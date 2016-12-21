Hacker News
Feeling safer online with Firefox (astithas.com)
125 points by nachtigall 3 hours ago





I am sure there are people who would love a browser that can control their car or pacemaker and report their bank balance on the welcome page.

But I personally would feel far more secure if there was a firefox-lite where no sensitive stuff (access camera, share screen) was included to start with. And I don't mean turned off by default, I want it removed at compile time.

As mido22 said, the alternative right now is a closed plugin (Flash) or installing software on your computer completely outside of the sandbox. Putting these features in the browser in a controllable way is a step forward. If you don't need them, Firefox is open source and I'm not just saying that to be glib. You can easily grab the source https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g... and compile it with --disable-webrtc https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...

But I am not familiar enough with the firefox code to do this. I might unknowingly create a whole new set of security issues by changing a few lines in a project of this complexity.

The suggestion is that you compile it with a flag to disable the feature. No need to change any lines of code.

For FF, you first start by looking at their long guide for version control/build instructions http://mozilla-version-control-tools.readthedocs.io/en/lates...

Then you make a custom mozconfig file to disable or enable features, or to add your own extensions (ie: windows): https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...

  ac_add_options --disable-activex
  ac_add_options --disable-activex-scripting
  ac_add_options --disable-installer
  ac_add_options --disable-crashreporter

You can further abstract this with a mozconfig wrapper https://github.com/ahal/mozconfigwrapper

But I agree, I can't find any documentation on what exactly every feature is and why you would or would not want to disable/enable them. The Chromium build process is much more straightforward, or you could just use a 3rd party sandbox and regular release FF.

Your first link is misleading because it's targeted toward onboarding new Firefox contributors and includes a Mercurial tutorial and development workflow guide in addition to build instructions. Simple build instructions are here:

https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...

On Linux I clone the source and run "./mach build".

So get Firefox back to where it was, just a browser that supported extensions. Everything beyond core browsing should be an extension or plugin.

I have no use for WebRTC, so I would not install the addon/plugin. You may want it, so you would. When there was a problem with Mozilla's implementation, I wouldn't have to care, and neither would anyone else who didn't use or want it. Only those that chose to have the functionality would need to be concerned, and even then it could be updated without a full browser update.

If you want that you can use the Pale Moon browser. It's a very fast, non-bloated, fork of Firefox that has significantly diverged from FF. See https://www.palemoon.org/technical.shtml for details and in particular why they don't support WebRTC.

The catch using something like this - while great from many perspectives - is that you risk vulnerabilities just due to it not being as popular and as commonly attacked.

So if your threat model includes targeted attacks, where an attacker might invest some (even a small) level of effort to find a 0-day vulnerability, I don't think I'd use it.

I disagree, I trust WebRTC enough for camera and screen access; the one real issue might be that it exposes your local IP.

It seems uBlock Origin has a setting (right on the main settings page) that can prevent the local IP from being leaked: https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...

You can test it here: https://browserleaks.com/webrtc

I tried that test page with the mentioned setting 1) enabled and 2) disabled. I did not see my local IP on 1), I did see it reported with 2) - so it seems the block works. NOTE: Whether uBlock Origin was enabled for the specific page did not matter, the WebRTC block setting seems to be global and independent of whether the extension blocks anything else on the site.

This is a good point. Is there just a global variable? allowCameraAccess = false;

Yup, there are instructions on this test page: https://browserleaks.com/webrtc#webrtc-disable
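
Added example, not part of the thread: the local-IP exposure discussed above comes from the addresses carried in WebRTC ICE candidates, so this JavaScript sketch classifies candidate lines by what they reveal. The function names and the sample candidates are constructed for illustration.

```javascript
// Added example: classify ICE candidate lines by the address they reveal.
// Grammar (RFC 8839): candidate:<foundation> <component> <transport>
//   <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/
    .exec(line.trim());
  if (!m) return null;
  return { address: m[5].toLowerCase(), port: Number(m[6]), type: m[7] };
}

// RFC 1918 / link-local IPv4, plus IPv6 unique-local and link-local prefixes.
function isPrivateAddress(addr) {
  if (/^f[cd][0-9a-f]{2}:/.test(addr) || /^fe[89ab][0-9a-f]:/.test(addr)) return true;
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

function classify(line) {
  const c = parseCandidate(line);
  if (!c) return 'unparsed';
  if (c.address.endsWith('.local')) return 'mdns-obfuscated'; // newer browsers
  if (c.type === 'host' && isPrivateAddress(c.address)) return 'local-ip-exposed';
  if (c.type === 'srflx') return 'public-ip-via-stun';
  return 'other';
}

function summarize(lines) {
  const counts = {};
  for (const l of lines) {
    const k = classify(l);
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

// Constructed sample candidates (private and documentation ranges only).
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 3f2a9c1e-aaaa-4bbb-8ccc-123456789abc.local 54322 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 tcp 1518280447 10.0.0.5 9 typ host tcptype active',
  'not a candidate line',
];

console.log(summarize(SAMPLE));
```

A server-reflexive candidate can still carry the private address in its `raddr` field, as the third sample line does, so a stricter check would inspect that field too.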

Let's patch dillo and make it an HTTP static document reader, and embed lua for everything else.

The incorrect system time detection is a small feature, but actually pretty neat. I've run into that before, when testing time-sensitive features in my software and forgetting to change it back, then wondering why on Earth nothing secure works anymore.

The status "Use the Camera - Allow - X" can be confusing. Is the site currently allowed to use the camera, or not? The word Allow could either mean "currently allowed" or "click to allow." The X could mean either "currently blocked" or "click to block."

Did Firefox unbloat yet?

I run Firefox on Linux for personal on-line banking. It's the only browser that I am able to run with Tomoyo Linux in enforcing mode (level 3). I'm sure, if given enough time, I could build a Tomoyo policy for Chrome, but it's far more verbose than Firefox and the last few times I tried, I gave up.

Am I the only one who finds the "new" (well, it has been there for about a year, I believe) "Site Identity and Permissions Panel" to be literally useless for the "site identity" part?

It has no information on the CA, whether it's the first time you saw this exact certificate or not, whether "weak" or "strong" ciphers are used (and if PFS is enabled), etc - things one would really want to see if they care about their connection encryption and authentication. It's all still available, but hidden behind a long sequence of button clicks. Heck, it would be useful to have client certificate and HTTP auth status there as well - it would actually make those nice things closer to being usable.

I really fail to understand why it can't be displayed in a sanely concise manner - and why things that were there before were removed. Surely there's plenty of screen space and it's not like it would scare Joe Sixpack off to Chrome, or confuse anyone. Or do analytics show otherwise?

I'm also not a fan of all the UI reduction and "simplification" just for the sake of a refresh. Needless to say, the only reason I'm still able to use Firefox is Classic Theme Restorer. Once that is unable to run, I'll be off to Opera or Ungoogled Chromium or maybe Servo (hopefully we get a few years for "power" users before that gets gutted too).

As long as more and more features get added, the more the attack surface increases on Firefox and all other browsers.

Feeling safe, and being safe are two different things.

Same goes for self-signed (or expired) certificates and 'not secure' connections, they are not by definition 'not secure'.

Not sure if you can call these features; these are basically options to see what permissions you have given and what are being used by whom, and as for the features question, any day I would prefer camera access through WebRTC to installing and using the Flash plug-in.

Could not agree more (see my other comment). Firefox should slim down to reduce the attack surface.

It's a step in the right direction, but I would certainly feel safer if, in addition to cookies/storage/geolocation permissions, Firefox allowed whitelisting JavaScript on certain domains out of the box, with no need to resort to NoScript. Using NoScript results in two different whitelist mechanisms with completely different UI, which breaks the browsing experience.

Ironically, as far as "privacy-oriented browsers" go, Chrome has domain whitelisting of Cookies/JS/Plugins easily accessible from address bar and it works as expected.

Nice post, it's hard to realize progress made in secondary UI elements such as security panels.

Firefox is not even looked at in the Pwn2Own competition because it's too easy to hack and not using good OS or sandbox protection https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-w...

After an absolutely massive engineering effort to make the browser multi-process, Firefox is starting to roll out OS-level sandboxing with Firefox 50.

https://blog.mozilla.org/futurereleases/2016/12/21/update-on...

The statement quoted in Slashdot is really unfair.

How do you know with such certainty that it is because it is too easy to hack and not because Chrome is the current "big fish" among browsers and Google gives monetary rewards to white hats, both of which could reasonably fuel disproportionate interest in breaking Chrome?

For what it is worth, Firefox also has a security bounty program, one that is older than Chrome itself. :) Of course, the payouts are smaller than those from Pwn2Own, but on the other hand, reporters don't have to demonstrate a full exploit that can actually execute arbitrary code.

Reasons aside, the fact remains that when a group of white-hat hackers says they "won't bother" with a given target, it doesn't speak well to that target's security. There are no doubt tons of exploits in Firefox still waiting to be found, as there are in Chrome, Opera, Edge, etc. Given that the Tor Browser is built on top of Firefox, it's a huge loss for everyone that Firefox is not being included in the attacks; the vulnerabilities that the white-hats find would be reported and promptly plugged, rather than left open for nefarious three-letter agencies to exploit.

> Reasons aside

No. Reasons not aside. Reasons are very important.

If we don't know what the reason was, and they won't elaborate on it, what importance does it have? Pwn2Own 2016 already happened. Firefox wasn't included, for whatever reason. The damage is already done at this point, as its exclusion created the impression that it was "not worth attacking".

If the guys had said, "We didn't bother with Firefox because they weren't willing to pay us as much as Google or Microsoft", okay. But they didn't. What they said was:

'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said.

And now Firefox looks weak by comparison.

But the Safari browser is? And Tor Browser uses Firefox?

The only thing that would make me feel safer would be the sandbox.

Mbox exists for this, or FireJail, Sandboxie (Windows) or OSX sandbox-exec https://pdos.csail.mit.edu/archive/mbox/

https://wiki.mozilla.org/Security/Sandbox

Sandboxie is nonfree and after a trial period only allows sandboxing one app at once. Firejail just had a local privilege escalation exploit, but I'm still using it (although more cautiously than before). Mbox appears unmaintained, and sandbox-exec isn't even for a platform I use.

I'm quite glad that Firefox implements sandboxing of its own.

Look at the sandbox used for SubgraphOS (Debian/Jessie only) https://github.com/subgraph/oz

