Is Firefox really an appropriate default browser for Qubes?

You can also check this discussion:

4 Likes

That’s an interesting read! Seems like Librewolf removed the “radio silence” feature after its fork from Librefox (at least in the standard settings).
Again, Mullvad Browser and ungoogled chromium were mentioned.

1 Like

It’s a matter of control: hard coded parts vs. configurable parts.

Qubes OS already allows great control through firewall restrictions per qube. So, if one really really needs to browse the web using clearnet, it doesn’t matter much which HTTP client one runs.

1 Like

Option #1
purge, autoremove, autoclean = Firefox… GONE

Option #2

Add those domains to your firewall…“BLOCK that pass”: Exception … We “rooted” people have our little droid locked down and use an app called Tracker Control. Basically a software firewall with a lot of options. Well we have found out that when you “BLOCK” some things all of a sudden that Browser just will not work. Which leads us to believe some of these things are there intentionally, and if blocked, well then you can’t use that browser. Which puts us back at “Option #1”

1 Like

I wouldn’t recommend LibreWolf. As nice as a panel where you can turn on/off as many settings that impact your fingerprint might look, it’ll just make you stand out and you’ll be very vulnerable to fingerprinting. I would recommend either Tor or the Mullvad Browser, depending on how paranoid you are.

2 Likes

How is your reply related to what you quoted?

1 Like

Sorry about that, new to the forum. Fixed it

1 Like

I installed Brave browser on cloned Fedora/Debian templates, default browser, working great.
Was wondering as well why Firefox is the default in templates.

2 Likes

I use the browser isolation technique described by Rob Braxman on my other computers.
The following study gives a good idea of which browsers to choose

On Qubes OS I use Whonix for privacy, then Brave, Librewolf and Mullvad.
Brave is the browser that gives me the most satisfaction, because it lets me access almost all sites without blocking, and videos are smooth on Qubes, which is not the case with Firefox, for example.

1 Like

If you care about fingerprinting, you should read this topic:

2 Likes

This is why privacy is so tricky.

Is “phoning home” to a set of sites that all Firefox users phone to a problem? Maybe, depending on what data is being sent and what you’re concerned about. Is disabling that behavior favorable? It depends. The absence of the phoning home could be used as an identifying factor if somebody is monitoring your network and correlating activity.

TOR Browser’s settings provide increased privacy so long as everybody uses the same settings because it means the pool of TOR users appear identical. Using the TOR network is highly unusual (even though it should be the default), but there’s no way around that if that’s what you need (notwithstanding configurations that hide TOR use from the ISP).

Is using the same settings as TOR browser outside of the TOR network better? Not necessarily. This again puts you into a small pool of users who have that particular configuration, except now you’re ALSO not on TOR. It seems likely that the pool of users who have all of the default settings and no plugins added is a larger pool. But then, of course, other forms of tracking are easier.

The previously mentioned idea of having different “spins” for different kinds of users seems like a good one. Similar to how Tails defines different personas to consider when making design decisions, but each spin could be tailored for a specific persona. Some personas might want firefox with default settings, others TOR Browser, others Mullvad. But there’s no one “correct” browser to be the default on QubesOS for everyone. And without a correct default or comprehensive solution, the decision to minimize overhead by following upstream is perfectly sensible.

2 Likes

The phoning home is not much of a problem if you use a disposable qube for browsing sites you don’t have to log in to. You’re essentially running a fresh browser install with no history every time (and if you use split browser you still have access to bookmarks even on a fresh browser).

On the other hand the phoning home can be a problem for sites you log in to; there you probably want to shut all that stuff off. Fingerprinting isn’t an issue since, if you’re logging onto the site anyway, you’re telling it who you are. If you don’t want that site harvesting information about other places you go…well use that VM only to visit that site.

1 Like

If the browser in my dispvm has a fingerprint A and I use that to log in to my mail account and then open another dispvm and do some random stuff with that, this new browser would still have fingerprint A and could therefore be connected, afaik.

1 Like

The absence of the phoning home could be used as an identifying factor if somebody is monitoring your network and correlating activity.

If you don’t phone home to host X, you appear offline to that host, i.e. you practically don’t exist to it (just like millions of others). The only way this can be an identifying factor is:

  • a known and fixed set of network clients
  • all clients except you are connected to host X at a given moment (which assumes all clients use the same software, e.g. Firefox)

Even if the above is feasible at all, the information host X will get is “he is not connected” which is far less than “He is online, at this time of the day, having this set of HTTP headers, etc.”

As for someone else (not host X) monitoring your network, the actual question is who and for what purpose. Your ISP, for example, keeps a record of all clients and their connections anyway.

Is using the same settings as TOR browser outside of the TOR network better?

Better for what?

*BTW, it is spelled Tor, not TOR:

1 Like

The phoning home is not much of a problem if you use a disposable qube for browsing sites you don’t have to log in to. You’re essentially running a fresh browser install with no history every time (and if you use split browser you still have access to bookmarks even on a fresh browser).

A disposable qube does not obfuscate the pattern of activities exercised inside the VM. If you connect to the same hosts at similar times of the day, that itself is a fingerprint (+ all the other network-stack info you expose when connecting).

On the other hand the phoning home can be a problem for sites you log in to; there you probably want to shut all that stuff off. Fingerprinting isn’t an issue since, if you’re logging onto the site anyway, you’re telling it who you are. If you don’t want that site harvesting information about other places you go…well use that VM only to visit that site.

There is an essential difference between authentication and fingerprinting. The former is intentional and voluntary, using an explicitly defined and known set of tools and methods.

2 Likes

The Debian version of Ungoogled Chromium was unmaintained for the better part of the past few years. There’s been some recent activity, but it was unusable for quite a while. The GPG signature expired and the repo was inactive for quite a while.

1 Like

Just spotted IceCat in the Fedora repos, which sounds like it might suit some people here. I’d never heard of it, just went looking to see what the GNU folks do for browsing.

1 Like

GNU IceCat does not fit my use case at the moment, but I have considered it in the past. Other members of the Purism community forums do actively use it:

1 Like

Some lightweight browsers like Dillo and NetSurf are radio silent, however they are not full featured and usually don’t follow the latest web standards (and are not compatible with favorite addons like uBlock Origin). Considering the development speed, the security of those may be lagging behind the mainstream behemoths. So, you get one thing, but miss another.

In any case, there is no solution to the privacy problem through the browser alone.

Consider also things like:

https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html

1 Like

While Whonix may not be directly privacy focused, its features still make it probably the best OS for privacy which can be run as a daily driver.

There’s also a significant interplay between privacy and security, with security being required for privacy and privacy significantly increasing security.

As a result of that I think it’s reasonable both from a security and from a privacy focused standpoint to expect the default browser (and other software) from Qubes to come with a privacy focus.

1 Like