Category Archives: Tech

Articles about software and technology

Update: Firefox Configuration Guide for Privacy Freaks and Performance Buffs

The article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, has been heavily updated with new information, while other parts were edited to bring the information up to date. The most important changes include the addition of two sections, one dealing with how to sanitize the default search engines that ship with Firefox and another which details how to remove unwanted system add-ons which are packaged with the browser and install themselves without prompting the user.

I am currently testing Waterfox with the guide and so far, so good. Waterfox is a 64 bit web browser for Linux, Mac and Windows that, though based on Firefox, is more privacy-centric than Firefox. Its features include the removal of Telemetry and Pocket, as well as other methods which collect user data.

New tut: Firefox Search Engine Cautions and Recommendations

A new tutorial has been published titled Firefox Search Engine Cautions and Recommendations which covers the risks to your privacy when using any of the major search engines in general, but specifically when using the default search engine plugins that are packaged with the Firefox web browser, though this problem is certainly not limited to Firefox. I also cover how to circumvent the risks to your privacy when using the default Firefox search engine plugins, as well as make suggestions for alternative search engines.

I have to say that i’m becoming more and more disillusioned with the multi-million dollar Mozilla corporation and its flagship product, Firefox. Firefox was never a great web browser in my opinion, but it is/was appealing to many because of how completely customizable it is. In its earlier days it was just a little slow and buggy, but more recently Mozilla is making highly unethical choices with regard to the privacy-hating corporations they willingly partner with and how these partnerships have manifested and have been monetized in Firefox is a result of utter stupidity and greed in my opinion. I stuck with Firefox all these years because it has always been one of the most hackable browsers out there, but these days i stick with it primarily because i’m not (yet) able to reproduce the functionality i have added to it via add-ons with any other browser, and Chrome is out of the question, much less Google’s spyware version of it.

It’s sad and frustrating that a company who produced a decent, super-highly customizable browser for a niche market has lost its way and turned its back on the very market it once served by deciding to become a Google Chrome clone in order to appeal to the masses.

Screw you Mozilla.

But let’s end on a lighter note, shall we? Here, have a look.

Tutorial

Firefox Search Engine Cautions, Recommendations

See the revision history at the end for a list of changes to this document.

Introduction

The scope of this tutorial is limited primarily to preserving your privacy when using the default Firefox (or derivative thereof) search engine plugins, as well as discovering new search engines and finding alternative ways to use the big search indexes, such as Google, Bing and Yahoo. For a more in-depth tutorial regarding Firefox privacy issues and customization, please see my article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Free software isn’t always free

Many of us probably tend to associate the open-source software community with individuals or small organizations that freely give away their work and expect little or nothing in return, however nothing could be further from the truth regarding the multi-million dollar Mozilla Foundation. The hundreds of millions of dollars that Mozilla rakes in annually is largely due to its partnership with search engine companies such as Google, Yahoo and several others. These multi-billion dollar ethically challenged mega-corporations then track your web activities and sell the data they collect to advertisers and who knows who else. It seems to me that these kinds of partnerships are clearly at odds with Mozilla’s statement, “Committed to you, your privacy and an open Web”.

So how does Mozilla get paid by the mega-giants like Yahoo and Google? Simple: Any time you use any of the default search engine plugins that are packaged with the browser, parameters like these are added to your search query:

client=firefox-a
name="appid" value="ffd"
name="hspart" value="mozilla"

These parameters tell the search engine that you are using a Firefox/Mozilla product and that’s all it takes to rake in millions for Mozilla. If you do not wish to participate in the Mozilla/Google/Yahoo affiliate scheme, or you just like being a little more anonymous, read on.

Types of search engines

It appears there are basically two types of search engines; meta search engines and search indexes and it is important to understand the difference. Google, Yahoo and Bing for example, use software robots known as “crawlers” to index web content. In other words these companies actively seek out updated and fresh content to store in their databases so that it’s ready for you to find. Meta search engines, on the other hand, typically do not index the web and instead rely primarily on third parties to provide their search results, including Google, Yahoo and Bing. As such, even when using a so-called “alternative” search engine such as DuckDuckGo, Startpage, Searx, etc., you are still subject to at least a portion of the content manipulation and censorship employed by the big corporations which deliver their results to your chosen alternative. While these alternative search engines do indeed make a great deal of sense from a privacy perspective since one can avoid using the big indexes directly, they are not true alternatives as they are often described, but more like search engine proxies which simply provide their own interface to display the search results as provided by the big boys. Furthermore, these alternative search engines are also free to choose who they partner with and are subject to local laws, such as secret surveillance requests issued by a government.

Indexing the web can be an incredibly expensive proposition and this is why centralized companies like DuckDuckGo, Startpage, Searx and others rely on search results provided by corporations like Google. There is an even better solution however, one which both respects your privacy and is censorship resistant and these are distributed search indexes. Imagine a free, open-source search engine that is completely decentralized where the search index is distributed among millions of computers like yours, each storing a piece of the whole. There are probably no for-profit corporations involved, no office headquarters and no board of directors. This is what the developers behind YaCy have done with their peer-to-peer search engine and i think it’s a great way to move forward and away from corporate censorship.

Adding search engines to Firefox

Possibly the easiest way to mitigate risks to your anonymity posed by using the default Firefox search engines is to simply disable all of them and find alternatives. One of my favorite choices is the open source and highly configurable Searx meta search engine which you can host an instance of on your own server if you wish, but you don’t have to in order to use it. Searx, like DuckDuckGo, Startpage and many others, is not an index and so it does not crawl the web seeking out and storing content like Google and the others do. Like most of the alternative search engines, Searx is a meta search engine meaning that it pulls its search results from third party indexes. The difference between Searx and many of the other meta search engines, is that Searx is capable of pulling results from many other indexes and meta search engines, any of which you can enable or disable.

An easy way to add Searx to Firefox is to simply find a hosted instance which you like, preferably one close to you, and from the Firefox search bar, click “add”. While searx.me is the original instance of Searx, it is best not to use it because it can become overloaded. The developers may even disable it at times in order to promote the many other third party instances. This is done because it is very expensive to run a search engine and searx.me cannot afford to have too many people using their instance without donations from folks like us. A potential pitfall to using a 3rd party instance of Searx is that the server may be logging information, such as IP addresses, etc., so you’ll have to decide what’s best for you.

You can add most other search engines to Firefox using the same process as described above, but there are other ways also. The Mycroft Project hosts tens of thousands of preconfigured search engine plugins for a variety of web browsers and has a form for writing your own plugins. These plugins can be added to Firefox simply by clicking on their names, the top 100 of which are listed here. Unfortunately it is not possible to review the code from the main search plugins listing before adding the plugin to your browser, however you can use their submission form to do so by mousing over the plugin name to reveal its numeric ID and then filling in that ID in the submission form page.

Privacy-centric search engines

See: Alternative Search Engines That Respect Your Privacy

Sanitizing the default search engine plugins

If you choose to use the default search engine plugins provided by Mozilla, you may want to sanitize them in order to circumvent some of the risks to your privacy, however you should be aware that sanitizing the default plugins will not prevent tracking or privacy risks at the search engine level when using the services provided by Google, Bing, Yahoo, etc. If you are going to use the default search engine plugins, then you should also use something like the Neat URL add-on which strips tracking parameters from URLs.

If you want to sanitize the default search engine plugins yourself you might want to install the XML Search Engines Exporter/Importer (legacy add-on that won’t work for Firefox v57+) Firefox add-on which makes it super-easy to export and import the modified plugin code wherein we will remove the monetization schemes and browser fingerprinting which Mozilla employs. Unfortunately, using the XML Search Engines Exporter/Importer add-on is the only reasonable way i am aware of to extract the data from the search.json.mozlz4 file where the search engine code is stored, so that it can be edited. This will require a bit of time but is not difficult to accomplish. You will also want a decent code editor, such as Kate for Linux (already included in some distributions) or something like Notepad++ or PSPad for Windows. Another alternative if you do not want to sanitize the default search engine plugins manually, is to simply download my pre-sanitized search engine plugins below.

By default, at the time of this writing, Firefox includes the following search plugins:

  • Amazon
  • Bing
  • DuckDuckGo
  • Google
  • Twitter
  • Wikipedia
  • Yahoo

Sanitizing manually

After installing XML Search Engines Exporter/Importer, open the Firefox preferences UI and navigate to the “Search” tab (or enter about:preferences#search in the address bar). You should probably make sure that all of the search engines are enabled at this point, even those you don’t use, else you will not be able to edit them. Click the “Restore Default Search Engines” button if necessary. Near the bottom of the search preferences UI you will notice some new buttons, but the one we are interested in is labeled “Export All Search Engines to File…”. This will export all of the default search engine plugins, as well as any others you may have added, to a ZIP archive, the extraction of which will reveal a bunch of XML files and it is these which we will be editing.

The following uses the yahoo.xml file as an example. Note that the base64 image code for the Yahoo icon was removed to shorten it:

<?xml version="1.0" encoding="UTF-8"?>
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
  <os:ShortName>Yahoo</os:ShortName>
  <os:Description>Yahoo Search</os:Description>
  <os:InputEncoding>UTF-8</os:InputEncoding>
  <os:Image width="16" height="16">data:image/x-icon;base64,[icon code removed]</os:Image>
  <SearchForm>https://search.yahoo.com/yhs/search?p=&amp;ei=UTF-8&amp;hspart=mozilla&amp;hsimp=yhs-001</SearchForm>
  <os:Url type="application/x-suggestions+json" method="GET" template="https://search.yahoo.com/sugg/ff" resultDomain="search.yahoo.com">
    <os:Param name="output" value="fxjson"/>
    <os:Param name="appid" value="ffd"/>
    <os:Param name="command" value="{searchTerms}"/>
  </os:Url>
  <os:Url type="text/html" method="GET" template="https://search.yahoo.com/yhs/search" rel="searchform" resultDomain="yahoo.com">
    <os:Param name="p" value="{searchTerms}"/>
    <os:Param name="ei" value="UTF-8"/>
    <os:Param name="hspart" value="mozilla"/>
    <!--The original definition of this search engine included too some non-standard 'MozParam' parameters. As they are recognized by Firefox only if they are found in an engine included by default in the application, they were omitted here.-->
  </os:Url>
</SearchPlugin>

Examining the above code reveals parameters which can be used to fingerprint and track our browser and are not necessary for performing a search with Yahoo. Following are the parameters which we want to edit:

In the <SearchForm> tag, everything after /search in the URL, beginning with the question mark, can be removed so we end up with the following:

<SearchForm>https://search.yahoo.com/yhs/search</SearchForm>

The entire block beginning with <os:Url type="application/x-suggestions+json" and ending with the first of the two </os:Url> closing tags can be removed. This will disable some fingerprinting as well as search suggestions.

The line <os:Param name="hspart" value="mozilla"/> can be removed.

The last thing you must do is rename the search engine since the XML Search Engines Exporter/Importer add-on will not import a search engine plugin with the same name as a default plugin included with Firefox. This will also allow you to be sure you are using the sanitized version of Yahoo rather than the default one as provided by Mozilla since the modified name will be the one displayed in your search bar and in your search preferences. To rename the plugin, simply edit the following line and change Yahoo to whatever you wish:

<os:ShortName>Yahoo</os:ShortName>

I might suggest something like this, where the (s) stands for “sanitized”:

<os:ShortName>Yahoo (s)</os:ShortName>

The above is how the Yahoo search engine will be displayed in your search bar and in the Firefox preferences.

The name of the XML file does not have to be changed, but you may want to append something like _s to it to indicate it has been sanitized so you don’t get it mixed up with the default search plugin.

For the remaining search engine plugins you basically want to repeat what we have done above with Yahoo. The parameter names and values will sometimes differ from the examples above, but basically you want to look for anything that identifies your browser, operating system and, potentially, your locale and remove it. For example, if you exported the Wikipedia search plugin XML file, you will find in it &amp;sourceid=Mozilla-search and <os:Param name="sourceid" value="Mozilla-search"/>, both of which can be removed. The exception with all of the search plugin XML files is that you do not need to alter the <SearchPlugin xmlns= line even though it may contain a mozilla.org URL.
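
The manual steps above can also be scripted. The following Python sketch is an added example, not part of the original tutorial or of any Mozilla tooling: it applies the same four edits to an exported plugin file and reports what it changed. The function names and the TRACKING_PARAMS set are assumptions built from the parameter names shown in this article, and the embedded sample is the yahoo.xml listing above with the icon element omitted.

```python
import pathlib
import sys
import xml.etree.ElementTree as ET

MOZ_NS = "http://www.mozilla.org/2006/browser/search/"
OS_NS = "http://a9.com/-/spec/opensearch/1.1/"
ET.register_namespace("", MOZ_NS)   # serialize <SearchPlugin>/<SearchForm> unprefixed
ET.register_namespace("os", OS_NS)  # keep the os: prefix on output
MOZ, OS = "{%s}" % MOZ_NS, "{%s}" % OS_NS

# Assumption: names collected from the examples in this article. Review each
# exported file by hand and extend the set as needed.
TRACKING_PARAMS = frozenset({"client", "appid", "hspart", "hsimp", "sourceid"})
SUGGEST_TYPE = "application/x-suggestions+json"

# Constructed sample: the article's yahoo.xml listing, icon element omitted.
SAMPLE_YAHOO = """<?xml version="1.0" encoding="UTF-8"?>
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
  <os:ShortName>Yahoo</os:ShortName>
  <SearchForm>https://search.yahoo.com/yhs/search?p=&amp;ei=UTF-8&amp;hspart=mozilla&amp;hsimp=yhs-001</SearchForm>
  <os:Url type="application/x-suggestions+json" method="GET" template="https://search.yahoo.com/sugg/ff">
    <os:Param name="output" value="fxjson"/>
    <os:Param name="appid" value="ffd"/>
    <os:Param name="command" value="{searchTerms}"/>
  </os:Url>
  <os:Url type="text/html" method="GET" template="https://search.yahoo.com/yhs/search" rel="searchform">
    <os:Param name="p" value="{searchTerms}"/>
    <os:Param name="ei" value="UTF-8"/>
    <os:Param name="hspart" value="mozilla"/>
  </os:Url>
</SearchPlugin>
"""


def strip_query_params(url, names):
    """Drop the named parameters from a URL's query string; leave the rest as-is."""
    base, _, query = url.partition("?")
    kept = [p for p in query.split("&") if p and p.split("=", 1)[0] not in names]
    return base + ("?" + "&".join(kept) if kept else "")


def sanitize_plugin(xml_data, tracking=TRACKING_PARAMS, suffix=" (s)"):
    """Return (sanitized_xml, changes) for one exported search plugin."""
    root = ET.fromstring(xml_data)
    changes = []
    # Step 1: <SearchForm> keeps only the part before the question mark.
    for form in root.iter(MOZ + "SearchForm"):
        if form.text and "?" in form.text:
            form.text = form.text.split("?", 1)[0]
            changes.append("SearchForm: query string removed")
    # Step 2: remove the whole search-suggestions <os:Url> block.
    for parent in list(root.iter()):
        for url in parent.findall(OS + "Url"):
            if url.get("type") == SUGGEST_TYPE:
                parent.remove(url)
                changes.append("suggestions Url block removed")
    # Step 3: remove identifying <os:Param> elements, and the same names when
    # they are embedded directly in a template URL (the Wikipedia case).
    for url in list(root.iter(OS + "Url")):
        for param in url.findall(OS + "Param"):
            if param.get("name") in tracking:
                url.remove(param)
                changes.append("Param %s removed" % param.get("name"))
        template = url.get("template", "")
        cleaned = strip_query_params(template, tracking)
        if cleaned != template:
            url.set("template", cleaned)
            changes.append("template: tracking parameters removed")
    # Step 4: rename so the importer accepts it and the sanitized copy is obvious.
    for name in root.iter(OS + "ShortName"):
        if name.text and not name.text.endswith(suffix):
            name.text += suffix
            changes.append("renamed to " + name.text)
    return ET.tostring(root, encoding="unicode"), changes


def sanitize_file(path):
    """Write <name>_s.xml next to the input file; return (new_path, changes)."""
    src = pathlib.Path(path)
    xml_out, changes = sanitize_plugin(src.read_bytes())
    dst = src.with_name(src.stem + "_s" + src.suffix)
    dst.write_text('<?xml version="1.0" encoding="UTF-8"?>\n' + xml_out, encoding="utf-8")
    return dst, changes


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        print(*sanitize_file(arg))
```

Review the reported changes and the output file before importing it, since a plugin may carry identifying parameters under names that are not in the set.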

To import the sanitized search engine files if you are using the XML Search Engines Exporter/Importer add-on:

  1. Start Firefox, open the search preferences UI (about:preferences#search) and import your sanitized search plugins. Optionally you may want to disable/remove the default search plugins.

To import the sanitized search engine files if you are not using the XML Search Engines Exporter/Importer add-on:

  1. Place your sanitized search plugin XML files in the /searchplugins folder within your Firefox profile folder (create the directory if need be).
  2. In your Firefox profile folder, rename the search.json.mozlz4 file to search.json.mozlz4.bak.
  3. Restart Firefox and, optionally, open the search settings in the preferences UI (about:preferences#search) and disable/remove the default search plugins.

Using these pre-sanitized plugins

If you would rather avoid the hassle of sanitizing the default search plugins manually, you can simply use my pre-sanitized files below which include Amazon, Bing, DuckDuckGo, Google, Twitter, Wikipedia and Yahoo. Each will have an “(s)” appended to its name in your search bar and search preferences. Note that you should still sanitize the prefs.js preferences corresponding to these search plugins as described below.

In all cases the search suggestion code has been removed and _s was appended to the XML file names. In the case of Google it has been further customized to disable safe search, auto-complete, personalized search and other annoyances. Google has also been configured to use only google.com, thus disabling the automatic country redirect (in other words if you live in Canada and want to use google.com, Google will no longer redirect to google.ca) and both the displayed name and file name include “NCR” which stands for “No Country Redirect”.

Perform the following steps to install the sanitized search plugins:

  1. Download the sanitized_search_plugs.zip archive and extract it in the /searchplugins folder within your Firefox profile folder (create the directory if necessary).
  2. In your Firefox profile folder, rename the search.json.mozlz4 file to search.json.mozlz4.bak.
  3. Restart Firefox and, optionally, open the search settings in the preferences UI (about:preferences#search) and disable/remove the default search plugins.

Sanitizing the prefs.js search engine preferences

Another step we need to perform is to sanitize any browser.search.param. preferences in the prefs.js file. To do this it is best to create a custom user.js file to store our modified preferences if you don’t already have one. You can read the tutorial, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, for information on creating the file, as well as many additional things we can do to protect our privacy and tighten the security of Firefox.

To sanitize the search engine preferences, open the about:config URL in your browser and enter browser.search.param. in the search field. At the time of this writing there are only two preferences that will be displayed and they are browser.search.param.yahoo-fr and browser.search.param.yahoo-fr-ja. The default values may be different in your case, but in mine they are data:text/plain,browser.search.param.yahoo-fr=linuxmint and an empty string, respectively. What you need to do is copy both preference names to your user.js file and set the values to an empty string:

user_pref("browser.search.param.yahoo-fr", ""); // sanitize Yahoo
user_pref("browser.search.param.yahoo-fr-ja", ""); // ^

If you are going to sanitize the other default search engine XML files, you may as well sanitize any other prefs.js preferences related to the other search engines as we did above. Simply enter browser.search.param. in the search field, copy all the preference names to your user.js file and set the values to an empty string as shown above (again, at the time of this writing, the only two preference names refer to Yahoo).

Removing the ‘Follow On Search’ system add-on

Mozilla packages some system add-ons (browser extensions) with Firefox and installs them without your permission. Also these system add-ons are not listed in the Extensions section of the Preferences UI (about:addons). The technology behind one of these system add-ons is called “Follow-on Search” (also see the Mozilla GitHub repository page) and it is used to collect data about the way you use the Google, Bing and Yahoo search engines. Note that this add-on works independently of the search engine plugins discussed in this article.

To see if the Follow-on Search add-on is installed, open about:support in the Firefox address bar and look under the section titled “Firefox Features”. In my particular case under Linux Mint, there was no “Firefox Features” section included on the support page, nor was the add-on found on my system, however there were other system add-ons found.

The Follow On Search add-on, which has the file name followonsearch@mozilla.com.xpi, is located at /usr/lib/firefox/browser/features on Linux Mint (and very likely other flavors of Linux as well) and at \Program Files (x86)\Firefox\browser\features or \Program Files\Firefox\browser\features on Windows and i would suggest either deleting or disabling it. Under Linux, i am not aware of how it can be disabled, but it can certainly be deleted:

Or if you want to delete all of the system add-ons:

cd /usr/lib/firefox/browser/features
sudo rm *.xpi

On Windows you can apparently use CCleaner to disable these system add-ons from the Tools > Browser Plugins menu.

Note that these system add-on files will be recreated when Firefox is updated and therefore you will need to delete/disable them after each update. On Windows, CCleaner may keep these add-ons disabled after a Firefox update but you should check to be sure. Since i use Linux, i just created a link to the /features folder on my desktop to remind me to delete the add-ons (i’m sure there’s a much more elegant way to auto-remove them, but i’m a Linux noob at this point).

We’ve only scratched the surface…

Sanitizing the Firefox search engine plugins is a good start, but there is much more to do if you’re interested in circumventing the risks to your privacy and computer security that are inherent in any of the popular web browsers. For further information, please refer to my article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs. You may find it helpful even if you aren’t using Firefox.

Resources

Special mention goes to ‘Thorin-Oakenpants’ (aka ‘Pants’) as well as the ‘ghacks’ crew and their GitHub repository where they host an excellent privacy and security centric custom user.js for Firefox, as well as a Wiki which is full of valuable information.

Change log

15-Sep-2017

  • first publish

16-Sep-2017

  • added this change log
  • corrected an error in the pre-sanitized Wikipedia search plugin and re-uploaded sanitized_search_plugs.zip
  • added information as suggested by ‘Pants’ in his comment below, particularly details and resources regarding the followonsearch@mozilla.com.xpi system add-on in a new section titled “Removing the ‘Follow On Search’ system add-on”
  • added Hulbee and MetaGer to the search engine list
  • added a “Decentralized” column to the search engine table
  • added resource: 5 Best Search Engines That Respect Your Privacy – BestVPN.com
  • misc. cleanup and edits

17-Sep-2017

  • corrected typo in metager URL
  • added “Requires JS / Cookies” column in search engine table
  • changed links for search engines in table to point to company/about page and added links to point to search page
  • added link to the ‘lite’ version of DDG
  • added a link to the uBO filters to block Startpage/Ixquick tracking images
  • misc. minor edits

18-Sep-2017

  • added “Client Required” column to search engine table
  • corrected some info regarding the search engines in the table
  • minor misc. edits

24-Sep-2017

  • added a link to the Duck Duck Go: Illusion of Privacy article
  • added findx to the search engine list
  • minor edits

27-Sep-2017

  • added Qwant to the search engine table

29-Sep-2017

  • misc. edits and added info, nothing really important

3-Oct-2017

  • very minor edits

23-Oct-2017

  • moved the list of alternative search engines to its own page
  • minor edits
Tutorial

Tutorial: Remove Firefox Title Bar On Linux KDE – Alternate Methods

the problem…

One of the issues i had when i scrapped Windows and installed Linux Mint was that i missed how easy it was to hide the Firefox window title bar in order to gain that extra bit of vertical real estate under Windows. With Mint and the KDE desktop environment i found several options to accomplish a similar result, but i liked none of them and so off i went seeking a better alternative.

Most of the options i found either advised to install the Hide Caption Titlebar Plus extension for Firefox, which works on Linux, more or less, or to apply a custom window style using the Window Actions and Behavior settings in KDE (System Settings > Workspace > Window Management on Mint 18.x). The problem with the former is that it is hugely bloated with options i don’t use nor want and it didn’t produce a very nice looking result, plus i prefer to do things without installing more Firefox extensions if possible. The problem with the latter option is that, while it is indeed trivial to remove the Firefox window title bar using the Window Management tool provided by KDE, this left me with a borderless window that couldn’t be resized when it wasn’t maximized.

the solutions…

By accident i stumbled upon what i personally think is a better solution while playing with the KDE Window Decorations utility in System Settings > Appearance > Application Style > Window Decorations settings and no additional software or configuration tweaks were needed.

System Settings - Application Style

On the Theme tab of the Window Decorations utility, you’ll see the previews of whatever window themes you have installed. In Mint 17.x/18.x with KDE, i think the defaults are Breeze and Plastik.

Window Decorations - Theme

For this to work, you have to be using the Breeze theme or another one that supports windows-specific overrides (the Plastik theme does not, nor do any of the custom themes i tried). Using Breeze as the example, if you click on the little tool icon on the lower-left of the theme preview, you’ll get a menu which opens the settings for the theme.

Window Decorations - Theme Settings

On the Windows-Specific Overrides tab you can add a couple of window specific styles for a given window, or even all windows if you want. The only two options are to change the border size and hide the title bar. These options are not nearly as comprehensive as those found in the System Settings > Workspace > Window Management > Window Rules utility, but the difference between the two is that, as previously mentioned, you lose the window border and thus the ability to resize the window with the mouse when removing the title bar using the Window Rules utility, while you retain the window border when using the Window Decorations utility.

So to accomplish what we want, simply click that little tool icon on the window theme preview and switch to the Windows-Specific Overrides tab. From here, click Add and a utility to identify the window for which you want to remove the title bar will be displayed.

Breeze System Settings - Add

In this window you have two options; you can either set the Matching window property to Window Title or Window Class Name. I recommend you select the Window Class Name option (if you don’t, you’ll eventually figure out why i recommend this option). In the Regular expression to match field, enter Navigator Firefox (in the image below i use Navigator Waterfox because i use Waterfox). In the next section you can enable or disable the window border size option if you want, but most importantly you’ll want to select the Hide window title bar option, then click “OK” and “Apply” and you’re done with this part.

KDE: Window-Specific Overrides

The caveat with this method versus using an extension, is that we lose our browser window exit, restore and minimize window controls and so you’ll have to get used to exiting Firefox using another method such as a keyboard shortcut or a menu item, but what i prefer is to simply middle-click the task bar icon to close windows. This is easily accomplished by right-clicking any task bar icon and selecting the Task Manager Settings menu item, then setting the On middle-click option in the General section to “Close Window or Group”. Note that i personally do not group windows.

Task Manager Settings - Plasma

Returning to Firefox, you may still have a bit of a problem in that you will need a way to drag the window so we can restore (un-maximize) it, resize it and move it around since our title bar is now gone. My solution was to simply add a bit of fixed space to the end of the tab bar (i set tabs to be on top). This is really only needed when you have enough tabs open so as to fill the space on the tab bar. I suppose there are a couple of ways to accomplish this, including a userChrome.css hack, however the easiest way is to put the browser in customize mode and drag one or more fixed-width spaces to wherever you want on the tab bar.

Mozilla Firefox - Add Static Space

So hopefully you now have an easy way to exit, move and resize Firefox, along with a bit more screen real estate, and it can all be done without having to edit a single configuration file.