Simultaneous use of Firefox profiles to guard against CSRF attacks
Here’s a quick post to decrease your exposure to attacks against web application vulnerabilities. A couple months ago, I posted an article that detailed 8 Firefox extensions for safer browsing. In addition to the extensions listed in that post, I use another precaution while browsing websites: I simultaneously run multiple Firefox profiles. There are a couple reasons for this, such as oh… I dunno. I always thought people would run one profile for day-to-day activities/regular browsing, and another for doing security testing and web assessments. But did you know running separate instances of Firefox guards against CSRF attacks? Yes, it does!
If you’re not using multiple Firefox profiles already, start up Firefox with the -ProfileManager option. On Windows, you can edit the shortcut target and append -ProfileManager.
"C:\Program Files\Mozilla Firefox\firefox.exe" -ProfileManager
MOZ_NO_REMOTE=1
To run Firefox profiles simultaneously, you’ll need to set the MOZ_NO_REMOTE=1 user environment variable. On Windows, you can enter new environment variables through the System Properties > Advanced Tab > Environment Variables dialog. On Linux, you can do the same by running the following from the shell or in a startup script.
$ export MOZ_NO_REMOTE=1
As an alternative to exporting the environment variable, you can append the -no-remote option to the Firefox command line (in a shortcut icon, just add it to the target location). If you want to create icons to start specific Firefox profiles like I do, you can specify which profile by its name using the -P option.
Here are some Windows examples you can set:
"C:\Mozilla Firefox\firefox.exe" -P profilename -no-remote
"C:\Mozilla Firefox\firefox.exe" -ProfileManager
and for Linux:
/usr/bin/firefox -ProfileManager
/usr/bin/firefox -P profilename -no-remote
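The Linux commands above wrapped in a small launcher, as an added example that is not from the original post: it reads profiles.ini and runs `-P name -no-remote` only for a profile that is actually declared there, so a mistyped name is caught before Firefox starts. The `~/.mozilla/firefox/profiles.ini` location and the `FF_BIN` and `PROFILES_INI` variable names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post: start one named Firefox profile
# as its own process, refusing names that profiles.ini does not declare.
# Assumed: Linux layout (~/.mozilla/firefox); FF_BIN and PROFILES_INI are
# variable names made up for this sketch.
FF_BIN="${FF_BIN:-/usr/bin/firefox}"
PROFILES_INI="${PROFILES_INI:-$HOME/.mozilla/firefox/profiles.ini}"

# Print every Name= value found inside a [ProfileN] section of the given file.
list_profiles() {
    awk '
        /^\[/ { in_profile = ($0 ~ /^\[Profile[0-9]+\]/) }
        in_profile && /^Name=/ { sub(/\r$/, ""); print substr($0, 6) }
    ' "$1"
}

# Exact, whole-line match: "bank" must not pass because "banking" exists.
profile_exists() {
    list_profiles "$2" | grep -Fxq -- "$1"
}

# Launch with -P <name> -no-remote so the profile runs beside other instances.
launch_profile() {
    if [ ! -r "$PROFILES_INI" ]; then
        echo "cannot read $PROFILES_INI" >&2
        return 2
    fi
    if ! profile_exists "$1" "$PROFILES_INI"; then
        echo "unknown profile '$1'; declared profiles:" >&2
        list_profiles "$PROFILES_INI" >&2
        return 1
    fi
    "$FF_BIN" -P "$1" -no-remote &
}

# Only act when a profile name is passed on the command line.
if [ $# -gt 0 ]; then
    launch_profile "$1"
fi
```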
You can also go ahead and do what Joanna Rutkowska does, and practice “almost-full” privilege separation on Windows Vista and run different browsers with limited privileges.

I suppose you could use two profiles. One profile is used for times when you want to use a site you log into, for instance Gmail, Amazon, YourBank, MySpace, whathaveyou. And the other profile is for everything else, either throw-away accesses (for instance that forum you only post to once every 3 years) or random browsing of the Internet. That way CSRF actually never will be an issue unless you mix tasks between the two. Gogo user error!
That’s not a bad idea at all for people who don’t have two computers or a VM solution at their fingertips! And hell of a lot less overhead than those, just to protect against CSRF…
@ LonerVamp: I use a separate profile for things that require cookies/logins. Mixing MySpace and my bank is exactly what I’m worried about most.
LV, what dre said is what I do. I run separate sessions for sensitive websites (banking, stocks trading), one for sites I have to log in to (such as Facebook, MySpace, etc.), and another for regular web browsing.
One related variant is to have a shell script or batch file or whatever that re-creates a new “clean” profile each time.
I then have three different ways of running firefox:
Normal
Secured
Clean
The icon for the clean one points to the script which removes the entire profile directory, then extracts it back into place before running firefox. Probably could just do the same thing by deleting the profile directory or using some calls to the profile manager, but it works well enough for me. I usually do that when I want to test some bug or browser behavior and need a fresh install without any extensions or other oddities in the profile.
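The clean-profile approach described in the comment above, as an added example that is not the commenter's own script: it rebuilds a profile directory from a known-good archive, but refuses dangerous paths, refuses a profile that looks open, and keeps the old profile if the archive does not unpack. The archive layout, the `lock` symlink check and the `reset_profile` name are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the commenter's script: rebuild a throw-away profile
# directory from a known-good archive before each launch.
# Assumed: the baseline is a .tar.gz of the profile directory's contents, and
# Firefox on Linux keeps a "lock" symlink in a profile while it is open.

reset_profile() {
    profile_dir=${1%/}
    baseline=$2
    # Never hand rm -rf an empty, root, or relative-dot path.
    case "$profile_dir" in
        ""|.|..) echo "refusing to reset '$1'" >&2; return 2 ;;
    esac
    [ -f "$baseline" ] || { echo "missing baseline: $baseline" >&2; return 2; }
    # Do not pull the directory out from under a running instance.
    if [ -L "$profile_dir/lock" ]; then
        echo "profile in use (or stale lock): $profile_dir" >&2
        return 1
    fi
    # Unpack beside the target first, so a bad archive leaves the old
    # profile untouched instead of leaving no profile at all.
    tmp=$(mktemp -d "$profile_dir.new.XXXXXX") || return 3
    if ! tar -xzf "$baseline" -C "$tmp" 2>/dev/null; then
        rm -rf -- "$tmp"
        echo "baseline did not unpack: $baseline" >&2
        return 3
    fi
    rm -rf -- "$profile_dir"
    mv -- "$tmp" "$profile_dir"
    chmod 700 "$profile_dir"   # cookies and saved logins stay owner-only
}

# Usage: clean-firefox.sh <profile-dir> <baseline.tar.gz> <profile-name>
if [ $# -eq 3 ]; then
    reset_profile "$1" "$2" && exec firefox -P "$3" -no-remote
fi
```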
@ Jordan. I don’t know if that helps with the security of the browser. Also – I just do what you describe using -safe-mode.
Many people don’t understand the MOZ_NO_REMOTE=1 and using multiple profiles to protect against CSRF. I think this is mostly because they don’t understand CSRF or just want to be “helpful”. While it’s nice to want to help, I really think that having an understanding of the underlying issues is what the real crux of the problem is.
The only thing that is “similar” to using multiple profiles is “exiting all instances of the browser before you open it again” e.g. when switching between MySpace and your banking website. Or using IE, Firefox, and Opera all simultaneously: one for one website each e.g. IE for Live.com, Firefox for Amazon, and Opera for eBay.
I wonder if the content-restrictions, server-provided policies, or anti-xss browser mechanisms are making any progress?
Using several instances of Firefox or several different browsers could really help to protect you from CSRF. However, I normally care about a couple of accounts on various services, which I want to stay logged in for a long time.
So, in my case it was much easier to install Mozilla Webrunner (I guess it is called Mozilla Prism now) and create profiles for those accounts. That means they are executed with individual profile(s) and you don’t have to load a full-fledged browser, just the Gecko engine, which provides less overhead than running several Firefox instances. As a side effect, you may choose not to log out at all if you trust the security of your own machine.