Harden Firefox with the Arkenfox user.js Template

[kedaha]

Just a few notes to simplify enabling the arkenfox user.js template directly by means of a few commands. It should be read, for a start, in combination with the author's firefox-privacy-guide-for-dummies But to know more, please see the author's README.md and, before starting, read To Arkenfox or Not in the arkenfox/user.js/wiki.
Note: I've tested this with the current firefox-esr 91.7.0esr from Debian's main repos but webext-privacy-badger and webext-ublock-origin-firefox and browserpass, although all installed from main, became unavailable in the Menu Bar, but remained available in the usual default-esr profile. I guess that the template is updated for, and better suited for use with the latest version of firefox; for details, please see wiki.debian.org/Firefox]
[Edit 21.03.22] Tested again with firefox-esr 91.7 and it works fine with the above extensions from Debian main repository. See #p752202 below for details.] Use user.js/releases/tag/91.1
If you wish to revert to the firefox defaults, just back up and/or delete the new profile.
Use ALT and F2 keys to Run Application
Type or paste: firefox -p
Use Create Profile Wizard to make a new profile called, for example privacy
Click finish
Now you need to launch firefox with the new privacy profile so its directories and files get created.
To have a choice of profiles, uncheck:
Use the selected profile without
asking at startup
Now close firefox.
Install wget if you don't already have it.
Note: Copy and paste the following commands, which must be executed as your user, not root, in your home directory (For details how to use user.js-notify.sh, see the linked page).

Code: Select all

$ cd .mozilla/firefox/*.privacy
$ wget https://raw.githubusercontent.com/arkenfox/user.js/master/prefsCleaner.sh
$ wget https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh
$ wget https://codeberg.org/12bytes.org/firefox-user.js-supplement/raw/branch/master/user-overrides.js
$ wget https://codeberg.org/12bytes.org/firefox-user.js-supplement/raw/commit/0cab6433addbf0fa5456873d5dfe5582d7e77ff6/misc/user.js-notify.sh  
$ chmod +x prefsCleaner.sh
$ chmod +x updater.sh

Now run the script. Do not change directory. You will still be in a directory which looks like this, with a different filename before the word privacy:

Code: Select all

user@debian:~/.mozilla/firefox/abcd1234.privacy$

So paste the command after the $ thus:

Code: Select all

$ ./updater.sh

Now you can launch firefox with this profile but you'll need to go to settings to customize things like your default home page, bookmarks toolbar and search engine etc.
Any time you wish to update, just re-run the script as before (the wildcard asterisk avoids having to type the first part of the filename before the dot):

Code: Select all

user@debian:~$ cd .mozilla/firefox/*.privacy
user@debian:~/.mozilla/firefox/abcd1234.privacy$ ./updater.sh

Thanks for reading.

[Bulkley]

Why so complicated? This is not a criticism of you or the guy behind Arkenfox. I've apparently done it all wrong. After reading the Choose your browser carefully Firefox page I got the arkenfox user.js from Github and stuffed it into ~/.mozilla/firefox/e2ior27r.default-esr and restarted Firefox-esr. I assumed that the user.js overrode my settings and it seems to have done just that since a bunch of settings have changed. Since the user.js is overriding my settings every time I open Firefox it must be doing exactly what it is supposed to. So why do I need to erase my settings and why do I need a separate profile? Am I missing the point of this exercise.

[sunrat]

I agree with Bulkley. This guide looks overcomplicated and put me off ever trying Arkenfox. Shame because it appears to be useful and effective. If all that is needed is to copy it to profile directory it is much more user-friendly and simple.
I have done quite a few tweaks in about:config to harden FF anyway so my interest was purely academic.

[kedaha]

Many thanks for your responses.
I think the Arkenfox template with its frequent updating may be better-suited for use with upstream firefox rather than with Debian's firefox-esr, where it seems Bulkley's suggestion will suffice. See the github.com/arkenfox/user.js/releases/tag/91.1 version for ESR.
So far haven't got the profile working with Debian's ublock-origin, privacy badger and browserpass, but this may not be difficult to fix.
Another option to create a Firefox profile: Firefox Profilemaker.

[Bulkley]

So far haven't got the profile working with Debian's ublock-origin, privacy badger and browserpass, but this may not be difficult to fix.[/url].

Arkenfox recommends ublock-origin and Cookie AutoDelete. I have had problems with Privacy Badger. It works well when newly installed but it collects data. After several months it has amassed so much data that it slows the browser. (Simply turning off Privacy Badger resuscitates the browser.) My desktop is an old one; a newer one might not suffer.

Both Ublock Origin and Cookie Autodelete are working with my Arkenfoxed Firefox-esr.

[Bulkley]

Arkenfox has a troubleshooter.js which is found in ~/user.js-master/scratchpad-scripts which came with the zip package. Maybe it will help with your profile problem.

[kedaha]

Hi Bulkley,
Cookie AutoDelete isn't in main but did you get privacy badger and ublock-origin from addons.mozilla.org or did you install webext-privacy-badger & webext-ublock-origin-firefox via apt from the Debian repository?

[Bulkley]

Originally I got privacy badger and ublock-origin from Mozilla. A while back I discovered that they were available as webext- and switched over. The original configs may be still in place.. Also, on this machine I'm still running Buster which may be an influence.

[canci]

Originally I got privacy badger and ublock-origin from Mozilla. A while back I discovered that they were available as webext- and switched over. The original configs may be still in place.. Also, on this machine I'm still running Buster which may be an influence.

Buster has the latest ESR version too by now, so the experience shouldn't be different from Bullseye.

[Bulkley]

This is interesting. Bullseye VM. I installed the Arkenfox user.js in Firefox-esr. Then I installed webext-ublock-origin-firefox via apt from the Debian repository and restarted FF. Ublock-origin did not show in either the tools panel or on the address bar. I had to install Ublock-origin from Mozilla for it to show up.

[kedaha]

A few more notes:
Arkenfox is highly-regarded by the librewolf team: librewolf.net/license-disclaimers/:

This also isn't Arkenfox. Arkenfox is a template user.js, fully documented, and the gold-standard on relevant Firefox preferences. We rely heavily on Arkenfox’s expertise, research, and knowledge, but we choose our own default preferences configuration. We endeavor to keep up to date with Arkenfox.

Under wiki.debian.org/Firefox#Profile,

Other projects aim at improving security and privacy in Firefox:

See github.com/pyllyukko/user.js.

I've also tested both pyllyukko's "fully-hardened" user.js and "relaxed" user.js templates with firefox-esr 91.7 and had no problem in Bullseye with the following installed from stable:
webext-privacy-badger
webext-ublock-origin-firefox
webext-keepassxc-browser

[Bulkley]

Just for kicks I started a fresh Firefox-esr; started it and immediately closed it. Then I added the Arkenfox user.js and started it again. Boom! The security features are in place without my having to set anything else. My previously saved bookmarks are easily added and Ublock-Origin and Cookie Auto Delete from Mozilla and I'm up and running.

Edited to add: the Arkenfox user.js blocks IPv6. Is IPv6 a security problem?

[kedaha]

Edited to add: the Arkenfox user.js blocks IPv6. Is IPv6 a security problem?

According to the user.js comments, apparently it can be:

Code: Select all

/* 0701: disable IPv6
 * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming
 * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4
 * [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6
 * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an
 * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
 * then this won't make much difference. If you are masking your IP, then it can only help.
 * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
 * [TEST] https://ipleak.org/
 * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/

[Bulkley]

Thanks. I had read stuff about it but thought it was an old problem, that by now it should be fixed. There has been enough time. One wonders if the security issues with IPv6 are intentional.

[kedaha]

This is interesting. Bullseye VM. I installed the Arkenfox user.js in Firefox-esr. Then I installed webext-ublock-origin-firefox via apt from the Debian repository and restarted FF. Ublock-origin did not show in either the tools panel or on the address bar. I had to install Ublock-origin from Mozilla for it to show up.

To use webext-ublock-origin-firefox and other things like webext-keepassxc-browser & webext-privacy-badger from Debian with this Arkenfox template, I've found that it is necessary to edit user.js, after about line 800, to comment out the following two lines under EXTENSIONS. It may be necessary to recreate the profile though first.
user_pref("extensions.enabledScopes", 5); // user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
So the section looks like this:

Code: Select all

/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
 * [SETUP-CHROME] This will break extensions, language packs, themes and any other
 * XPI files which are installed outside of profile and application directories
 * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
 * [1] https://archive.is/DYjAM (archived) ***/
   //user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
   //user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
/* 2661: disable bypassing 3rd party extension install prompts [FF82+]

And the missing extensions will show up in the tool bar.
Probably it would be even better to have the lines commented out in user-overrides.js so they don't get overwritten if you intend to update user.js.

[kedaha]

Even better than commenting out the two lines, it's better to uncomment them by removing the // change their value to 8 whereupon the webext extensions installed via apt can be enabled or disabled by the user in firefox settings under about:addons:
So the section in user.js should look like this.

Code: Select all

/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
 * [SETUP-CHROME] This will break extensions, language packs, themes and any other
 * XPI files which are installed outside of profile and application directories
 * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
 * [1] https://archive.is/DYjAM (archived) ***/
user_pref("extensions.enabledScopes", 8); // [HIDDEN PREF]
user_pref("extensions.autoDisableScopes", 8); // [DEFAULT: 15]
/* 2661: disable bypassing 3rd party extension install prompts [FF82+]

"Understanding add-on scopes" referenced in the above code snippet is worth a read and also kb.mozillazine.org/About:config_entries#Extensions

[Bulkley]

kedaha, thanks for your work on this.