This guide shows how to set up the open-source web browser Firefox 1.5 and how to optimize the security related settings. Firefox (formerly Firebird/Phoenix) is based on the source code of the popular Mozilla web browser. Due to its lean and secure design, Firefox is a very good choice as default web browser to improve the surfer's security.
Installation:
Download Firefox 1.5 and start the installer.
Select Custom as Setup Type and press Next.
Choose the installation folder on your hard disk.
Uncheck Quality Feedback Agent which sends information to the home server in case of a program crash.
Finish the installation.
Configuration:
This section explains how to adjust the settings so that Firefox works in the most secure way. Be aware that some web pages may not work properly, especially when active contents like Java, JavaScript or Cookies are used. These active contents pose a potential security risk which may compromise the surfer's privacy and anonymity. On trustworthy web pages active contents could be enabled temporarily, see the respective hints in the following text.
Disconnect from the Internet before the initial startup. Then launch Firefox from the Start menu.
Firefox can act as the default browser on the system (recommended). Press Yes. This setting can be changed later in the options.
Right-click Latest Headlines and choose Delete.
Enter the Options.
General
Enter about:blank as Home Page which results in a blank browser window at each startup
Click Connection Settings to configure proxy servers. Select Manual proxy configuration and enter the IP and Port of the proxy server(s) to use. Enter localhost, 127.0.0.1 in No Proxy for: which enables a direct connection to local services or proxies (e.g. Freenet proxy).
Using HTTP/SSL/FTP/GOPHER proxies
Firefox supports proxies for HTTP, SSL (HTTPS), FTP (passive mode, download only) and Gopher. Fill in the respective fields with a suitable proxy IP and port and leave the SOCKS HOST field empty as shown in the left .
Using a SOCKS proxy
To run all connections of Firefox through a SOCKS proxy, enter the IP and port of a SOCKS proxy in the the SOCKS Host field. Choose the type of the SOCKS proxy (SOCKS v4 or SOCKS v5). Leave all other fields blank as shown in the right .
Warning: When using a SOCKS proxy, Firefox in the default settings leaks information to the DNS server assigned to your system, usually your ISP. Read the section Resolving host names remotely (SOCKSv5 proxy) in the chapter Extended Configuration on how to circumvent this behavior.
Privacy
Enter 0 days to disable the storage of previously visited web pages.
Firefox is able to store all data which you ever entered into a web form, e.g. when signing up for a free email account. To disable the storage of (possibly sensitive) personal data, deactivate Save information I enter in forms and the Search Bar.
Disable the storage of login information by deactivating Remember Passwords.
A list of all downloaded files is kept by Firefox. Select When Firefox exits from the drop-down menu to delete the history on shutdown automatically.
Cookies can be used to trace the user's habits and therefore should be disabled by deactivating Allow sites to set Cookies. Note: Some web sites require cookies to work properly. In that case remove all stored cookies by pressing Clear Cookies Now. Then enable cookies by activating Allow sites to set Cookies and visit the web site. After you've left the web site remove the stored cookies by using Clear Cookies Now. Then deactivate Allow sites to set Cookies again.
Press Exceptions. This list contains allowed and disallowed sites to store cookies. Better leave the list empty.
To minimize the storage of evidence of your web activities set the Cache to 0 MB
Press Settings to open the Clear Private Data preferences. For maximum privacy, enable all items on the list.
Web Features
Popup Windows - To block popup windows activate Block Popup Windows and leave the list of allowed sites empty.
Installation of extensions and themes - The warning function must be enabled. Otherwise a web site could install malicious software to your computer.
Loading - Each in a web page is loaded by the browser separately. The web page contains links to the s only, not the actual file which can be stored anywhere. By inserting an file link which actually contains a link to an external script, an external server can watch the users who visit the web page. The user perceives nothing of the external logging process because the is invisible to him. This technique is called Web Bug. It is used by advertisement networks to collect user's data. Firefox provides a function to deny access to web bugs. Activate Load s and for the originating Web site only.
Java - Firefox provides support for Java when a Java Virtual Machine (e.g. Sun's JRE) is installed on the system. Java applets are small programs which the browser can download and execute from a web page, transparent to the user. This may compromise the user's anonymity by revealing certain information like real IP and system configuration. Therefore Java must be disabled by unchecking Enable Java.
JavaScript - Disable JavaScript to avoid running script code on your machine which may compromise your security or anonymity. Some web pages require JavaScript. On very trustworthy sites JavaScript can be enabled temporarily under certain circumstances. Usually it's strongly recommended to disable JavaScript permanently.
Downloads
Select Ask me where to save every file to get full control over the storage location of files to download
Advanced
Press Edit Languages.
The browser's default languages are listed here. Since this information is sent to each visited web site, it should be faked in order to preserve the user's anonymity. Remove the default entries in Languages. An alternative way to adjust these values is described in the chapter Extended Configuration below.
Disable all of the the automatic update functions. A process of automatic updates connects to an external server without the user's control and may install undesired files to the system. Extensions are enhancements to Firefox which serve the usability mostly. But each extension poses a potential security risk to the integrity and security of Firefox. To achieve the best level of security in Firefox don't install extensions.
If you want to connect to a secure server (https:) via the encrypted SSL/TLS protocol, the respective Protocols must be enabled. Keep in mind that a proxy server with SSL support has to be entered into the SSL Proxy field in the Connection Settings. Always double-check the anonymity of an SSL proxy before use. To avoid potentially non-anonymous connections in the first place, disable all Protocols as shown below.
Press OK to save the settings.
In spite of the secure settings, Firefox stores some temporary data of a surfing session nevertheless. Therefore the Clear Private Data function can, and should, be used to delete all stored information at once, either manually from the Tools menu or automatically on shutdown of Firefox.
Extended Configuration:
Firefox provides a lot more settings than those shown in the Preferences menus. Usually those settings shouldn't be touched without the appropriate knowledge. Careless changes may have unexpected results. We describe the most important special settings here in this section: A way to optimize the performance of the connection speed, a way to improve the anonymity by modifying the CGI variable HTTP_USER_AGENT which is sent to a web page at each visit , the modification of HTTP_ACCEPT_LANGUAGE which may reveal the user's home country, how to avoid tracing of previously visited web sites by disabling HTTP referrer logging, how to disable the browser cache and some other useful settings.
Optimizing the connection speed:
A normal web page contains usually a lot of elements (s, frames, sounds,...) Most elements are stored in separate files. When a browser opens a web page it has to load all elements (files) first. To speed up the loading of the page the browser tries to load several files parallel, i.e. it establishes a certain number of simultaneous connections to the web page (remote server). The default settings in Firefox are quite conservative, so adjusting the values may result in a considerable better performance, especially when the remote server is very slow.
Enter about:config in the location bar to reach the preferences. The relevant entries for the simultaneous connections are:
network.http.max-connections
network.http.max-connections-per-server
network.http.max-persistent-connections-per-proxy
network.http.max-persistent-connections-per-server
To change a value right-click the preference and select Modify.
Enter the new value.
The status changes from default to user set.
The values to use depend on the particular system and connection speed. Some experience is required to find the 'right' settings. The values which are shown in the above are recommended by the developers of the decentralized encrypted network Freenet. Since Freenet connections are very slow mostly, it benefits from a high number of allowed simultaneous connections.
Modification of HTTP_USER_AGENT:
When a browser connects to a web site, a number of information is transmitted along with the request. The CGI variable HTTP_USER_AGENT, for example, contains usually information about the used browser and operating system.
Example: HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.Cool Gecko/20051111 Firefox/1.5
As you can see a lot of system related data is revealed to the web site. In the example above the user connected with Mozilla version 1.8/Firefox 1.5 on a Windows 2000 operating system and his language is US-English. Most anonymous HTTP proxies forward this data unmodified! Firefox provides a way to modify the content of HTTP_USER_AGENT, i.e. to send completely faked data to a web site. A useful method to improve the user's anonymity.
Enter about:config in the location bar to reach the preferences. Some items of the content of HTTP_USER_AGENT can be modified there.
To completely fake HTTP_USER_AGENT a new preference must be added. The value of general.useragent.override is used as the current string which is transmitted in HTTP_USER_AGENT. It is fully customizable by the user and overrides all other settings related to general.useragent.x. To create the new preference right-click anywhere in the window and choose New/String.
Enter general.useragent.override as preference name.
Type in the string to use for HTTP_USER_AGENT. We recommend to use an empty string, i.e. leave the input field blank.
The new preference is added to Firefox now.
To double-check the result visit a web based proxy checker site. The proxy checker should display something like HTTP_USER_AGENT (none)¡¡ (e.g. Stilllistener's Proxy Checker) or HTTP_USER_AGENT isn't shown at all (e.g. ProxyJudge).
Modification of HTTP_ACCEPT_LANGUAGE:
The CGI variable HTTP_ACCEPT_LANGUAGE is sent to a web site at each request. Usually it contains information about the languages the user is able to understand. To improve the anonymity the content of HTTP_ACCEPT_LANGUAGE should be faked or removed.
Enter about:config in the location bar to reach the preferences. Right-click intl.accept_languages and choose Modify.
Type in the string to use for HTTP_ACCEPT_LANGUAGE. We recommend to use an empty string, i.e. leave the input field blank.
The value for HTTP_ACCEPT_LANGUAGE is empty now. Double-check the results with a web based proxy checker.
The value of HTTP_ACCEPT_CHARSET can be changed too. Just modify the preferences intl.accept_charsets and intl.charset.default. But be careful, your browser may display the wrong characters on some web sites. Look up the Character Coding which matches your installed operating system here.
Disabling of HTTP referrer logging:
The CGI variable HTTP_REFERER tells the visited web site which hyperlink the user has clicked to reach the site. By reading this variable the web site can trace the user's way through its site. It could also block access to certain contents when external linking is attempted. Sometimes the hyperlink to a certain site carries additional information to reveal its origin. For better anonymity the HTTP referrer logging should be disabled.
Enter about:config in the location bar to reach the preferences. Right-click on network.http.sendRefererHeader and choose Modify.
Enter 0 to disable the referrer logging. Press OK.
Disabling of the browser cache:
Firefox stores some temporary files during an Internet session. The files are stored to a dedicated folder on the hard disk and to the main memory, the so called cache. To minimize the storage of evidence some settings must be adjusted.
Enter about:config in the location bar to reach the preferences. Change the values as shown below. Use Toggle from the context menu to switch between true and false values.
Resolving host names remotely (SOCKSv5 proxy):
Before Firefox can connect to a remote server, it has to know the IP address. The host name (e.g.
Only registered users can see links on this forum!
Register or Login on forum! |
must be resolved to the assigned IP address. This procedure is called DNS lookup or name resolution. When using a HTTP/SSL/FTP proxy, Firefox does the name resolution through the proxy. When using a SOCKSv5 proxy, Firefox in the standard settings tries to use the default DNS client of your system which usually connects to a DNS server of your ISP. That is, Firefox leaks information to the DNS server at each request. Your real IP is sent along with the request, a serious breach in your anonymity. To force the name resolution through the SOCKSv5 proxy, the preference network.proxy.socks_remote_dns must be set to true as shown in the below.
Other settings:
It's recommendable to disable network.http.accept.default and network.http.accept-encoding.
