From a2a5feaecb294ccf681f92cf1e17e6353477f82d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Sch=C3=A4ferdiek?= Date: Tue, 3 Dec 2019 13:26:59 +0100 Subject: [PATCH] Unify all app privacy related settings under one repository - initial commit --- README.md | 24 +++++ android/README.md | 27 +++++ android/captiveportal.sh | 8 ++ firefox/README.md | 77 ++++++++++++++ firefox/user.js | 219 +++++++++++++++++++++++++++++++++++++++ thunderbird/README.md | 58 +++++++++++ 6 files changed, 413 insertions(+) create mode 100755 README.md create mode 100755 android/README.md create mode 100755 android/captiveportal.sh create mode 100755 firefox/README.md create mode 100755 firefox/user.js create mode 100755 thunderbird/README.md diff --git a/README.md b/README.md new file mode 100755 index 0000000..a8cc24f --- /dev/null +++ b/README.md 
@@ -0,0 +1,24 @@ +# Privacy + +The following is a brief collection of scripts and settings to easily apply more privacy-friendly settings to your used devices and software. + +Don't give them your data away for free, fight for your digital rights _now_! + +The collection is heavily based on the follow sites. It's recommended to read them if possible. + +* [kuketz-blog.de (german)](https://www.kuketz-blog.de/empfehlungsecke/) +* [privacy-handbuch.de (german)](https://www.privacy-handbuch.de/) + +## Links + +Here are some additional links to think about. Most of them are in German. + +* [Deceived by design](https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf) +* [Facebooks attitude on encryption](https://img.pr0gramm.com/2019/07/30/7823552c9e4e8844.png) +* [Nothing to hide video (german)](https://vimeo.com/195446463) +* [Nichts zu verbergen (german)](https://www.heise.de/ct/ausgabe/2015-17-Editorial-Nichts-zu-verbergen-2755486.html) +* [Scroogled, a Microsoft campaign against Google (german)](http://www.wort-und-satz.de/scroogled.htm) +* [What is the 'chilling effect' (german)](https://de.wikipedia.org/wiki/Chilling_effect) +* [How tracking steals your data while surfing (german)](https://www.heise.de/security/meldung/Tracking-Skripte-klauen-E-Mail-Adressen-aus-Web-Browsern-3931772.html) +* [(menschliche) Assistenzwanzen hören auch euren Bettgesprächen zu (german)](https://netzpolitik.org/2019/googles-assistenzwanze-auch-bettgespraeche-werden-von-menschen-ausgewertet/) +* [Schmeisst die Assistenzwanzen aus dem Fenster (german)](https://netzpolitik.org/2019/schmeisst-die-assistenzwanzen-aus-dem-fenster/) \ No newline at end of file diff --git a/android/README.md b/android/README.md new file mode 100755 index 0000000..782f67d --- /dev/null +++ b/android/README.md 
@@ -0,0 +1,27 @@ +# Android + +Collection based on [kuketz-blog.de](https://www.kuketz-blog.de/empfehlungsecke/). + +## App Store + +Not using the Google PlayStore as source for your apps is a huge step forward. Try to replace your apps with privacy-friendly apps from the [fdroid app store](https://f-droid.org/). + +## Captive portal + +Periodically and on connect/disconnect of any Internet connection, Android queries a server endpoint from Google to test if Internet connectivity is (still) available. Sometimes you might have already seen a small 'x' indicating you have no Internet access. This is the result of this query. Those queries are logged consistently by Google: the time when you accessed it, with which device you accessed it and the IP you had when you accessed it. Just for the connectivity check you're giving away so much information. + +The `adb` cli tools provide a way to set a different captive portal not owned by Google which don't log data. You should change it. See `captiveportal.sh` for an example. + +## DNS + +By default Android will use Google DNS servers not secured with SSL. Starting from Android 8, Android provides means to overcome this by setting a _private DNS_ server in `Settings -> Network & internet -> Private DNS`. For example, set it to `fdns1.dismail.de`. + +## Scanning + +You're giving away information when you keep your WiFi on. Your device will automatically scan for nearby access points. Therefore you'll be uniquely identifiable across locations. + +To overcome follow these instructions: + +1. Disable WiFi and Bluetooth scanning because it's easily possible to create an accurate profile of your movement from it. In the settings, search for `Wi-Fi and Bluetooth scanning`. + +2. When you leave a known WiFi access point switch off your WiFi adapter. There are apps for this: [WiFi Automatic](https://f-droid.org/en/packages/de.j4velin.wifiAutoOff/). \ No newline at end of file 
diff --git a/android/captiveportal.sh b/android/captiveportal.sh new file mode 100755 index 0000000..32a3255 --- /dev/null +++ b/android/captiveportal.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env sh +# +# For more information see https://www.kuketz-blog.de/empfehlungsecke/#captive-portal + +adb shell 'settings put global captive_portal_http_url "http://captiveportal.myservermanager.com"' +adb shell 'settings put global captive_portal_https_url "https://captiveportal.myservermanager.com"' +adb shell 'settings put global captive_portal_fallback_url "http://captiveportal.myservermanager.com"' +adb shell 'settings put global captive_portal_other_fallback_urls "http://captiveportal.myservermanager.com"' diff --git a/firefox/README.md b/firefox/README.md new file mode 100755 index 0000000..1c1d2ad --- /dev/null +++ b/firefox/README.md 
@@ -0,0 +1,77 @@ +# Firefox + +Make using the web more safe by disabling commonly used techniques and mechanism _without_ sacrificing usability. + +Why Firefox? It provides high configurability, is open source and thus better to be reviewed by external security advisories. + +Based on [https://www.privacy-handbuch.de/handbuch_21.htm](https://www.privacy-handbuch.de/handbuch_21.htm). + +## Recommended extensions + +``` +Cookie AutoDelete +HTTPS Everywhere +Neat url +Skip Redirect +uBlock Origin + +(Invidious Redirect to use liberated YouTube if needed) +(a Passwordmanager if needed) +``` + +1. First Party Isolation _might_ lead to malfunctioning of some websites. Disable it per page. +2. Fix white bar on YouTube when using uBlock Origin (_if applicable_). Add the following as a line in My Filters of the extension: + + `youtube.com##.no-scroll #page-manager:style(margin-top: 0px !important)` + +## Recommended search engines + +``` +https://www.startpage.com/do/mypage.pl?prfh=enable_stay_controlEEE0N1NsuggestionsEEE1N1Ngeo_mapEEE1N1Nwikipedia_iaEEE1N1Nother_iaEEE1N1Ndisable_open_in_new_windowEEE1N1Ndisable_video_family_filterEEE1N1Nenable_post_methodEEE1N1Nenable_proxy_safety_suggestEEE0N1Ndisable_family_filterEEE1N1Nconnect_to_serverEEEeuN1NsslEEE1N1Nlanguage_uiEEEenglishN1NlanguageEEEdeutschN1Nwt_unitEEEcelsiusN1Nnum_of_resultsEEE20N1Nlang_homepageEEEs/default/en/&op=un11 +``` + +``` +https://www.qwant.com/?r=DE&sr=de&l=en_gb&h=1&s=0&a=1&b=1&vt=0&hc=0&smartNews=0&smartSocial=0&theme=0&i=1&donation=0&qoz=0&shb=0&shl=0 +``` + +``` +www.kuketz-suche.de +``` + +## Recommended settings + +How to do it? + +* Use the provided `user.js` file and copy it into your Firefox profile folder while application is _not_ running. + + To find your profile folder, click on the menu top right, on `Help -> Troubleshooting Information`. 
You can directly open your **Profile Directory** from there or see it, typically it's something like `$HOME/.mozilla/firefox/...` or in Windows `%APPDATA%\Mozilla\Firefox\Profiles\...` + +* Adjust values by browsing `about:config` in the address bar. `""` means empty, just delete the characters and press ENTER. +* Create your own profile and copy it into the application data folder while application is _not_ running. See [https://ffprofile.com](https://ffprofile.com). + +Some settings _might_ break website behavior although this is not very likely. Be aware of that! + +Use an external password manager like KeepassXC, at least AutoFill is advised to be disabled). See [https://www.privacy-handbuch.de/handbuch_21j2.htm#08_07_18](https://www.privacy-handbuch.de/handbuch_21j2.htm#08_07_18). + +### Common User Preferences +Optional, but commonly used to ease browsing. Not security-related. + +``` +general.smoothScroll = false +general.smoothScroll.pages = false +mousewheel.min_line_scroll_amount = 40 +browser.newtabpage.activity-stream.feeds.topsites = true +``` + +Optional and **potentially dangerous in terms of website behavior**, for _GNU/Linux only_. + +``` +image.mem.max_decoded_image_kb = 512000 +media.getusermedia.aec_enabled = false +media.getusermedia.agc_enabled = false +media.getusermedia.noise_enabled = false +``` + +## Additional hints + +Besides securing Firefox, you should consider not using the DNS servers of your Internet provider and instead install system-wide [DNS alternatives](https://www.kuketz-blog.de/empfehlungsecke/#dns) or a [local DNS server](https://wiki.archlinux.org/index.php/Unbound) which directly queries root DNS servers. There's really no downside of this. \ No newline at end of file diff --git a/firefox/user.js b/firefox/user.js new file mode 100755 index 0000000..9ae36e8 --- /dev/null +++ b/firefox/user.js 
@@ -0,0 +1,219 @@ +# Mozilla User Preferences +# +# 2019/11/11 +# Based on +# +# Privacy-Handbuch, minimal/moderate user.js (vom 01.11.2019) +# Download: https://www.privacy-handbuch.de/handbuch_21u.htm +# +# +# Install when Firefox is closed! +# Feel free to comment in or modify if you don't like the default setting. + + +user_pref("general.warnOnAboutConfig", false); +user_pref("app.normandy.enabled", false); +user_pref("app.normandy.api_url", ""); +user_pref("app.shield.optoutstudies.enabled", false); +user_pref("beacon.enabled", false); +user_pref("browser.aboutHomeSnippets.updateUrl", ""); +user_pref("browser.cache.compression_level", 1); +user_pref("browser.cache.disk.enable", false); +user_pref("browser.cache.disk_cache_ssl", false); +user_pref("browser.cache.offline.enable", false); +user_pref("browser.contentblocking.category", "strict"); +//user_pref("browser.display.use_document_fonts", 0); +user_pref("browser.fixup.alternate.enabled", false); +user_pref("browser.formfill.enable", false); +user_pref("browser.link.open_newwindow.restriction", 0); +user_pref("browser.library.activity-stream.enabled", false); +user_pref("browser.newtabpage.activity-stream.enabled", false); +user_pref("browser.newtabpage.enabled", false); +user_pref("browser.newtabpage.activity-stream.asrouterExperimentEnabled", false); +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); +user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); +user_pref("browser.newtabpage.activity-stream.telemetry", false); +user_pref("browser.newtabpage.activity-stream.feeds.sections", false); +user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); +user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false); +user_pref("browser.newtabpage.activity-stream.feeds.systemtick", false); +user_pref("browser.newtabpage.activity-stream.feeds.topsites", true); 
+user_pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", ""); +user_pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", ""); +user_pref("browser.onboarding.enabled", false); +user_pref("browser.pagethumbnails.capturing_disabled", true); +user_pref("browser.ping-centre.telemetry", false); +user_pref("browser.ping-centre.production.endpoint", ""); +user_pref("browser.ping-centre.staging.endpoint", ""); +user_pref("browser.privatebrowsing.autostart", false); +user_pref("browser.safebrowsing.downloads.remote.url", " "); +user_pref("browser.safebrowsing.downloads.enabled", false); +user_pref("browser.safebrowsing.phishing.enabled", false); +user_pref("browser.safebrowsing.malware.enabled", false); +user_pref("browser.safebrowsing.downloads.remote.enabled", false); +user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false); +user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); +user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); +user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); +user_pref("browser.safebrowsing.blockedURIs.enabled", false); +user_pref("browser.safebrowsing.provider.google.gethashURL", ""); +user_pref("browser.safebrowsing.provider.google.updateURL", ""); +user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); +user_pref("browser.safebrowsing.provider.google4.updateURL", ""); +user_pref("browser.safebrowsing.provider.mozilla.gethashURL", ""); +user_pref("browser.safebrowsing.provider.mozilla.updateURL", ""); +user_pref("browser.search.update", false); +user_pref("browser.search.countryCode", "DE"); +user_pref("browser.search.geoSpecificDefaults", false); +user_pref("browser.search.geoSpecificDefaults.url", ""); +user_pref("browser.search.geoip.url", ""); +user_pref("browser.search.suggest.enabled", false); +user_pref("browser.search.reset.enabled", false); +user_pref("browser.search.reset.status", ""); 
+user_pref("browser.search.reset.whitelist", ""); +user_pref("browser.search.widget.inNavBar", true); +user_pref("browser.sessionstore.max_windows_undo", 0); +user_pref("browser.sessionstore.privacy_level", 2); +user_pref("browser.slowStartup.notificationDisabled", true); +user_pref("browser.slowStartup.maxSamples", 0); +user_pref("browser.slowStartup.samples", 0); +user_pref("browser.startup.page", 0); +user_pref("browser.tabs.crashReporting.sendReport", false); +user_pref("browser.urlbar.speculativeConnect.enabled", false); +user_pref("browser.urlbar.trimURLs", false); +user_pref("browser.urlbar.oneOffSearches", false); +user_pref("browser.urlbar.suggest.openpage", false); +user_pref("browser.urlbar.suggest.searches", false); +user_pref("camera.control.face_detection.enabled", false); +user_pref("camera.control.autofocus_moving_callback.enabled", false); +user_pref("datareporting.healthreport.uploadEnabled", false); +user_pref("datareporting.policy.dataSubmissionEnabled", false); +//user_pref("devtools.webide.autoinstallADBHelper", false); +//user_pref("devtools.webide.enabled", false); +//user_pref("device.sensors.enabled", false); +//user_pref("dom.enable_performance", false); +//user_pref("dom.enable_performance_navigation_timing", false); +//user_pref("dom.enable_resource_timing", false); +//user_pref("dom.gamepad.enabled", false); +//user_pref("dom.idle-observers-api.enabled", false); +//user_pref("dom.webaudio.enabled", false); +//user_pref("dom.webnotifications.enabled", false); +user_pref("experiments.activeExperiment", false); +user_pref("experiments.enabled", false); +user_pref("experiments.manifest.uri", ""); +user_pref("experiments.supported", false); +user_pref("extensions.blocklist.enabled", false); +user_pref("extensions.blocklist.url", ""); +user_pref("extensions.getAddons.cache.enabled", false); +user_pref("extensions.htmlaboutaddons.discover.enabled", false); +user_pref("extensions.htmlaboutaddons.recommendations.enabled", false); 
+user_pref("extensions.ui.lastCategory", "addons://list/extension"); +user_pref("extensions.formautofill.addresses.enabled", false); +user_pref("extensions.formautofill.creditCards.enabled", false); +user_pref("extensions.formautofill.heuristics.enabled", false); +user_pref("extensions.pocket.enabled", false); +user_pref("extensions.screenshots.disabled", false); +user_pref("extensions.screenshots.upload-disabled", true); +user_pref("extensions.systemAddon.update.enabled", false); +user_pref("extensions.systemAddon.update.url", ""); +user_pref("extensions.webextensions.restrictedDomains", ""); +//user_pref("font.blacklist.underline_offset", ""); +//user_pref("layers.acceleration.disabled", true); +user_pref("media.cache_size", 0); +//user_pref("media.eme.enabled", false); +//user_pref("media.navigator.enabled", false); +//user_pref("media.navigator.video.enabled", false); +//user_pref("media.peerconnection.enabled", false); +//user_pref("media.video_stats.enabled", false); +//user_pref("media.webspeech.synth.enabled", false); +user_pref("network.allow-experiments", false); +//user_pref("network.dns.disablePrefetch", true); +user_pref("network.captive-portal-service.enabled", false); +//user_pref("network.http.altsvc.enabled", false); +//user_pref("network.http.altsvc.oe", false); +user_pref("network.http.referer.XOriginPolicy", 2); +user_pref("network.http.sendRefererHeader", 0) +//user_pref("network.http.speculative-parallel-limit", 0); +user_pref("network.IDN_show_punycode", true); +user_pref("network.manage-offline-status", false); +//user_pref("offline-apps.allow_by_default", false); +//user_pref("offline-apps.quota.warn", 0); +user_pref("places.history.enabled", false); +//user_pref("permissions.default.geo", 2); +//user_pref("plugin.default.state", 0); +//user_pref("plugins.enumerable_names", ""); +//user_pref("plugins.update.url", ""); +user_pref("privacy.clearOnShutdown.cache", false); +user_pref("privacy.clearOnShutdown.cookies", true); 
+user_pref("privacy.clearOnShutdown.downloads", true); +user_pref("privacy.clearOnShutdown.history", false); +user_pref("privacy.clearOnShutdown.offlineApps", true); +user_pref("privacy.clearOnShutdown.openWindows", false); +user_pref("privacy.clearOnShutdown.sessions", true); +user_pref("privacy.clearOnShutdown.formdata", true); +user_pref("privacy.clearOnShutdown.siteSettings", true); +user_pref("privacy.cpd.offlineApps", true); +user_pref("privacy.cpd.passwords", true); +user_pref("privacy.cpd.siteSettings", true); +user_pref("privacy.donottrackheader.enabled", true); +user_pref("privacy.firstparty.isolate", true); +user_pref("privacy.history.custom", true); +user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); +user_pref("privacy.sanitize.migrateClearSavedPwdsOnExit", true); +user_pref("privacy.sanitize.sanitizeOnShutdown", true); +user_pref("privacy.userContext.enabled", true); +user_pref("privacy.userContext.ui.enabled", true); +user_pref("privacy.userContext.longPressBehavior", 2); +user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); +user_pref("reader.parse-on-load.enabled", false); +user_pref("security.cert_pinning.enforcement_level", 2); +user_pref("security.family_safety.mode", 0); +user_pref("security.identityblock.show_extended_validation", true); +user_pref("security.insecure_connection_icon.enabled", true); +user_pref("security.insecure_connection_icon.pbmode.enabled", true); +user_pref("security.insecure_connection_text.enabled", true); +user_pref("security.insecure_connection_text.pbmode.enabled", true); +user_pref("security.mixed_content.upgrade_display_content", true); +user_pref("security.mixed_content.block_active_content", true); +user_pref("security.secure_connection_icon_color_gray", false); +user_pref("security.ssl.require_safe_negotiation", true); +user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); +user_pref("security.OCSP.enabled", 1); +user_pref("security.family_safety.mode", 0); 
+user_pref("signon.management.page.breach-alerts.enabled", false); +user_pref("signon.management.page.breachAlertUrl", ""); +user_pref("signon.autofillForms", false); +user_pref("signon.formlessCapture.enabled", false); +user_pref("shield.savant.enabled", false); +user_pref("startup.homepage_welcome_url", ""); +user_pref("toolkit.coverage.endpoint.base", ""); +user_pref("toolkit.coverage.opt-out", true); +user_pref("toolkit.telemetry.archive.enabled", false); +user_pref("toolkit.telemetry.coverage.opt-out", true); +user_pref("toolkit.telemetry.bhrPing.enabled", false); +user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); +user_pref("toolkit.telemetry.hybridContent.enabled", false); +user_pref("toolkit.telemetry.newProfilePing.enabled", false); +user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); +user_pref("toolkit.telemetry.updatePing.enabled", false); +user_pref("toolkit.telemetry.server", ""); +user_pref("toolkit.telemetry.unified", false); +user_pref("toolkit.telemetry.infoURL", ""); +user_pref("webgl.disable-extensions", true); +user_pref("webgl.disable-fail-if-major-performance-caveat", true); +user_pref("webgl.min_capability_mode", true); +user_pref("webgl.enable-debug-renderer-info", false); +user_pref("network.trr.resolvers", '[{ "name": "Cloudflare", "url": "https://mozilla.cloudflare-dns.com/dns-query" },{ "name": "SecureDNS", "url": "https://doh.securedns.eu/dns-query" },{ "name": "AppliedPrivacy", "url": "https://doh.appliedprivacy.net/query" },{ "name": "Digitale Gesellschaft (CH)", "url": "https://dns.digitale-gesellschaft.ch/dns-query" }, { "name": "Quad9", "url": "https://dns.quad9.net/dns-query" }]'); + +// customly set, adjust to your liking +user_pref("general.smoothScroll", false); +user_pref("general.smoothScroll.pages", false); +user_pref("mousewheel.min_line_scroll_amount", 40); +user_pref("geo.enabled", false); +user_pref("geo.wifi.uri", ""); +user_pref("webgl.disabled", true); 
+user_pref("media.video_stats.enabled", false); +user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); +user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); +user_pref("browser.sessionstore.resume_session_once", true); +user_pref("browser.sessionstore.max_tabs_undo", 3); \ No newline at end of file diff --git a/thunderbird/README.md b/thunderbird/README.md new file mode 100755 index 0000000..e67fcd3 --- /dev/null +++ b/thunderbird/README.md @@ -0,0 +1,58 @@ +# Thunderbird + +Go to `Settings -> Advanced -> config editor` + +## Remove Autocrypt and PEP + +In _config editor_ set to `false` or `""` for search values `pep`, `autocrypt` and `extraHeaders`. + +## Recommended settings + +``` +mail.inline_attachments = false +privacy.firstparty.isolate = true +mail.showCondensedAddresses = false +mailnews.headers.showSender = true +mailnews.headers.showUserAgent = true +mail.collect_email_address_outgoing = false +extensions.blocklist.enabled = false +extensions.getAddons.cache.enabled = false +mailnews.start_page.enabled = false +mailnews.start_page.url = +mailnews.start_page.override_url = +``` + +## Check all folders + +``` +mail.server.default.check_all_folders_for_new = true +``` + +## Sort view +``` +mailnews.default_sort_type = 18 +mailnews.default_sort_order = 2 // 1 (ascending) to 2 (descending) +mailnews.default_view_flags = 0 // 0 (unthreaded) to 1 (threaded) +``` + +## Commons addons + +* Allow HTML Temp +* Paranoia +* Enigmail +* Lightning +* Nextcloud for Filelink +* Provider for CalDAV/CardDAV +* TBSync + +Source: [privacy-handbuch.de](https://www.privacy-handbuch.de/handbuch_31d.htm) + +## Server specific settings + +**POTENTIALLY DANGEROUS** and might end up in spam! + +Right click in config editor -> new String in _config editor_ + +``` +mail.domain.tld.default.hello_argument;[127.0.0.1] +```
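Review bot: README.md (top level) and the file headers of this patch: every file is created with `new file mode 100755`, including the four README.md files and firefox/user.js. Only android/captiveportal.sh is meant to be executed, so the documentation and the prefs file should be committed as 100644. In the Links list, the `wort-und-satz.de` entry is the only plain `http://` link and the "Facebooks attitude on encryption" entry points to an image on pr0gramm.com rather than to a citable source. Both are worth replacing or annotating.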
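Review bot: android/README.md, DNS section: "Starting from Android 8" does not match the setting it describes, because the `Settings -> Network & internet -> Private DNS` entry arrived with Android 9. The same sentence says "not secured with SSL", while Private DNS is DNS over TLS, so the wording should name that. In the Captive portal section, the claim that the replacement endpoint "don't log data" is stated without naming who operates it. Please add the operator and a link to its logging policy so readers can judge the trade of one observer for another.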
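Review bot: android/captiveportal.sh: all four `settings put global captive_portal_*` lines hard-code `captiveportal.myservermanager.com`, and the script has no error handling, so it continues silently when `adb` finds no device or the first call fails. Suggest a single variable for the host (so users can point it at a server they trust), `set -e` near the top, and a short comment showing how to revert each key with `settings delete global <key>`. The header comment links the background article but does not say who operates the default host. One line on that would help.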
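Review bot: firefox/README.md, "Recommended settings": the bullet "Adjust values by browsing `about:config`" sits next to the `user.js` bullet without saying that Firefox re-applies `user.js` on every start, so an `about:config` change to any pref listed in that file is overwritten at the next launch. Please state that the three bullets are alternatives, or that overrides belong in `user.js` itself. Smaller points: the KeepassXC sentence has a closing `)` with no opening one, the numbered notes on First Party Isolation and the YouTube filter appear under "Recommended extensions" although the first concerns a pref set in `user.js`, and `www.kuketz-suche.de` is the only search entry given without a scheme.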
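Review bot: firefox/user.js: `user_pref("network.http.sendRefererHeader", 0)` is the only active line without a terminating `;`. That is a syntax error for the prefs parser, and the next active line, `user_pref("network.IDN_show_punycode", true);`, may be dropped with it during error recovery. Please add the semicolon. The block of `browser.safebrowsing.*` prefs set to `false` or `""`, together with `extensions.blocklist.enabled` set to `false`, turns off phishing, malware and download protection and the add-on blocklist. The README describes the file as making the web "more safe", so this trade-off needs a comment in the file and a mention in firefox/README.md. Also, `security.family_safety.mode` is set twice, and `browser.safebrowsing.downloads.remote.url` is set to `" "` (a space) where the neighbouring URL prefs use `""`.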
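Review bot: thunderbird/README.md, "Server specific settings": `mail.domain.tld.default.hello_argument;[127.0.0.1]` uses `;` between name and value while every other block in the file uses `=`, and it never says whether `domain.tld` is a placeholder to substitute. Please check the name against the linked privacy-handbuch.de page (the pref documented for the SMTP HELO argument is `mail.smtpserver.default.hello_argument`) and write it in the same `name = value` form. In "Recommended settings", `extensions.blocklist.enabled = false` disables the add-on blocklist and deserves a line explaining why. "Remove Autocrypt and PEP" tells readers to blank everything matching `pep`, `autocrypt` and `extraHeaders` without listing the prefs, so it would be safer to name them. The heading "Commons addons" should read "Common addons".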