Browser security

You need a browser that will not leak information over the internet and not leave traces on your machine.

Secondary Storage

On secondary storage, where the browser is installed and runs from:

  1. The browser should be run from read-only media. Configure your browser to only read and never write. Remount your file system in read-only mode to ensure nothing can be written, then run the browser.
  2. Failing that, the browser should be run from a volatile RAM disk. Buy 1 or 2 GB of RAM. Set up a segment of main memory as a file system, as if it were secondary storage. Load the image of the browser into RAM and run it.
  3. Failing the first two possibilities, the browser should be run from an encrypted device with a random one-time key. The key needs to be generated from environmental noise and must never be revealed to you. The key should be stored in volatile primary storage and be unrecoverable after killing the power. Map the storage device through a loop device with on-the-fly encryption using the randomized key. Format the loop device with a file system, copy the browser’s files over, and run. Optionally, shred the device afterward if you don’t want any adversary to brute-force your storage device 50 years later.
  4. Not recommended, but the browser may be run from a file-level encrypted directory with a random one-time key. As above, the key should be generated from environmental noise and you must not know it. The problem with a file-level encrypted directory is that as the ciphered data grows and shrinks within the file system, it is spread all over the disk, mixed in with your unencrypted data. It can’t be shredded easily to protect you from a future supercomputer brute-forcing your data.
  • Don’t use full disk encryption without a one-time key. Your passphrase may actually have less entropy than you think. Your adversary may even use rubber-hose cryptanalysis to get your passphrase.
  • Don’t use NTFS file-level encryption. Your passphrase is stored on your disk protected by an extremely weak hash. Ophcrack can reveal your passphrase in under an hour.
  • Don’t just shred your browser. If your browser once wrote sensitive information to an unencrypted storage device, shred the entire device.

Primary Storage

On primary storage, where the browser runs:

  • After powering down your machine, don’t leave it for at least 10 minutes. RAM takes time to lose its contents.
  • Don’t leave your machine without first powering it down. Simply pouring the liquid from any compressed gas duster onto the RAM will lower its temperature enough to preserve its contents; then anyone can just yank the RAM out of your machine and dump everything stored in it, including all your keys and passwords for all the websites (e.g. PayPal) you visited.
  • Don’t hibernate your machine. Hibernation writes RAM to the hard disk. Shred your hibernation partition if you have previously hibernated your machine. (Your PayPal password could already be written to the disk.)

Browser Settings

Here’s one method:

Running in:

  • Get Firefox Portable. It’s available for a variety of OS’s and works well.
  • Go through the preferences and disable anything that logs or leaks information. This includes, but is not limited to:
    • In “Content,” disable Java. Disable JavaScript if you don’t have NoScript.
    • In “Privacy,” remember nothing. Remember no history. Always clear everything before closing. You may want to disable cookies, but this is not essential if they are not written to disk and cleared on every browser shutdown.
    • In “Security,” warn before installing addons. Remove all exceptions. Remember no passwords.
    • In “Advanced” – Network, set the cache size to 0.
    • In “Advanced” – Update, disable auto updating/checking for updates.
  • Install the Torbutton extension – the one that overhauls browser security, not just changes proxy settings. The latest version at this time is 1.4.6.
  • OPTIONAL – Install the Firefox extension NoScript, which allows fine-grained control of JavaScript, fixes JavaScript links with JS disabled, etc. Remove the entries in the default whitelist. (I think this is unnecessary and may conflict with Torbutton – Moar)
    • Enable every check mark.
    • Make sure no cookies are written to disk.
    • Clear cookies on any browser shutdown.
    • Clear cookies on Tor toggle (“”).
    • Whenever there’s an option to choose between Tor and non-Tor, choose Tor.
    • Block the Tor disk cache, but you’ll want to allow the memory cache to prevent redownloading of images.
    • Make sure the proxy settings point to Privoxy.
    • Disable the hotkey/quick toggle if you use the browser only for Tor.
  • Set network.http.sendRefererHeader to 0 in about:config. Also set network.http.sendSecureXSiteReferrer to false.
  • In the proxy settings make sure the proxy exceptions list is empty. It can be used as a way for sites to access localhost.
  • One annoying thing about Firefox is the way it handles external applications. You want to disable them all because sites may call telnet for example, which can leak your IP address among other things. Look in about:config for network.protocol-handler.external. You’ll want to set the default and all the subsettings to false. Then look for network.protocol-handler.warn-external. You want to set the default and all the subsettings to true. Is there an extension that does this? (Torbutton!)
  • Popups are another annoyance. In “Content,” tell it to block pop-up windows with no exceptions.
  • Recently someone has found that Firefox checks for extensions without the user’s consent; a temporary solution is to set extensions.blocklist.enabled to false.
  • There are probably other information leaks that could come about if you accidentally click a button. One person has recommended searching through about:config for URLs and blanking them out. The types of links I’ve seen are http, https, and rdp. Don’t remove anything with chrome:// or resource:// though. (Some of these are used to phone home when you open the addons window [discussion on onionforum].)
  • Make sure the plugin directory is empty. Do this again every time you update Flash or Shockwave.
  • Set the home page to about:blank

It is a good idea to have a separate Tor browser to make things easier to manage. This becomes so much simpler when you have separate portable browsers each with their own specific purpose – non portable browsers tend to stick data in god knows where while portable ones keep it all in their folder. You should also make sure you use something equivalent to Firefox’s “Clear Private Data” feature and make sure evidence doesn’t pile up – encrypt what you plan to keep, shred anything you don’t. Take measures to prevent your computer from being remotely compromised; heck, encrypt your entire OS if you can, and don’t talk about Tor club. 😛

Because of the huge amount of lag associated with Tor, pipelining, i.e. sending http requests in batches, makes a lot of sense. Go to about:config and make the following changes:

  • network.http.keep-alive.timeout:600
  • network.http.max-persistent-connections-per-proxy:16
  • network.http.pipelining:true
  • network.http.pipelining.maxrequests:8
  • network.http.proxy.keep-alive:true
  • network.http.proxy.pipelining:true

You should also disable prefetching. This is when the browser tries to predict what the user will click next. It is a waste of Tor bandwidth, and should be disabled by setting:

  • network.prefetch-next:false

There is a test for browser information leaks on TorCheck. Note that it does not test for Flash; go to a non-JavaScript Flash site like MeatSpin, and if it loads it means (naturally) Flash isn’t blocked. Another good test is Last Measure: if it does anything besides show a background image, you have work to do (it starts downloading a file, but this is harmless; browsers load images all the time, for example).

Geolocation

Firefox 3.5 and above uses nearby WLAN signals and Google to determine your latitude and longitude for websites. To disable this feature set geo.enabled to false in about:config.
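The about:config values recommended above (referer, external protocol handlers, blocklist, URL-valued prefs, prefetch, geo.enabled) can be checked against a profile’s prefs.js. The Python audit below is an added example, not part of the original page; it assumes the user_pref("name", value); line format, and the SAMPLE text and its example.* pref names are constructed.

```python
import json
import re

PREF_RE = re.compile(r'^[ \t]*user_pref\("([^"]+)",\s*(.+?)\);[ \t]*$', re.M)
# URL-valued prefs; chrome:// and resource:// are exempt, as the page says.
URL_RE = re.compile(r"^(?!chrome://|resource://)[a-z][a-z0-9+.-]*://", re.I)
# Exact values named on the page. Assumption: prefs.js stores only non-default
# values and each of these differs from the default, so an absent pref is a finding.
EXACT = {"network.http.sendRefererHeader": 0,
         "network.http.sendSecureXSiteReferrer": False,
         "network.prefetch-next": False,
         "extensions.blocklist.enabled": False,
         "geo.enabled": False}
# The default and every sub-setting under these prefixes must hold this value.
PREFIX = {"network.protocol-handler.external": False,
          "network.protocol-handler.warn-external": True}

def parse_prefs(text):
    """Return {name: str | bool | int}; values are read as JSON-style literals."""
    return {name: json.loads(raw) for name, raw in PREF_RE.findall(text)}

def audit(prefs):
    """Return [(pref name, problem)] for each deviation from the page's advice."""
    out = []
    for name, want in EXACT.items():
        got = prefs.get(name)  # None when the pref is absent
        if type(got) is not type(want) or got != want:
            out.append((name, f"is {got!r}, want {want!r}"))
    for name, got in prefs.items():
        for prefix, want in PREFIX.items():
            if name.startswith(prefix) and got is not want:
                out.append((name, f"is {got!r}, want {want!r}"))
        if isinstance(got, str) and URL_RE.match(got):
            out.append((name, "holds a URL; review and blank it"))
    return out

# Constructed sample, not taken from a real profile.
SAMPLE = """\
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.sendSecureXSiteReferrer", true);
user_pref("geo.enabled", false);
user_pref("network.protocol-handler.external.mailto", true);
user_pref("network.protocol-handler.warn-external.mailto", true);
user_pref("example.update.url", "https://updates.example.invalid/check");
user_pref("example.ui.panel", "chrome://example/content/panel.xul");
"""

if __name__ == "__main__":
    print(audit(parse_prefs(SAMPLE)))
```

To audit a real profile, pass the text of the portable browser’s own prefs.js to parse_prefs.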

If you ever need geolocation enabled you can spoof it with the following method:

  1. Create a text file somewhere on your computer with the following text: {"location":{"latitude":0.000000,"longitude":0.000000,"accuracy":20.0}}
  2. Change latitude, longitude, and accuracy (in meters) to whatever you need to use
  3. Open about:config and find the option geo.wifi.uri
  4. Replace the URL (by default https://www.google.com/loc/json) with the path to the text file created in step 1 above

Browser Security Tests

Also look at Securing Tor to make sure Tor is self-contained and properly configured.

If you’re running Windows, check out Securing Windows as this information will go hand in hand with this page.

 
