I’ve been absent from this blog for a while. Other projects are occupying my time. I hope to return to regular blogging soon… but it may be a bit longer yet.
However, one of my projects involved getting a new laptop. Since getting a new laptop is a good excuse to redo things and do them better, I decided to take a closer look at my Firefox profile setup.
I play a lot of roles, ranging from security researcher to consultant. There are different Firefox configurations that I need for each, but it’s a pain to constantly log in to different user accounts. To make this process simpler, I decided to create four different Firefox profiles, each tuned to a specific set of tasks. What follows is a description of what I did under Linux. The same process should apply to other operating systems… but I’ve not testing them there. With one exception (noted) all add ons are from addons.mozilla.org.
Warning, geekery below this line.
I started with my basic add ons:
- Adblock Plus to prevent those annoying ads (and ad-based malware infections)
- Neo Diggler to give me a quick way to clear the location bar and give me the ability to add custom stuff
- No Script to prevent scripts from running. I did a quick whitelisting of the sites I use a lot (Google, Amazon, Alliance, LinkedIn, etc)
- Web of Trust to give me a hint before I click on a link.
- Tiny Menu to maximize screen real estate. (I love me the tiny laptops)
- TorButton for quickly accessing The Onion Router (requires installing additional software to utilize)
Sadly, LongURL is not supported on the new Firefox yet.
I restarted Firefox to activate everything and configured the plugins the way I like. I also customized the Nav bar and moved everything up to the Menu bar that TinyMenu made nice and small. Then I used the View menu to turn off Navigation and Bookmarks.
Then I went into Preferences->Privacy and set Firefox to “Never remember history” and suggest “Nothing”. I also cleared my history that was created thus far. In Preferences->Security, I told it to never remember passwords, block reported attack sites, web forgeries and add ons. (By not remembering passwords, I render myself less vulnerable to risk from theft of my profile directories, but more vulnerable to keyloggers… it’s a good tradeoff to me.)
I then shutdown Firefox and went into ~/.mozilla/firefox. I did a cp -a of my profile directory to other names (this bit would be different on Windows):
cp -a blahblah.default research
cp -a blahblah.default paranoid
cp -a blahblah.default webdev
Then I edited profiles.ini and copied the four top lines of [Profile0] to new blocks of Profiles 1 through 3. I edited the Name and Path to reflect each of my new profile directories (research, paranoid, webdev). I edited the Firefox launcher and appended “-ProfileManager –no-remote” to the “run command”. This way, when I click on the little icon, Firefox will prompt me for the profile I want each time I launch it, and it lets me run multiple profiles at once.
I then launched it and selected my “research” profile.
Here, I went back into Preferences->Privacy and told it to go ahead and remember history and make suggestions (as when I’m researching things, I often forget where I found things and what I searched on.) Then I installed the following add ons:
- Add N Edit Cookies for cookie manipulations
- HackBar for SQL injection fun
- PassiveRecon for exactly what it sounds like
- RefControl for mangling HTTP headers
- DeeperWeb for those occasional rambling searches.
Then I added the following search engines to the dropbox:
- Offensive Security Exploit Database
- Security Focus Vulns Search
- Security Wire Search
I’ll probably add more as I play with it. I’m still not used to using this feature to search the deep web. (Wonder if one could be written to access our corporate wiki?)
Then it was time to restart Firefox and activate, set preferences, yada yada yada.
After that, I restarted to access the “paranoid” profile. I went into Preferences->Security and turned on ALL warning messages. It’s annoying to use now, but that’s partly the point.
I set StartPage to my initial home page, using the “Generate Custom URL” feature on the site. Since I’m not storing any cookies at all, this is how it has to be done. I removed all search engines and added IxQuick HTTPS, Startpage HTTPS and Scroogle SSL. On the AddOn side, I added:
- Force-TLS to force HTTPS connections (though it really doesn’t do all I’d like it to)
- Certificate Patrol to track certificate details
- Perspectives for a paranoid check against SSL certificate alteration. This one is linked to from the Mozilla add ons site, but not installable from there.
I then disabled the CNNIC SSL certficate (Preferences->Advanced->Encryption->View Certificates->Authorities, scroll to “CNNIC ROOT” click “Edit” and unselect “This certificate can also identify web sites”.) It’s a matter of debate as to whether or not this is necessary… but so long as it’s being debated, my paranoid side will be careful. (The other profiles don’t care. :)
Lastly, I installed the Orange Fox theme, which is ugly and garish, but since I wanted a visual reminder that I was in the paranoid profile, it was exactly what I wanted.
After another restart I entered the webdev side. The fun new add ons here were:
- Firebug for tracing DOM and CSS issues, which I don’t do much anymore, but it’s still nice to have.
- CodeBurner For Firebug to add reference to Firebug
- FlashGot for massive download fun on archive.org
- Live HTTP Headers for watching traffic in real time, when I don’t want to launch a real proxy
- Web Developer for the same reason as Firebug
From here, I am in a position to fire up the profiles as I need them, and am able to work on the web without worrying about my tools being available.