------------
Firefox 2.0 introduced a built-in Session Restore feature, allowing the user to continue browsing from where they left off if the browser restarts. This preference controls when to store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data.
browser.sessionstore.privacy_level:
0 = Store extra session data for any site
1 = Store extra session data for unencrypted
2 = Never store extra session data
^ Set it to 2 ^
----------------------------------------------------------------
Reduce the amount of RAM Firefox uses for its cache feature, do not store any pages in memory:
browser.sessionhistory.max_total_viewers (0) (/!\ incompatible with browser.cache.memory.capacity #87 /!\)
Don't cache HTTP or HTTPS files:
network.http.use-cache (False)
Disable crash reporting to Mozilla:
breakpad.reportURL (Blank)
Number of processes (min 1/max 7). Depends on the size of your RAM:
dom.ipc.processCount (4)
New Cache Firefox:
browser.cache.use_new_backend (1)
Disable navigator.sendBeacon. This method meets the needs of certain analytical or diagnostic codes that attempt to send data to a web server before unloading the document. Sending the data earlier could result in a missed opportunity to collect data:
beacon.enable (False)
Disable letting websites know if you have info from them in your clipboard:
dom.event.clipboardevents.enabled (False)
----------------------------------------------------------------
Telemetry is an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.
Disable Telemetry:
toolkit.telemetry.archive.enabled (False)
toolkit.telemetry.bhrPing.enabled (False)
toolkit.telemetry.firstShutdownPing.enabled (False)
toolkit.telemetry.infoURL (Blank)
toolkit.telemetry.newProfilePing.enabled (False)
toolkit.telemetry.reportingpolicy.firstRun (False)
toolkit.telemetry.server (Blank)
toolkit.telemetry.shutdownPingSender.enabled (False)
toolkit.telemetry.unified (False)
toolkit.telemetry.updatePing.enabled (False)
Disable new tab tile ads & preload & marketing junk:
browser.newtabpage.enabled (False)
browser.newtabpage.introShown (True)
browser.newtabpage.enhanced (False)
browser.newtab.preload (False)
----------------------------------------------------------------
A result of the Tor Uplift effort, this preference isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains:
privacy.firstparty.isolate (true)
A result of the Tor Uplift effort, this preference makes Firefox more resistant to browser fingerprinting:
privacy.resistFingerprinting (true) (/!\ starts window minimized /!\)
----------------------------------------------------------------
This is Mozilla’s new built-in tracking protection. It uses the Disconnect.me filter list, which is redundant if you are already using uBlock Origin 3rd party filters, therefore you should set it to false if you are using the add-on functionality:
privacy.trackingprotection.enabled (True)
The attribute would be useful for letting websites track visitors’ clicks:
browser.send_pings (false)
browser.send_pings.require_same_host (true)
Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs:
browser.sessionstore.max_tabs_undo (0)
Disable preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types into the address bar, which is a concern if URLs are suggested that the user does not want to connect to:
browser.urlbar.speculativeConnect.enabled (false)
Website owners can track the battery status of your device:
dom.battery.enabled (false)
Websites can track the microphone and camera status of your device:
media.navigator.enabled (false)
Disable cookies:
0 = Accept all cookies by default
1 = Only accept from the originating site (block third party cookies)
2 = Block all cookies by default
network.cookie.cookieBehavior (1)
Cookies are deleted at the end of the session:
0 = Accept cookies normally
1 = Prompt for each cookie
2 = Accept for current session only
3 = Accept for N days
network.cookie.lifetimePolicy (2)
----------------------------------------------------------------
POPUP windows - prevent or allow javascript UI meddling:
dom.disable_window_move_resize (True)
dom.disable_window_open_feature.close (True)
dom.disable_window_open_feature.personalbar (True)
dom.disable_window_open_feature.titlebar (True)
dom.disable_window_open_feature.toolbar (True)
Disable keyboard fingerprinting:
dom.keyboardevent.code.enabled (False)
Disable resource/navigation timing:
dom.enable_resource_timing (False)
dom.enable_user_timing (False)
Disable timing attacks - javascript performance fingerprinting:
dom.enable_performance (False)
Display all parts of the url. Why rely on just a visual clue - helps SECURITY:
browser.urlbar.trimURLs (False)
Disable css querying page history - css history leak - PRIVACY:
layout.css.visited_links_enabled (False)
Disable auto-play of media - what are the implications, we already have click to play:
media.autoplay.enabled (False)
Disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers:
datareporting.policy.dataSubmissionEnabled (False)
Disable "Reader View":
reader.parse-on-load.enabled (False)
Always ask the user where to download - enforce user interaction for security:
browser.download.useDownloadDir (False)
Disable WebIDE to prevent remote debugging and add-on downloads:
devtools.webide.enabled (False)
devtools.webide.autoinstallADBHelper (False)
devtools.webide.autoinstallFxdtAdapters (False)
devtools.debugger.remote-enabled (False)
devtools.cache.disabled (True)
Disable add-on metadata updating:
extensions.getAddons.cache.enabled (False)
----------------------------------------------------------------
Thanks to SirUnnice and to all the others :)
----------------------------------------------------------------
Personally, I've enabled everything, but I recommend a second browser for things like online shopping.
I also replaced all the Google links, e.g.:
https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY% with https://TOTOsb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_API_KEY%
With this method the link doesn't work, and to go back you just have to type TOTO in the about:config search bar and then delete TOTO to put everything back as it was originally :cool:
If you have other about:config tips, feel free to add them, with a description if possible.
Thanks.
PS: back up the ~/.mozilla/firefox/xxxxxxxxxxxx.default folder before making these changes (Ctrl + H to show hidden files)
Edit: added comments
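
A way to check which of the settings listed in this post are actually in effect, as an added example that is not part of the original post: it parses the text of a profile's prefs.js (Firefox writes values changed from their defaults there as `user_pref("name", value);` lines) and compares it with a subset of the recommended values. The function names and the sample file content are constructed for the example; a pref reported as "unset" is still at its default.

```python
import re

# Subset of the values recommended in the post (pref name -> wanted value).
WANTED = {
    "network.dns.disablePrefetch": True,
    "network.prefetch-next": False,
    "media.peerconnection.enabled": False,
    "geo.enabled": False,
    "browser.cache.disk.enable": False,
    "network.http.referer.XOriginPolicy": 2,
    "network.cookie.cookieBehavior": 1,
    "privacy.firstparty.isolate": True,
    "browser.safebrowsing.reportURL": "",
}

# One prefs.js entry: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

def parse_value(raw):
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)

def parse_prefs(text):
    """Return {name: value} for every user_pref line; comments are skipped."""
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}

def audit(text, wanted=WANTED):
    """Map each deviating pref to 'unset' (still default) or 'mismatch'."""
    prefs, findings = parse_prefs(text), {}
    for name, want in wanted.items():
        if name not in prefs:
            findings[name] = "unset"
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            findings[name] = "mismatch"
    return findings

SAMPLE = """// Constructed sample, not taken from a real profile
user_pref("network.dns.disablePrefetch", true);
user_pref("media.peerconnection.enabled", false);
user_pref("geo.enabled", true);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("browser.safebrowsing.reportURL", "https://TOTOexample.invalid/report");
"""
```

To audit a real profile, pass the contents of the prefs.js file from the profile folder mentioned in the PS to `audit()`; a URL neutralised with the TOTO prefix shows up as "mismatch" rather than blank, which makes those entries easy to list.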