t 19, 2019, 00:05 by qubes-users@googlegroups.com:
Problem
===========================

Firefox can leak various IDs from a profile to websites, so different sessions can be correlated across different qubes, including DispVMs. See e.g. [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1372288) and possibly many other bugs.

(Partial) solution
===========================

On every DispVM startup, we start without a Firefox profile, so a fresh one with a random ID is created. However, the default settings are not very privacy friendly (and annoying), so we need to change some and we also need to auto-install some extensions (e.g. ad blocker).

We do this by deploying a Firefox `policies.json` file into `/usr/lib/firefox-esr/distribution/policies.json` _before_ FF starts, so it pulls these settings onto itself at startup. We use the Qubes `/rw/config/rc.local` script to deploy the FF policy, as it runs immediately after VM startup.

Limitations
===========================

There are still plenty of opportunities to fingerprint the Firefox+OS+HW combo, e.g. the classic [EFF panopticlick](https://panopticlick.eff.org/) (see fingerprint section after test) or the more advanced leak tests at [browserleaks](https://browserleaks.com). For a whole list of leak test sites check this GitHub page of [ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-A---Test-Sites).

No bookmarks (perhaps also deployable by script), no history.

Qubes setup
===========================

Docs for the setup:

- [mozilla/policy-templates](https://github.com/mozilla/policy-templates/blob/master/README.md)
- [Qubes: running script on VM startup](https://www.qubes-os.org/doc/config-files/)

In a TemplateVM of DispVMs (DVM Template) put your settings in `/rw/config/firefox_policies.json`, e.g.:

...

and set up `/rw/config/rc.local` to deploy the policy at VM startup:

...

Further ideas, TODO
===========================

- Install more extensions: NoScript or uMatrix, etc.
- How to set up extensions, e.g. add a list to uBlock?
- Perhaps use Debian central `user.js`: `/etc/firefox-esr/firefox-esr.js`, fill it with `https://github.com/ghacksuserjs/ghacks-user.js` or `https://github.com/pyllyukko/user.js`

I've created a salt for my setup; it also includes the further ideas section with a few hacks to get everything to work properly. I install the add-ons from the Debian repos and make modifications to the source of uMatrix to allow changing the default rules. This isn't necessary on uBlock as there is a way to deploy custom settings from a file. I've taken the ghacks user.js file as my starting point and added my customisations into the user-overrides file. I also delete the .mozilla folder in the home folder at startup.

The repo is available here: https://gitlab.com/prago/my-salt
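One way to fill in the two steps the thread leaves as "..." (the policy file and the `rc.local` deployment), plus the `.mozilla` cleanup mentioned in the reply. This is an added example, not the original poster's script or the salt states from the linked repo. The policy values, the function names and the `/home/user` home directory are assumptions; the policy keys come from mozilla/policy-templates.

```shell
#!/bin/sh
# Added example for /rw/config/rc.local in the DVM Template (not the poster's script).
# Paths are the ones named in the post; the policy values are constructed samples.

# Write a constructed sample policy to $1 (run once to create firefox_policies.json).
write_sample_policy() {
    cat > "$1" <<'EOF'
{
  "policies": {
    "DisableTelemetry": true,
    "DisableFirefoxStudies": true,
    "DisablePocket": true,
    "DontCheckDefaultBrowser": true,
    "OverrideFirstRunPage": "",
    "Extensions": {
      "Install": ["https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"]
    }
  }
}
EOF
}

# Copy policy file $1 to $2/policies.json, refusing input that is missing,
# empty, or lacks the top-level "policies" key Firefox expects.
deploy_firefox_policy() {
    src=$1 dest_dir=$2
    [ -s "$src" ] || { echo "policy source missing: $src" >&2; return 1; }
    grep -q '"policies"[[:space:]]*:' "$src" || { echo "no \"policies\" key in $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    # Write to a temp name, then rename, so Firefox never reads a partial file.
    cp "$src" "$dest_dir/policies.json.tmp" || return 1
    chmod 0644 "$dest_dir/policies.json.tmp" || return 1
    mv -f "$dest_dir/policies.json.tmp" "$dest_dir/policies.json"
}

# Remove any leftover profile under home directory $1 so Firefox creates a fresh one.
reset_firefox_profile() {
    rm -rf "$1/.mozilla"
}

# rc.local runs as root right after VM startup, before the user starts Firefox.
deploy_firefox_policy /rw/config/firefox_policies.json /usr/lib/firefox-esr/distribution \
    && reset_firefox_profile /home/user \
    || echo "firefox policy not deployed" >&2
```

After starting a DispVM, `about:policies` in Firefox lists the active policies and any parse errors, which confirms the file was picked up.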