Topic: Deleted (Read 413 times)

MozillaWiki and mozillaZine are usually good places to start for anything Firefox related. Unfortunately some of the pages can be quite out dated, particularly on mozillaZine. Relevant pages from these sites would be https://wiki.mozilla.org/Privacy/Privacy_Task_Force/firefox_about_config_privacy_tweeks and http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries.

There are plenty of other sources out there that will discuss the same things that I have, and Google or Duckduckgo are your friends for this. Here are a couple of other good sites that may be of some help: https://wiki.archlinux.org/index.php/Firefox/Privacy and https://gist.github.com/0XDE57/fbd302cef7693e62c769.

There are plenty of other about:config tweaks you can make to improve your privacy which you can read about on the sites I've linked, but many of them (such as disabling all cookies, which will break any site you need to log in to, or disabling phishing and malware prevention because it sends every URL you visit to Google to be checked) don't appeal to the average user, which is why I didn't mention them in my last post.

Thanks alot for the reply. Just wondering, where to read up about these things? When you said DYOR, which sources do you commonly refer too? Thanks.

It seems you are right. Looking in to a bit more, it seems that this is defaulted to "false", and now needs to be set to "true" for it to take effect. I have no idea why or when Firefox made this change, but it seems rather backwards to me.


Disclaimer: Do your own research. Don't just go tinkering about in your browser based on the word of an anonymous internet user without understanding what you are doing. Some of these changes could affect or even break the functionality of add-ons or websites that you use. In this case, you can always revert your changes, but I cannot be held responsible for any consequences.

Set to "true". This isolates any identifying browser information to the first party domain, so as to prevent tracking across multiple domains.

Set to "true". Built in tracking protection.

Set to "true". Tries to prevent identifying browser information being accessed.

Set to "true". Same as previous.

Set to "true". Self explanatory. Prevent crypto mining websites.

Set all of these to "2". These have the combined effect of cutting down what is included in the "Referer header", which lets websites see which other sites you just visited and were linked/redirected from. Anti-tracking measure.

Set to "1". This will only accept cookies from the first party site, and block any third party cookies.

Set to "false". Prevents websites seeing your battery status/charge.

Set to "false". Prevents websites seeing what you copy from their site to your clipboard.

Set to "false". Prevents geolocation.

Set to "true". WebGL is a JavaScript application, and like all things Java, a security risk.

Set to "false". Prevents websites accessing your microphone or camera.

Set to "false". Allows for voice and video communications through your browser, but will leak your real IP address, even if behind a VPN.

Generally, these tips are good, but there are still some things which need some improvement / are not completely correct.




You don't need a complex password, if it is long enough.




This is true, but only for windows and android / iOS.
I wouldn't call it crucial for MacOS / Linux.




HTTPS alone doesn't secure you too much.
You need to make sure that you are on the correct site (and theoretically that the certificate has been signed by the correct CA if the website owner doesn't use certificate pinning (to be on the very safe side)).

A small typo can lead you to a website which looks like the original one and is using HTTPS. But i'd call that the fault of the user.

But yes.. HTTPS over HTTP. Always.




To be more precise:
The server 'sends the cookie' to the client (Set-Cookie header in the HTTP response).
And the cookie doesn't contain any information about what you have done. It is simply an identifier (which can be used to track you across several site (by the site admins) / replace login information).

The only way a hacker can read the data you are receiving / sending to / from your browser is when you either don't use HTTPS or your browser / computer is compromised.
In the second case, deleting cookies / history doesn't help you. It only helps you if your computer gets compromised afterwards. In this case the attacker won't be able to reconstruct what you did in the past, but will still be able to read your future traffic.




Computers of which you don't control the hardware are always risky.
But using an open Wifi is absolutely fine if you encrypt and route your whole traffic via a trustworthy server (e.g. a small VPN server at your home).

I think this thread in which tackles about phishing scam sites can also help

https://bitcointalksearch.org/topic/crypto-scam-howto-protect-yourself-4264404

And also this one whos about Scam websites though the threads aren’t active these days but still there are some posts than considered helpful

https://bitcointalksearch.org/topic/how-to-know-if-the-website-is-a-scam-there-you-find-it-4456502

To OP thanks for this interesting and helpful topic Bookmarked now so i can share also in future

Hacking Linux with virus or something similar might a bit harder as some of the programs might need some library that is not available on the victim computer. On top of that, the majority of users don't love Linux as it requires some 'more advanced tech' knowledge compared to Windows where you can use simple click to do this and that.

---

Brave is also a good alternative for web browser.

Thanks for the reply o_e_l_e_o. Never used Firefox for regular browsing just downloaded it for the purpose of testing the link. Tried what you said, it was set to "false" as a default option. After turning it to "true" then it shows up as "https://www.xn--80ak6aa92e.com/". Good stuff.

Would you happen to know of other manual tweeks that are required to make Firefox safer? Such as the one you mentioned. Would like to read more about it. Thanks.

How strange. On my same version of Firefox, it shows up as "https://www.xn--80ak6aa92e.com/".

Wikipedia states that his has been a feature of Firefox since version 22. You can see the relevant bug report here, which confirms it was solved in Mozilla 22, which was around 6-7 years ago.

Is it possible you (or perhaps a browser add-on) modified your Firefox to turn this feature off, for some reason? You can check by opening a new tab, typing "about:config" (without quotes) in the URL bar, and then searching for "network.IDN_show_punycode". This should be set to "true".

Downloaded the latest Firefox version on their website to produce the screenshots in the post above. Are you sure about that?

Here is a screenshot of the version that was used.




Yes, Chrome isn't best for privacy/security but with users can download relevant add-ons eg. duckduckgo, privacy badger.

Exactly. Using HTTPS isn't a defense against phishing because it's not meant to be.


Firefox does indeed guard against this kind of attack, and has done for many versions now. You must be using a very outdated version. Recommend that anybody use Chrome is poor advice - it is a terrible browser for all things privacy and security related.

"Tips for a Secured Net Surfing and Hacking Prevention (Guide)"

• Use Tails OS.

It happens to implement all those suggestions already:


The same thing you could say to someone who never bothers to lock the front door of his home, or in the case of windows, not bothering with doors in the first place... Of course the thief is at fault, but he will go to the "easy" prey first, if only for speed. That should give you a hint.

I think that you have mentioned a lot of things about on the protection of their data and passwords but you only have provided them with only one solution with regards to their browsing habits. Looking for https certified websites as of the present isn't an enough thing to guarantee that you are on a safe website now since website owners can esily obtain it now. Before entering even anything and that includes your credit card numbers you must observe safety features such as “safe” certificate badges from known anti-virus softwares such as McAfee and Norton to see if the website is clean from any kind of trackers and can be trusted with your information.

Using Linux doesnot mean that you will never get attacked one day. No system is safe from hackers.
It's just probably because Windows is a high priority for the hackers since it has so many users in it compared to other operating systems.
So it's better you have an AV in there.

Also, get a browser that guards against IDN Homograph attacks. Certainly not a new thing but am sure it still pops up around the internet.

What is it?

To illustrate, click this link (totally safe): https://www.xn--80ak6aa92e.com/

For browsers that have not been patched eg. Firefox, this would show. Take note of what appears in the address bar:


For browsers that have been patched eg. Chrome this would show. Once again, take note of what appears in the address bar. Also note the presence of the lock and the HTTPS once again reminding us that their presence do not indicate a safe website.


How does this happen?

This can happen where a scammer uses "unicode characters that look the same as the appropriate ASCII characters for the site impersonated".

What to do?

Get a browser that guards against it like Chrome. Honestly think it is very easy to fall for this. For example, if a scammer masks the scam link behind a URL shortener like bitly, upon clicking it users would be directed almost immediately to the scam website which shows Apple.com without even having the opportunity to see that ugly looking link with dashes and numbers that could have alerted them that something was wrong.

Source 1: https://www.xudongz.com/blog/2017/idn-phishing/
Source 2: https://9to5mac.com/2017/04/20/how-to-spot-a-phishing-attempt-fake-apple-site/

never use anti-virus on my linux. i dont know it safe or not.
i have old pc 1 ram only when use that get lag for surfing

Of course HTTPS Everywhere won't help one if they visit a phishing website and lately most phishing websites run using secure certificates but in instances when one visits a website that is not secure. HTTPS everywhere will try to avoid a scenario where a user's unencrypted data gets leaked in case there is a security attack on the website at a given time due to the weak security protocol on the website.

It's never a guard against phishing.

^This. https helps a lot for privacy and security, but take note that it literally doesn't cost anything to have a website with https. You can easily get a free SSL certificate on sites like letsencrypt and cloudflare. Not because a website has https it doesn't mean that the website owner can't have malicious intents.

But don't rely on the HTTPS and the green lock too much. If I remember correctly the well known bitcointalk phishing site .to (I will not post the link here) is also a HTTPS but if you enter your login details there you are likely to get your account stolen.

HTTPS Everywhere should be a must-have for everyone. Download links can be found on the Electronic Frontier Foundation website here: https://www.eff.org/https-everywhere. If you are interested in security and privacy in general, then check out some of the other tools and add-ons on their website, particularly Privacy Badger.

There are many other great browser add-ons which will achieve some of the other things on OP's list. There are various cookie auto-deleters which you can customize to let you stay logged in to your favorite websites, whilst simultaneously nuking any tracking or privacy invading cookies. Ad blocking and javascript blocking is a must.

A reputable addon like HTTPS Everywhere can be quite resourceful in this case

Also, another important point you missed out is to avoid downloading and installing random software and addons without doing some background checks.
If the addon/software is brand new, hosted on a third party website, has fake reviews, has very few reviews and downloads etc do not download and install.

"Prevention is better than cure"