Sunday, September 23, 2018

Firefox ESR 52 : End of Support Life and Legacy Extensions

By ending support for Firefox 52.9 ESR this September, Mozilla finally abandoned all XUL overlay, bootstrap and Jetpack extensions. Firefox ESR 52 is the final release that is compatible with legacy add-ons. At the same time, Mozilla will start to disable legacy add-ons on addons.mozilla.org. All classic (legacy) add-on versions will be disabled in October 2018 and will no longer be available. Once this happens, users will no longer be able to download these extensions, because Mozilla is disabling the add-ons' legacy versions.


https://blog.mozilla.org/addons/2018/08/21/timeline-for-disabling-legacy-firefox-add-ons/

To restore Firefox 52.9 ESR after its automatic update to Firefox 60.x

1. Download
Windows:
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/win64/en-US/Firefox%20Setup%2052.9.0esr.exe
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/win32/en-US/Firefox%20Setup%2052.9.0esr.exe
Linux:
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/linux-x86_64/en-US/firefox-52.9.0esr.tar.bz2
https://ftp.mozilla.org/pub/firefox/releases/52.9.0esr/linux-i686/en-US/firefox-52.9.0esr.tar.bz2
https://www.mozilla.org/en-US/firefox/organizations/

2. Installation and Profiles
Set the update preferences to "Never check for updates" to prevent an automatic update to Firefox 60 and later.

This method works in Linux Mint Cinnamon and with slight variations in many Ubuntu and Debian based systems:

a.)
Extracting tarball
If directory /opt doesn't exist:
sudo mkdir /opt
Open terminal in the Download directory and extract archive to /opt:
sudo tar -xvjf firefox-52.9.0esr.tar.bz2 -C /opt
(Replace firefox-52.9.0esr.tar.bz2 with the file name of your version)

b.)
Linking the new Firefox ESR
sudo ln -s /opt/firefox/firefox /usr/bin/firefox-esr52

c.)
Creating a shortcut
Right-click on the Desktop and choose Create a new launcher here...
(or edit your system menu directly)
In the Launcher Properties window browse from the Command field to /usr/bin/firefox-esr52
In the Name field enter Firefox-ESR52
Click on the generic icon on the left and browse to /opt/firefox/browser/icons/mozicon128.png and select it, then click OK.
Press OK to Would you like to add this launcher to the menu also?

This will create a copy of Firefox ESR alongside your current Firefox browser. You may add the Firefox ESR launcher to the Panel.

d.)
Profile
To use Firefox ESR 52.x and Firefox Quantum alternately, you need to create separate profile directories and edit your profiles.ini accordingly:

/home/user/.mozilla/firefox/profiles.ini

To start both versions simultaneously, use the --no-remote switch:
ESR52
--no-remote -p ESR52
Quantum
--no-remote -p Quantum
(You need to edit Firefox Quantum menu launcher)

Sample of ini file:

[General]
StartWithLastProfile=0

[Profile0]
Name=ESR52
IsRelative=1
Path=ESR52
Default=0

[Profile1]
Name=Quantum
IsRelative=1
Path=Quantum
Default=0
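
Before extracting the tarball from step 1 into /opt (step 2a), its integrity can be checked against a checksum manifest. The script below is an added example, not part of the original post; it assumes a SHA512SUMS manifest in sha512sum format published alongside the release (the manifest's location and format are assumptions), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded Firefox tarball against a SHA512SUMS
# manifest before extracting it.
# Assumption: each manifest line is "<hex digest>  <relative path>"
# (sha512sum format; a "*" may replace the second space).

# verify_release MANIFEST REL_PATH FILE
# Returns 0 only if FILE's SHA-512 equals the digest listed for REL_PATH.
verify_release() {
    local manifest="$1" rel_path="$2" file="$3" expected actual
    [ -r "$manifest" ] && [ -r "$file" ] || { echo "missing input" >&2; return 2; }
    # Compare the whole path column, so names with spaces work and
    # "x.tar.bz2.asc" is not mistaken for "x.tar.bz2".
    expected=$(awk -v p="$rel_path" \
        'substr($0, length($1) + 3) == p { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "no entry for $rel_path" >&2; return 3; }
    actual=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $rel_path"
    else
        echo "MISMATCH $rel_path" >&2
        return 1
    fi
}

# install_if_verified MANIFEST REL_PATH FILE DEST
# Extracts the archive into DEST only when the checksum matches.
install_if_verified() {
    verify_release "$1" "$2" "$3" || return
    mkdir -p "$4" && tar -xjf "$3" -C "$4"
}
```

For the Linux 64-bit download above, REL_PATH would be linux-x86_64/en-US/firefox-52.9.0esr.tar.bz2 and DEST would be /opt (run with sudo).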


3. Save compatible extensions (add-ons) locally so that you can install them later from file.
All legacy add-on versions will be disabled on addons.mozilla.org in October 2018.


Example:

Search for noscript at https://addons.mozilla.org/en-US/firefox/

https://addons.mozilla.org/en-US/firefox/addon/noscript/

Scroll down to Version History
Click See all versions
Go back to the compatible version (look for the green button)
Click to install or save link as the *.xpi file

Some popular or useful extensions:

https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
https://addons.mozilla.org/en-US/firefox/addon/blank-your-monitor-easy-readin/
https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/
https://addons.mozilla.org/en-US/firefox/addon/colt/
https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
https://addons.mozilla.org/en-US/firefox/addon/ghostery/
https://addons.mozilla.org/en-US/firefox/addon/lastpass-password-manager/
https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/
https://addons.mozilla.org/en-US/firefox/addon/quickproxy/
https://addons.mozilla.org/en-US/firefox/addon/refcontrol/
https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/
https://addons.mozilla.org/en-US/firefox/addon/add-to-search-bar/
https://addons.mozilla.org/en-US/firefox/addon/clear-flash-cookies/
https://addons.mozilla.org/en-US/firefox/addon/context-search/
https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/
https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/
https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
https://addons.mozilla.org/en-US/firefox/addon/edit-cookie/
https://addons.mozilla.org/en-US/firefox/addon/find-replace-for-text-editing/
https://addons.mozilla.org/en-US/firefox/addon/its-all-text/
https://addons.mozilla.org/en-US/firefox/addon/pinger/
https://addons.mozilla.org/en-US/firefox/addon/save-text-to-file/
https://addons.mozilla.org/en-US/firefox/addon/session-manager/
https://addons.mozilla.org/en-US/firefox/addon/tab-mix-plus/
https://addons.mozilla.org/en-US/firefox/addon/tab-session-manager/
https://addons.mozilla.org/en-US/firefox/addon/transliterator/
Autofill Forms
Certificate Patrol
ChatZilla
Clear Fields
deduplicate-tabs
Disable Ctrl-Q and Cmd-Q – Add-ons for Firefox
DownThemAll!
Form History Control
https://formhistory.blogspot.com/
FoxyProxy Basic
FoxyProxy Standard
Greasemonkey
HTTP Header Live
Image Zoom
infoRSS
Pale Moon: infoRSS Reloaded
Keybinder
Keybinder (github)
Live HTTP Headers
Lock The Text
New Tab in Tab Context Menu
Private Tab
Session Resurrection
SQLite Manager
Stylus
Tabboo - Session Manager
Tab Mix Plus
Torrent Status Tool


4. Alternative browsers that support legacy add-ons
So, you can use Firefox 52 ESR and/or one of several other browsers that support the XUL add-on interface:


Pale Moon
https://www.palemoon.org/
Basilisk
https://www.basilisk-browser.org/ 
WaterFox
https://www.waterfoxproject.org/
SeaMonkey
https://www.palemoon.org/

Friday, July 27, 2018

Clearing GnuPG 2.1 Cached Passphrases in Ubuntu 18.04, Linux Mint 19, Debian 9 and 10


Clearing cached passphrases using GPG 2.1 and later


The problem is that after a file is encrypted, the passphrase is not discarded immediately. By default, gpg-agent caches it for a certain amount of time (up to two hours, with a ten-minute inactivity timeout). So anyone who has access to the PC during that time can decrypt the file without knowing the passphrase.


gpg --version
gpg (GnuPG) 2.2.8

Example (for symmetric encryption):
Create some file file_in. Encrypt it with GPG from the terminal with the following command:

gpg --output file_enc --symmetric --cipher-algo AES256 file_in
or
gpg -o file_enc -c file_in

Enter the decryption command right afterwards (within 10 minutes):
gpg --output file_in_2 --decrypt file_enc
or
gpg -o file_in_2 -d file_enc

And it will decrypt the file automatically without asking for the passphrase.

To change the defaults, create or edit a file
~/.gnupg/gpg-agent.conf
For one minute inactivity timeout and 10 minutes maximum, enter in it:

default-cache-ttl 60
max-cache-ttl 600

Then reload the configuration (try gpgconf --kill gpg-agent).

default-cache-ttl - Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry’s timer is reset.
max-cache-ttl - Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently. The default is 2 hours (7200 seconds).

One-time solution: right after the encryption, run the command:
gpgconf --kill gpg-agent

Test:
date && sleep 60 && gpg -o file_in_copy -d file_enc && date
Then check whether the passphrase is requested after 60 seconds of inactivity.
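
The settings above can be checked without waiting for the timeout. The script below is an added example, not part of the original post: it reads gpg-agent.conf, falls back to the defaults quoted above (600 and 7200 seconds) when an option is absent, and compares the result with the limits you want. The function names are hypothetical, and taking the last occurrence of a repeated option is an assumption.

```shell
#!/bin/sh
# Added example: report the effective gpg-agent cache lifetimes from a
# gpg-agent.conf file and flag values above a chosen limit.

# effective_ttl CONF OPTION BUILTIN_DEFAULT
# Prints the value set in CONF, or BUILTIN_DEFAULT if the option is absent.
# Lines starting with "#" are comments and never match.
# Assumption: if an option is repeated, the last occurrence is used.
effective_ttl() {
    local conf="$1" option="$2" builtin="$3" value=""
    if [ -r "$conf" ]; then
        value=$(awk -v o="$option" \
            '$1 == o && $2 ~ /^[0-9]+$/ { v = $2 } END { print v }' "$conf")
    fi
    echo "${value:-$builtin}"
}

# audit_agent_cache CONF WANT_DEFAULT WANT_MAX
# Returns 1 if either lifetime is longer than wanted.
audit_agent_cache() {
    local conf="$1" want_default="$2" want_max="$3" d m rc=0
    d=$(effective_ttl "$conf" default-cache-ttl 600)
    m=$(effective_ttl "$conf" max-cache-ttl 7200)
    echo "default-cache-ttl=$d max-cache-ttl=$m"
    if [ "$d" -gt "$want_default" ]; then
        echo "default-cache-ttl is above $want_default seconds" >&2; rc=1
    fi
    if [ "$m" -gt "$want_max" ]; then
        echo "max-cache-ttl is above $want_max seconds" >&2; rc=1
    fi
    return $rc
}

# encrypt_and_flush IN OUT
# The one-time solution as one step: the agent is killed (and its cache
# dropped) even if the encryption itself fails.
encrypt_and_flush() {
    local rc=0
    gpg --output "$2" --symmetric --cipher-algo AES256 "$1" || rc=$?
    gpgconf --kill gpg-agent
    return $rc
}
```

For example, audit_agent_cache ~/.gnupg/gpg-agent.conf 60 600 succeeds only once the file holds the two lines shown above (or stricter values).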

Friday, January 5, 2018

Some Web Browser Security & Privacy Related Measures

Stealing Personal Information via Automatic Form Filling

Countermeasures.
 
1. Disable browser login autofill. For Firefox and Pale Moon:
enter about:config in the address bar
set the variable signon.autofillForms to false.

2. Install ad blockers or tracking protection extensions to prevent tracking by invasive third-party scripts. The domains used to serve the two scripts (behavioralengine.com and audienceinsights.net) are blocked by the EasyPrivacy blocklist.

3. Install the NoScript add-on.


Link:
Web trackers exploit browser login managers
 


dom.event.clipboardevents.enabled

dom.event.clipboardevents.enabled lets websites get notifications if the user copies, pastes, or cuts something from a web page, and it lets them know which part of the page had been selected. The emitting of the oncopy, oncut and onpaste events is controlled by this preference.

Type : boolean
Default value : true

true (default)
The oncopy, oncut and onpaste events are enabled for web content.
false
The oncopy, oncut and onpaste events are disabled for web content.


Third Party Cookies. Firefox and Pale Moon Settings: 

Under the "Privacy" tab, complete the following steps:
Select "Use custom settings for history"
Deselect "Remember search and form history"
Set "Accept third-party cookies" to Never
Set cookie storage to "Keep until I close Firefox"

Additionally, under the "Security" tab:
Verify that "Warn me when sites try to install add-ons", "Block reported attack sites" and "Block reported web forgeries" are all selected.
Deselect "Remember passwords for sites".


Web Push notifications

These allow Firefox to deliver on-screen notifications from websites, even when those sites aren’t loaded. Web push notifications keep a connection to the site in the background so you can get notifications even after the last tab for the site is closed. Regular notifications end when you close the last tab for a site.

There are two different preferences for notifications, a master switch, and one which is specific to background (web push) notifications that can appear after you leave the site which sends them.

Perhaps you would prefer to turn off notifications:
(1) In a new tab, type or paste about:config in the address bar and press Enter.
(2) In the search box above the list, type webno and wait while the list is filtered.
(3) To disable PUSH NOTIFICATIONS, double-click the dom.webnotifications.serviceworker.enabled preference to switch its value from true to false
(sites can still generate desktop notifications while you have a tab open to the site)
(4) To disable ALL NOTIFICATIONS, double-click the dom.webnotifications.enabled preference to switch its value from true to false
(this is a master switch, you won't get any desktop notifications from sites)
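
The about:config changes described in this post (signon.autofillForms, dom.event.clipboardevents.enabled and the two notification preferences) can also be applied from a script. The example below is added here and is not part of the original post: it writes them to a user.js file in the profile directory, which Firefox reads at startup. The function names are hypothetical and the profile path is whatever your profiles.ini points to.

```shell
#!/bin/sh
# Added example: set the preferences discussed above through user.js
# instead of double-clicking them in about:config.

# set_user_pref PROFILE_DIR NAME VALUE
# Drops any existing user_pref line for NAME, then appends the new value,
# so running it twice does not leave duplicate or conflicting entries.
set_user_pref() {
    local userjs="$1/user.js" name="$2" value="$3" tmp
    [ -d "$1" ] || { echo "no such profile: $1" >&2; return 1; }
    touch "$userjs"
    tmp=$(mktemp "$userjs.XXXXXX") || return 1
    # Fixed-string match on the quoted name plus comma, so setting
    # dom.webnotifications.enabled leaves the serviceworker line alone.
    grep -vF "user_pref(\"$name\"," "$userjs" > "$tmp" || true
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$userjs"
}

# harden_profile PROFILE_DIR
harden_profile() {
    # Login autofill off: stored logins are not filled into forms automatically.
    set_user_pref "$1" signon.autofillForms false &&
    # oncopy, oncut and onpaste events are not delivered to web content.
    set_user_pref "$1" dom.event.clipboardevents.enabled false &&
    # Background (web push) notifications off.
    set_user_pref "$1" dom.webnotifications.serviceworker.enabled false &&
    # Master switch: no desktop notifications from sites at all.
    set_user_pref "$1" dom.webnotifications.enabled false
}
```

With the sample profiles.ini from the Firefox ESR post, the call would be harden_profile ~/.mozilla/firefox/ESR52; restart the browser afterwards.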



Google Chrome security: site isolation feature


When you turn on site isolation, Chrome offers more security protections for your browser.
Chrome will load each website in its own process. So, even if a site bypasses the same-origin policy, the extra security will help stop the site from stealing your data from another website. 

  1. On your computer, open Chrome.
  2. In the address bar at the top, enter chrome://flags/#enable-site-per-process and press Enter.
  3. Next to "Strict site isolation," click Enable.
  4. Click Relaunch now.