Showing posts with label firefox. Show all posts
Showing posts with label firefox. Show all posts

04 January 2014

540. Briefly: prevent Youtube and Google from signing you in -- firefox version

The scenario: I've got a blogger account (i.e. this one) which is linked to my google account, and I'd like to be able to use youtube and google search without being considered as being logged in. If I log out in e.g. the google search page I also get logged out from blogger.  Gmail isn't an issue since I use thunderbird/evolution, but it would cause similar issue to blogger vs search/youtube.

The past year I've become increasingly annoyed by the behaviour of google applications -- they feel more intrusive and I keep on being asked to sign in and stay signed in. Without going into specifics, it's beginning to feel like Google is trying to turn the entire web into their version of Facebook. And I don't lie it.

Anyway, luckily there's a pretty simple way to stay signed out of Google search and youtube, even without using privacy mode -- by restricting the use of cookies.

Here's what you can do in Firefox:

1. Install the Cookies Manager+ add-on in firefox, and restart firefox
2. In firefox, go to Tools, Cookies Manager+
3. Click on Tools/Exceptions
4. Add google.com and youtube.com

Done. Now you can remain signed in to all other google sites, while staying signed out of Youtube and Google Search. Note that it doesn't make you  anonymous, but it just takes care of some of the minor nuisances associated with always being tracked by google.


18 November 2013

530. Briefly: Adding a new entry to Default applications in Gnome 3. Example using Firefox

I'm tired of google chrome/chromium -- for some reason more and more websites are rendering incorrectly in it. Part of the reason is because I refuse to allow just any website to set cookies, but that can't explain all instances (e.g. I'm having major issues with any elsevier journals). I'm also tired of google in general, especially after having spent some time with google plus.
Anyway, I recently showed how to install firefox: http://verahill.blogspot.com.au/2013/11/528-briefly-setting-up-64-bit-pre-built.html

I'll show here to set it as a selectable application in the System Settings/Details

At the beginning the following selections are available:

The key to adding a new 'Default Application' is simply making sure that it appears in the MIME file type associations. And one way to do that is to create a .desktop file and use update-desktop-database to read it:

sudo cp /usr/share/applications/iceweasel.desktop /usr/share/applications/firefox.desktop
sudo sed -i 's/Iceweasel/Firefox/g' /usr/share/applications/firefox.desktop
sudo sed -i 's/Exec=iceweasel/Exec=firefox25/g' /usr/share/applications/firefox.desktop
sudo sed -i 's/Icon=iceweasel/Icon=firefox/g' /usr/share/applications/firefox.desktop
sudo update-desktop-database

Once that's done we get the following:
 You can then set up a shortcut launcher, e.g.
(you could of course just have it execute the command directly, but what's the challenge in that?)

07 November 2013

528. Briefly: Setting up 64 bit pre-built firefox (25) binaries on debian

/usr/local/lib is just a suggestion (and probably not a very good one).

Anyway, here's the quick and easy way to get set up with 64 bit firefox. Start it by calling firefox25

mkdir ~/tmp
cd ~/tmp
wget ftp://ftp.mozilla.org/pub/firefox/releases/25.0/linux-x86_64/en-GB/firefox-25.0.tar.bz2
tar xvf firefox-25.0.tar.bz2 
cd firefox/
sudo mkdir /usr/local/lib/firefox-25.0
sudo cp * -R /usr/local/lib/firefox-25.0
sudo ln -s /usr/local/lib/firefox-25.0/firefox /usr/bin/firefox25

28 February 2013

348. Using the official firefox 19 binary on debian testing/wheezy

UPDATE 20/3/2013: installing a system from scratch I'm having issues with xulrunner-10.0:i386, since it pulls in libstartup-notification0:i386 which causes all sorts of headaches (uninstalls xulrunner-10.0 and everything it depends on)

This post made me realise that installing the pre-built firefox binary isn't as straight-forward as one might like. A small nuisance is that the getfirefox.com versoin is only 32 bit, but that's life.

Here we go.

Download the standard binary version of firefox from here:
http://www.mozilla.org/en-US/firefox/new/?from=getfirefox

You can install it wherever you want, but I'm going for a local installation. Put the firefox-19.0.tar.bz2 in your home folder and untar it:
tar xvf firefox-19.0.tar.bz2
cd ~/firefox/
./firefox

If you get
bash: ./firefox: No such file or directory

then you are missing 32 bit compatibility libraries:
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install ia32-libs
sudo apt-get install xulrunner-10.0:i386

To get flash set up you'll need the 32 bit version. Download the 32 bit version from http://get.adobe.com/flashplayer/?no_redirect

mkdir ~/.mozilla/plugins -p
mv ~/Downloads/install_flash_player_11_linux.i386.tar.gz ~/firefox
cd ~/firefox/
tar xvf install_flash_player_11_linux.i386.tar.gz
cp libflashplayer.so ~/.mozilla/plugins/libflashplayer.so

And that should leave you with a working firefox versions. Note that running 'firefox' as a command will invoke iceweasel if installed. To get around that you can e.g. do

echo "alias ffox='$HOME/firefox/./firefox'" >> ~/.bashrc
source ~/.bashrc

after which you can launch firefox by running ffox form the terminal. A standard installation would be to put everything in /opt and set up a .desktop file -- but there's plenty of guides to how to do that.

20 October 2012

262. chroot/jail your iceweasel (firefox)

Update: in my youth I thought that chroot=security. I now know better.
http://yarchive.net/comp/linux/chroot.html
http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

In other words, don't rely on chroot for security -- it's not meant to be a security tool. I personally use it to browse at work without leaving a too obvious a trail (nothing shady -- part of my job is to apply for permanent jobs, but it is not necessarily in the interest of my current employer to see me succeed. Academia is a weird place.)

Original post:
There are many reasons why you'd want to secure your browser -- ranging from paranoia to justifiable cautiousness (you're probably visiting the wrong kind of sites...).

A chroot environment doesn't make you anonymous -- it just helps sandbox your applications. To protect your anonymity you'll want to prevent your browser from setting cookies, and use a proxy via an ssh tunnel to encrypt your traffic and hide your true IP address. There's no silver bullet for these things.

I've chroot:d things in the past when compiling 32 bit applications on 64 bit machines, but for this guide I'm leaning heavily on this post: https://help.ubuntu.com/community/BasicChroot

sudo apt-get install coreutils debootstrap

Time to get rocking. Be aware that you should have a bit of free space on your target drive.


sudo debootstrap --arch amd64 wheezy /media/chroot/ http://ftp.au.debian.org/debian/

which gets stuff underway:


I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id 9FED2BCBDCD29CDF762678CBAED4B06F473041FA)
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://ftp.au.debian.org/debian...
I: Retrieving libacl1
I: Validating libacl1
I: Retrieving apt
[..]
I: Configuring dpkg-dev...
I: Configuring build-essential...
I: Base system installed successfully.

So far, so good.

Create a shell script, e.g. chroot.sh, with the following in it:
xhost +
sudo mount -o bind /proc /media/chroot/proc
sudo cp /etc/resolv.conf /media/chroot/etc/resolv.conf
sudo chroot /media/chroot

Run it everytime you want to enter you chroot environment:
sh chroot.sh

In the chroot shell, do
apt-get install locales sudo vim
echo 'export LC_ALL="C"'>>/etc/bash.bashrc
echo 'export LANG="C"'>>/etc/bash.bashrc
echo 'DISPLAY=:0.0' >> /etc/bash.bashrc
source /etc/bash.bashrc
adduser sandbox
usermod -g sudo sandbox
echo 'Defaults !tty_tickets' >> /etc/sudoers
apt-get install iceweasel
su sandbox
cd ~

Launch iceweasel/firefox:

sandbox@beryllium:/$ firefox


And you're pretty much done.
Next time you want to launch a sandboxed version of firefox just do:

me@beryllium:~$ sh chroot.sh 
access control disabled, clients can connect from any host
root@beryllium:/# su sandbox
sandbox@beryllium:/$ firefox

18 October 2012

259. Compiling firefox 16.0.1 in debian testing/wheezy

I actually mainly use chromium/chrome for my normal browsing needs, and have set up an ssh tunnel with an American university for iceweasel so I can access sites that filter on IP.

There's nothing particularly wrong with iceweasel, but it's nice to check out the latest and shiniest versions of different projects every now and again, so here's how to compile the latest firefox:

The source is just a hair under 90 Mb and the build takes around 40 minutes on a three-core AMD.

I've got so many -dev packages installed on my system that I don't really know what the dependencies are anymore, but here's a guess:
sudo apt-get install build-essential gfortran gawk libpango1.0-dev libgconf2-dev libgnomevfs2-dev libcogl-pango-dev libpangomm-1.4-dev libgconfmm-2.6-dev libnotify-dev libgnomeui-dev libdbus-1-dev libdbus-glib-1-dev 

Anyway:
cd ~/tmp
wget ftp://ftp.mozilla.org/pub/firefox/releases/16.0.1/source/firefox-16.0.1.source.tar.bz2
tar xvf firefox-16.0.1.source.tar.bz2
mkdir firefox_build
cd firefox_build/
../mozilla-release/./configure --prefix=$HOME/.firefox --disable-necko-wifi
make
make install

I'm getting tired of the clutter in my PATH, so
echo "alias firefox16='$HOME/.firefox/bin/firefox'" >> ~/.bashrc



Note that iceweasel puts a firefox in/usr/bin/, hence the use of firefox16

04 May 2012

134. Introducing a CA certificate in debian

So, for some reason you've been issued a CA certificate. Now what?

I've presumed that you've somehow downloaded both the root certificate (cacert.crt) and your personal certificate (usercert.pem). You'll need both.


Openssl

Convert to .p12
openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out usercert.p12

Verify
You can verify your issued certificate, e.g.
openssl verify  -CAfile ~/Downloads/cacert.crt ~/.globus/usercert.pem


Browsers:

Iceweasel/Firefox 
Go to Edit, Preferences, Advanced, Encryption: View certificates. Click import under Your Certificates and select your usercert.p12 (see above for conversion).  Got to servers, import cacert.crt.

Make sure that your cert authority shows up under the authority tab (otherwise try importing cacert.crt). Highlight the relevant authority, and click on edit trust: select the relevant fields of identification (e.g. website and/or email).


Chrome/Chromium
Click on the spanner icon, go to Settings, Under the bonnet, Manage Certificates and select Import under Your Certificates. Click on server, import the cacert.crt. Approve the certificate authority for the intended uses of the certificate. If you did it already in firefox it may have carried over.


Email:

Evolution
First go to Edit, Preferences, scroll down to Certificates and import your certificate and, under authorities, import the root certificate (cacert.crt).

Under the Authorities tab, select the issuing authority, click on edit and set the trust level (probably all)


Next, go to Edit, Preferences, Mail Accounts, Select an account and click on Edit. Select the Security tab


Repeat this for all accounts you want to use this certificate with.

Test it:


Send it. Receive it.

If all is correct, this is what greets you

If you don't add the certificate authority as being trusted -- and this will be the case for some of your recipients, this is what you see. Signature no good.


Thunderbird
Go to Edit, Account Settings... and under each account click on Security, then on View Certificates -- import your certificate and the issuing authority's certificate here, or you won't be able to Select the certificates under Digital Signing and Encryption.

Also, under View Certificates, highlight the certificate authority and select Edit Trust -- click on Edit CA trust, select website, mail etc., then select I do trust...
I presume that you do trust the authority or this is an exercise in futility.
You need to do this for ALL accounts that you intend to use, or you'll run into trust issues.

You can select/de-select signing when composing using the S/MIME menu.

If all goes well, users which also have the same certificate authority listed as trusted (probably not the case, but whatever) will see a sealed envelope (this message has been signed by pgp as well as S/MIME: