Customizing Firefox in dispVMs (brand new profile on every dispVM startup)

[mekken1et]

Problem
===========================

Firefox can leak various IDs from a profile to websites, so different sessions can be correlated across different qubes, including DispVMs.
See e.g. [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1372288) and possibly many other bugs.


(Partial) solution
===========================

On every DispVM startup, we start without a Firefox profile, so a fresh one with random ID is created. However, the default settings are not very privacy friendly (and annoying), so we need to change some and we also need to auto install some extensions. (e.g. ad blocker)
We do this by deploying a Firefox `policies.json` file into `/usr/lib/firefox-esr/distribution/policies.json` _before_ FF starts, so it pulls these settings onto itself at startup. We use the Qubes `/rw/config/rc.local` script to deploy the FF policy, as it runs immediately after VM startup.


Limitations
===========================

There are still plenty opportunities to fingerprint the firefox+OS+HW combo, e.g. the classic [EFF panopticlick](https://panopticlick.eff.org/) (see fingerprint section after test) or the more advanced leak tests at [browserleaks](https://browserleaks.com).
For a whole list of leak test sites check this GitHub page of [ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-A---Test-Sites)

No bookmarks (perhaps also deployable by script), no history.


Qubes setup
===========================

Docs for the setup:

- [mozilla/policy-templates](https://github.com/mozilla/policy-templates/blob/master/README.md)
- [Qubes: running script on VM startup](https://www.qubes-os.org/doc/config-files/)

In a TemplateVM of DispVMs (DVM Template) put your settings in `/rw/config/firefox_policies.json`, e.g.:

```
$ cat <<EOF | sudo tee /rw/config/firefox_policies.json
{
"policies": {
"DisablePocket": true,
"DisableFirefoxAccounts": true,
"DisableFirefoxStudies": true,
"DisableTelemetry": true,
"OverrideFirstRunPage": "",
"OfferToSaveLogins": false,
"Extensions": {
"Install": ["https://addons.mozilla.org/firefox/downloads/latest/ublock-origin"]
},
"SearchEngines": {
"Default": "DuckDuckGo",
"Remove": ["Google", "Twitter", "Bing", "Amazon.com"]
},
"Homepage": {
"StartPage": "none"
},
"Permissions": {
"Location": {
"BlockNewRequests": true
}
}
}
}
EOF
```

and set up `/rw/config/rc.local` to deploy the policy at VM startup:

```
$ cat <<EOF | sudo tee --append /rw/config/rc.local

# Deploy Firefox policies
cp /rw/config/firefox_policies.json /usr/lib/firefox-esr/distribution/policies.json
EOF
```


Further ideas, TODO
===========================

- Install more extensions: NoScript or uMatrix, etc.
- How to setup extensions, e.g. add a list to uBlock?
- Perhaps use Debian central `user.js`: `/etc/firefox-esr/firefox-esr.js`
fill it with
`https://github.com/ghacksuserjs/ghacks-user.js`
or
`https://github.com/pyllyukko/user.js`

[awokd]

'mekken1et' via qubes-users:

>
> Problem
> ===========================
>
> Firefox can leak various IDs from a profile to websites, so different sessions can be correlated across different qubes, including DispVMs.

Thank you; nice list.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

[mekken1et]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, October 19, 2019 2:42 PM, 'awokd' via qubes-users <qubes...@googlegroups.com> wrote:

> 'mekken1et' via qubes-users:
>

> > Problem

> >

> > ========
> >

> > Firefox can leak various IDs from a profile to websites, so different sessions can be correlated across different qubes, including DispVMs.
>

> Thank you; nice list.
>

Forgot to mention, /usr/lib/firefox-esr/distribution/policies.json may or may not be a Debian specific location.

[pr...@tutanota.de]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

t 19, 2019, 00:05 by qubes...@googlegroups.com:

    Problem
    ===========================

    Firefox can leak various IDs from a profile to websites, so different sessions can be correlated across different qubes, including DispVMs.
    See e.g. [this bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1372288) and possibly many other bugs.


    (Partial) solution
    ===========================

    On every DispVM startup, we start without a Firefox profile, so a fresh one with random ID is created. However, the default settings are not very privacy friendly (and annoying), so we need to change some and we also need to auto install some extensions. (e.g. ad blocker)
    We do this by deploying a Firefox `policies.json` file into `/usr/lib/firefox-esr/distribution/policies.json` _before_ FF starts, so it pulls these settings onto itself at startup. We use the Qubes `/rw/config/rc.local` script to deploy the FF policy, as it runs immediately after VM startup.


    Limitations
    ===========================

    There are still plenty opportunities to fingerprint the firefox+OS+HW combo, e.g. the classic [EFF panopticlick](https://panopticlick.eff.org/) (see fingerprint section after test) or the more advanced leak tests at [browserleaks](https://browserleaks.com).
    For a whole list of leak test sites check this GitHub page of [ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-A---Test-Sites)

    No bookmarks (perhaps also deployable by script), no history.


    Qubes setup
    ===========================

    Docs for the setup:

    - [mozilla/policy-templates](https://github.com/mozilla/policy-templates/blob/master/README.md)
    - [Qubes: running script on VM startup](https://www.qubes-os.org/doc/config-files/)

    In a TemplateVM of DispVMs (DVM Template) put your settings in `/rw/config/firefox_policies.json`, e.g.:

    ...

    and set up `/rw/config/rc.local` to deploy the policy at VM startup:

    ...

    Further ideas, TODO
    ===========================

    - Install more extensions: NoScript or uMatrix, etc.
    - How to setup extensions, e.g. add a list to uBlock?
    - Perhaps use Debian central `user.js`: `/etc/firefox-esr/firefox-esr.js`
    fill it with
    `https://github.com/ghacksuserjs/ghacks-user.js`
    or
    `https://github.com/pyllyukko/user.js`

I've created a salt for my set up, it also includes the further ideas section
with a few hacks to get everything to work properly. I install the add-ons from
the debian repos and make modifications to the source of umatrix to allow
changing the default rules. This isn't necessary on ublock as there is a way to
deploy custom settings from a file. I've taken the ghacks user.js file as my
starting point and added my customisations into the user-overrides file. I also
delete the .mozilla folder in the home folder at start up. The repo is
available here:

https://gitlab.com/prago/my-salt
-----BEGIN PGP SIGNATURE-----

iIgEARMKADAWIQRFNnsoPo7HH0XEMXc88cBGMbAIWAUCXctfWBIccHJhZ29AdHV0
YW5vdGEuZGUACgkQPPHARjGwCFg0dgD/RTthgBj2ToJEy1Cgi9mvYc7vyc6UmaEk
trvfWgzMD9IA/1XZ2Gj1aO6UJmm82UbBorQ5yK83zG/mtM4GH+ln+yCz
=tuEw
-----END PGP SIGNATURE-----