Tutorial

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

See the revision history at the end of this document for a list of changes.

Introduction

Many of us are aware of the immense threats to our privacy and security posed by a plethora of technology corporations, governments and malicious hackers, some of which often go to great lengths to monitor our communications and web browsing habits. Governments and their “intelligence” apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of many mega-corporations to do so, including Google, Facebook, Verizon, Comcast, Amdocs and countless others, many of which most of us have probably never heard of. While this data may be used for relatively benign purposes, such as displaying ads on web pages, all too often the intentions are far more sinister and invasive. Much of what Edward Snowden has brought to the table is not new at all, but it seems the information has been presented in a way that has captured the attention of much of the public, prompting those who value their privacy to seek ways to mitigate the threats. The goal of this guide is to help the reader to thwart some of the efforts to track and profile us as we surf our way around the World Wide Web. Notice i intentionally use the word “some” for several reasons; 1) because there are too many variables and vectors for attack and 2) because i am in no way an expert on computer security or privacy.

I’ll share a personal experience here that may interest you…

I once sold a PC to a guy and we got to talking about the government. He said he had either worked for the government directly, or as a contractor, i don’t recall which. He said he had a security clearance and i believe it was a crypto clearance. Our time was limited because he had to be somewhere, but he touched upon some very interesting topics that i wanted to know more about and so i suggested we could continue our conversation through email using encryption. He looked at me and said “encryption is useless”. Obviously encryption is not entirely useless, but i think what he meant is that, if it is certain government agencies that are targeting you, then indeed it is useless. The point is that one should never make the mistake of assuming that their privacy is guaranteed no matter what precautions have been taken and i think it’s important to keep that general rule in mind as you sift through this guide.

For many of us, our web browser is the primary interface we use to explore the digital world and it is therefore necessary for any privacy conscious individual to consider what information our web browsers are sending and receiving and how that information can be used to track our on-line activities and profile us. Only then can we take action to circumvent some of these threats.

Contrary to the statements made in The Mozilla Manifesto, it is my opinion that, while its flagship product, the Firefox web browser, may be more privacy-centric than the other mainstream web browsers, securing the privacy of its audience is but a second thought of the non-profit, multi-million dollar Mozilla Foundation. This is readily apparent when one considers the array of ethically challenged multinationals which Mozilla has chosen to hop in bed with, including Google, Yahoo, Microsoft, Telefónica, LG Electronics, Sony, Verizon, Cisco and others. Even the now defunct Firefox Pocket service was tied to a 3rd party company and it seems more “features” are being added with each iteration of the browser. Google Chrome is no better and Internet Explorer isn’t worth the effort required to express an opinion.

That being said, i think Firefox is still a good product in many ways and it is certainly one of the most hackable mainstream web browsers going. Because it is open source and wide open to customization, i believe the Gecko family of browsers are good candidates for those who wish to reduce their exposure to privacy and security threats. The folks behind the Tor Project seem to think so as well since Firefox is included in their Tor Browser Bundle, though i suspect possibly not for much longer.

This guide covers primarily the configuration of Firefox and the add-ons we will be employing and ends there. For additional privacy you may wish to consider using a VPN. Personally i use and recommend AirVPN due to their privacy policy, ethics, price, great service and the fact that they run a lot of servers all around the world and do not restrict any protocol, including BitTorrent traffic.

A special note about cryptocurrency miners

People are now creating scripts to mine cryptocurrencies using your computing power while you visit any websites which employ these scripts. I first learned about this when The Pirate Bay used such a script in certain sections of their website.

This is a very interesting development and it will be just as interesting to see how wide-spread this becomes. Just days after TPB was found running such a script, there was already a cryptocurrency miner WordPress plug-in on wordpress.org with 300+ active installs as of Sep. 27, 2017.

At first i saw this as malware and, in fact, i would say it was indeed malware when The Pirate Bay introduced it secretively and didn’t make it an opt-in option for its users. It also appears that ad-blockers, including uBlock Origin, as well as anti-virus software vendors, are targeting these mining scripts. After giving it some thought however, this seems like it might be an excellent way for independent journalists and others to generate some “cash” to support their work.

In the “uBlock Origin configuration” section below, you will find that i have included a filter list to block these cryptocurrency scripts from running, at least for now. Hopefully this will change in the near future.

Audience

This guide is intended for those who are somewhat technically inclined, or are at least willing to learn, and who wish to reduce the threats to their privacy while enhancing browser security and performance. We will attempt to accomplish these goals while maintaining a reasonably carefree web browsing experience which means there will be some trade-offs between security and privacy for ease of use, but you can always adjust to suit your particular needs. This guide is not intended as a complete solution for those whose well-being depends on anonymity (whistle-blowers, investigative journalists, etc.), though it may be a worthy supplement to more specific information. This guide is, a), a work in progress and b), not authoritative since i do not claim to be an authority on Firefox, internet security or digital privacy. There are simply too many technologies, options and attack vectors for me to comprehend in something as incredibly complex as the modern web browser.

Though this guide is centered around Firefox, it should also be useful for users of other Gecko-based programs, including the SeaMonkey and Iceweasel browsers, as well as the Mozilla Thunderbird email client and perhaps any others who value their privacy.

The Mozilla Firefox browser is based on the Gecko layout engine and, as with any mainstream browser, it is a very complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, obscure, or even hidden. Change a few settings without knowing what you’re doing and things can go south pretty quick. Poorly coded add-ons can compound the problem, especially when they conflict with one another. Here we will attempt to accomplish our goals in an efficient manner with a minimal dependency upon 3rd party browser add-ons.

There is a huge selection of Firefox add-ons for tweaking privacy and security, some of the most popular of which are Adblock Plus and it’s many derivatives, NoScript, Flashblock, Ghostery, Web of Trust, BetterPrivacy, Lightbeam, Disconnect, Self-Destructing Cookies, Cookies Manager+, Request Policy, Policeman, Bluhell Firewall, RefControl, Smart Referer, HTTPS Everywhere and many, many others. With some possible exceptions, we won’t be using any of these, yet will retain much of the most important functionality offered by most of them with just a few add-ons, along with a plethora of changes to our Firefox configuration.

A bit of a trade-off should be expected as we tighten up on security and privacy insomuch as some websites will cease to function properly until the settings for the affected sites are adjusted. Anyone who has used a content filter such as NoScript will understand that certain resources must be allowed for many websites to function in a way that is acceptable to us. As with NoScript however, the process of allowing these resources with the add-ons suggested herein, usually requires little more than a mouse click or two and a page refresh. Furthermore, once we have visited all of our favorite websites and made the necessary adjustments, our workload will be greatly reduced. Nevertheless, you should be prepared to put a little more effort into your web browsing experience in general and expect the occasional hard-case which will require more fiddling than usual to get a particular site to function properly. The pay-off however is a much cleaner, faster, garbage-free web that is less able to track and profile us as well as a hardened Firefox that is more resistant to attack.

Terminology

AMO: The Mozilla add-ons website.

Browser fingerprinting: A method whereby a web server attempts to uniquely identify your configuration (browser, operating system, etc.) using various methods, including information contained in the HTTP headers, information collected with JavaScript, querying cached data, enumerating installed plug-ins, visited websites, installed languages and more. For more information, see A Primer on Information Theory and Privacy.

Browser storage (web storage: cache, cookies, etc.): The modern web browser is a far more sophisticated tool than most people probably realize. In addition to HTTP cookies and web caching, any modern web browser also allows a web server to store data using local and session storage, indexedDB storage, window.name storage, Etag cache storage and whatever other methods i may not be aware of. If you are concerned about preserving your inherent right to privacy, you have far more to worry about than so-called “cookies” which were once just simple text files.

Crapware: For the purpose of this document, crapware is considered to be code that is included in a browser or browser extension which is not relevant to the functionality users expect. For me, the term crapware encompasses adware, tracking mechanisms and malicious code. Crapware is often added to browser extensions (add-ons) by a marketing company or solo developer for the purpose of monetizing the extension. Crapware can present a significant threat to user privacy and browser security.

CDN: A Content Delivery Network is a service that often hosts reusable content, such as graphics and scripts, which website authors can leverage to make pages load faster. CDNs can also present a threat to our privacy by tracking our web activities.

CSS: Cascading Style Sheets are used to format and beautify website content. CSS itself presents little or no risk to privacy or security so far as i am aware since it is used primarily to apply visual styling to HTML elements, however it can be used for nefarious purposes when combined with a scripting language such as JavaScript.

Domain / Sub-domain / Hostname: For the purposes of this document a domain name and a hostname are interchangeable, both being human-friendly names for a website, such as example.com. A 1st party domain is the website you are currently viewing, (12bytes.org at the moment) while a 3rd party domain could be a web server which supplies content to the 1st party domain. For example, the web page http://example.com/video may include a video that is provided by youtube.com, making youtube.com a 3rd party domain. A sub-domain is a separate part of the main domain. For example, sub.example.com is a sub-domain of example.com.

TLD: Top Level Domain. For example, com is the top level domain in example.com.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are protocols used for sending and receiving data across the Internet. For HTTP, an unsecured, unencrypted connection to the server is established, while a secure, encrypted connection is used with HTTPS. One reason you should be concerned with unencrypted connections is the fact that it is possible for anyone between your computer and the site you are visiting, including your ISP (Internet Service Provider), to eavesdrop on your traffic and discover exactly what websites you are visiting and what you may be doing there. While browser extensions like HTTPS Everywhere will attempt to encrypt your connection whenever possible, some web servers simply do not offer HTTPS. For this reason i will again point out the advantage of using a VPN.

IndexDB (aka “local storage”, “web storage”): The IndexDB API (application programming interface) is somewhat similar to what we once knew as “cookies” before IndexDB was developed. It is a method which websites can leverage to permanently store a very large amounts of data locally, meaning on your computer. The path where this data is stored for Firefox is: /[your Firefox profile folder]/storage/default/. IndexDB data for a particular domain can only be accessed by that domain. If you choose to delete IndexDB data, be aware that some Firefox add-ons use IndexDB to store their settings, including uBlock Origin and uMatrix. The IndexDB objects for extensions is prefixed with moz-extension.

JavaScript (JS): A powerful programming language that is used to run code within the browser. Although JavaScript is used by many websites for legitimate reasons, it can and often is used maliciously to perform a wide variety of attacks against the browser and your privacy.

UI/GUI: A User Interface, also known as a Graphic User Interface, is the graphical portion of a program usually containing various controls, such as buttons, check-boxes and other widgets which allow you to interact with the underlying code. UIs are often referred to as “windows”.

Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.

Prerequisites

Getting Firefox

There are several flavors of Firefox other than the mainstream release, including the Firefox ESR (Extended Support Release) version which is usually an older version that may not contain the latest features, but may be more stable. If you’re running Linux, you may already have Iceweasel installed, which is nearly identical to Mozilla Firefox. Another option is the Firefox Developer Edition which, though i have not tested it with the configuration outlined in this guide, should work fine. Another option is Cyberfox from 8pecxstudios, though, again, i have not tested it with the configuration outlined in this guide. Cyberfox may be more privacy-centric than other versions in that several phone-home features have apparently been gutted, including telemetry, health reporting and possibly the Google “Safe Browsing” feature. One caveat with Cyberfox is that, like Pale Moon, it uses a different format for some of the profile files which requires using a tool to convert your current Firefox profile should you want to import your data. Lastly i would mention Waterfox as it seems to be an excellent, speedy, privacy-centric alternative to the official Mozilla build which i have tested with this guide. As for the many other custom builds of Firefox, a lot of them are not worthwhile and can/will cause problems due to bugs, add-on incompatibilities, etc.. The last time i tried Pale Moon i ran into some problems as well, though that was long ago and so the issues i had may have been resolved so feel free to try it.

Firefox post install cleanup

Some browsers that are based on Firefox may have some extensions, plug-ins and/or search engines preinstalled. Take care to check for this and uninstall or disable any extras that you don’t want. The search engine configuration files are located in the \Mozilla Firefox\browser\searchplugins folder. I highly suggest reading my guides, Opting out of the Firefox / Google / Yahoo partnership and Firefox Search Engine Cautions and Recommendations for more detailed information about how Mozilla monetizes Firefox with the included search engines and what you can do to opt out of this affiliate scheme if you so choose. The latter guide also includes information regarding what Mozilla calls “system extensions” which are essentially hidden from the user, some of which are used for quite nefarious purposes in my opinion, as well as how to get rid of them.

If you have already run Firefox you may notice that it has installed the OpenH264 Video Codec plug-in by Cisco Systems without asking you. Currently this plug-in seems to be used only for the WebRTC feature. If you do not use these features and do not want the browser to load this plug-in, you can delete the \gmp-gmpopenh264 folder in your profile directory along with the all of its contents. To prevent re-installation, make sure the configuration preferences media.gmp-gmpopenh264.enabled and media.gmp-gmpopenh264.autoupdate are both set to false before the browser is restarted (they already are in the user.js file linked to below).

Browser object caching

Browser caching is a disk intensive activity. If you intend to store cache data, i would suggest storing it in system RAM rather than on your hard drive or SSD if you have enough memory available. Even 50 or 100 megabytes of space can help reduce disk workload for websites which you visit often. In addition to minimizing hard drive/SSD wear and tear, your web browser will be able to render revisited pages faster as long the resources for the site are still cached. The settings in the Pants/ghacks user.js file linked to below will accomplish this, so if you do not want to store web cache in RAM, you will need to change these settings accordingly. Note that Firefox requires cache size values to be in kilobytes where 1024 KB = 1 MB.

The user.js file

The primary user.js file we will be using is a result of allot of effort by the ‘ghacks’ guys whose work became rather popular when it was published under the title, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann at ghacks.net. This work is also now published on GitHub which is where we will be getting it from.

The ghacksuserjs/ghacks-user.js user.js file that we want is hosted on GitHub. To download the file, click on the “release” link. Make sure to download the version which corresponds to the major version of Firefox you are running, so if your Firefox version is 51.0.1 for example (51 being the major version), then download version v51 of the user.js file.

Whether you want to use my user.js file in addition to the ghacks one is entirely optional. Note that my user.js depends largely upon the ghacks user.js above and is intended to supplement it, not replace it. Some of my preferences are original and some are copies of those in the ghacks version where i changed their values to suit my own needs. In the latter case i tend to be slightly more relaxed with my privacy and security settings in return for a less problematic web surfing experience. My user.js also contains preferences to enable smooth, dynamic scrolling when using a mouse wheel.

The ghacks crew and i both follow a similar versioning scheme except i add a revision number after the major version number, so where their version might be v51, mine would be v51r1 if it is the first revision, v51r2 for the second revision and so on. If you supplement the ghacks user.js with my own, you will want the latest revision that corresponds to the major version of Firefox that you’re running. How to combine the two files is explained at the top of my user.js.

The necessary (and not so necessary) add-ons

This guide depends heavily upon the following add-ons:

  • uMatrix: You can think of uMatrix as a browser firewall which can block requests to 1st and 3rd party resources such as JavaScript, images, CSS, plug-ins, frames and more. uMatrix works with Firefox, Chrome and Opera and is available on AMO.
  • uBlock Origin: uBlock Origin, by the same developer of uMatrix, is a powerful content filter which works similarly to uMatrix but is tailored to blocking ads. These two excellent extensions compliment each other nicely when they are configured properly. uBlock can use the same filter lists as Adblock Plus for blocking ads, as well as many more which it cannot. There are currently two versions available; the original by Raymond Hill which has been renamed to uBlock Origin, and a fork by Chris Aljoudi which you do not want to use. uBlock Origin is an active project that offers features not found in Chris’ build, which appears to be dead anyway.

The following add-ons are optional, but recommended:

  • Decentraleyes: this add-on helps protect privacy and speeds-up page rendering by loading several common JavaScript resources locally rather than fetching them from a CDN. If you use this add-on, you will need to whitelist several domains in uMatrix. When adding the list of domains, be sure that no block rules exist for the same domains.
  • Load from Cache: similar in principle to, but not the same as Decentraleyes, Load from Cache forces the browser to reuse cached data instead of downloading it again. The two work well together.
  • Clean Links: helps to protect user privacy by striping tracking/garbage parameters from URLs, such as those used by Google Analytics (utm_source, etc.). Unfortunately this add-on was removed from AMO due to an apparent issue with e10s support, but the developer has stated that they may submit a different build to AMO in the future. In the mean time you can get the add-on at GitHub. Neat URL (AMO) is an alternative for removing garbage from links and there are several others on AMO which serve the purpose. Pure URL (AMO) is another.
  • EmbedUpdater: converts the code used to embed Flash video in 3rd party websites so that the HTML5 player is used instead. Most 1st party sites, such as YouTube, already make use of the HTML5 player.

The following add-ons are completely optional:

  • NoScript Security Suite: since uMatrix will be used to block scripts, this functionality is not required from NoScript, though it may add a bit more protection in terms of cross-site request forgeries, click hijacking and possibly other areas. If you use NoScript i would recommend disabling global script blocking and use uMatrix to handle scripts, though you could do it the other way around if you wanted.
  • Cookie Controller: apparently handles cookies, local and session storage, though in a manual and granular way that appears to require significant user interaction. I much prefer to handle browser storage with uMatrix.

For more possibilities regarding add-ons, see my article Firefox Extensions: My Picks. as well as the Scripts section of the ghacksuserjs wiki.

If you’re running Windows (shame on you) and want to unpack an add-on to have a look at the code, you can use 7-Zip. I believe the built-in Windows archive utility can unpack .xpi files also, though you may have to add the .zip extension.

Automatic add-on updates

Regarding automatic add-on updates, they are disabled in the user.js file that is linked to below and i would highly suggest keeping them disabled. Automatic checking for updates may be enabled in the ghacks user.js by the time you read this and that’s fine, however the problem with automatic add-on updates is that developers may, at any time and without warning, partner with or sell their work to a 3rd party which often results in added code to monetize the add-on at the cost of your privacy. Examples of some very popular Firefox add-ons which contain such crapware are Abduction, a screen capture utility, Quick Locale Switcher, a language switcher, FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn’t, BlockSite, a content blocker, Google’s Search By Image, a reverse image search utility, and many others. Not all of these extensions contained crapware when they were first developed which is why i strongly suggest keeping automatic add-on updates disabled and reading the change logs and privacy policies carefully each time an add-on update is available.

For peace of mind, you can also search your prefs.js file for all instances of “http” and check what the URLs are used for. If you want to disable the functionality you can simply add the preference to your user.js file and replace the URL with “”, or localhost, or you could point the URL to localhost in your HOSTS file.

Backup your current profile

Before you make any changes, be sure to back-up your current Firefox profile (click here to find it if you don’t already know). The easiest way to do this is to simply to select your profile folder inside the /Firefox folder, press Ctrl+C to copy it, then Ctrl+V to paste it in the same place with a different name. I might suggest keeping the original name and just appending .bak to the copy. Next, delete your current user.js file if you have one in your profile folder, but keep the one in your backup profile.

Editing the user.js file

If you do not have a comprehensive understanding of the the user.js file that is used by Firefox, i highly suggest reading this wiki article at GitHub.

We will be changing many Firefox preferences and storing them in a custom user.js file. You should always use this file to add, remove or change settings that you want to keep across sessions instead of editing the prefs.js file or using about:config. If you’re running Windows i would suggest using a quality text/code editor that has syntax highlighting such as Notepad++ or PSPad (the latter being a little simpler to use) for editing code. Linux users will likely already have something suitable installed, like Kate.

Build your new user.js file by starting with the ghacks file and then, if you want to use my settings also, simply append the code from my user.js to theirs. If you already have a user.js file you will want to be sure to address any preferences which may be duplicated in your new user.js file in order to avoid unexpected results.

!!! IMPORTANT !!!

Please read through this section in its entirety before making any changes in order to gain an understanding of exactly what we will be doing and how to revert those changes should it be necessary.

Because my user.js file is updated frequently and i wish to avoid the hassle of editing these settings for public consumption each time i update it, the settings in it are a direct copy of both the ghacks user.js and my personal settings. You should therefore read all of the comments in these files and review each of these settings carefully as it is very likely that you will want to change some of them. See below for my advice on how to edit the existing settings, as well as adding your own.

In the user.js file(s) you downloaded, you will notice the presence of a bogus preferences, _user.js.parrot, that the ghacks boys and i insert at the beginning of each section of our preferences. Firefox reads the user.js file from the top down and, if it encounters a syntax error, it will ignore everything following that error which could present a serious risk to those concerned with privacy and security. Not good! To make it easy to discover whether Firefox loaded all of the preferences successfully, these bogus preferences, which Firefox essentially ignores, are used for troubleshooting (this will be explained later).

If you want to make changes to your new user.js file, such as incorporating settings from your old one, or change anything else in it, i highly recommend appending all of your changes to the end of the file in your own custom section instead of editing the settings throughout the file. You will find an example section has already been created at the end of my user.js file for you to place your personal preferences. There is a very good reason why i suggest placing your preferences at the end of the file. Again, these user.js files are updated frequently and therefore it will be vastly easier to simply delete the contents of the old file, with the exception of your personal settings which you appended to the end of it, and copy and paste the contents of the new files above your personal preferences. This avoids the headache of having to sift through the entire file trying to remember and reset everything you changed prior.

Making changes to your user.js file is easy to do. For example, the value for the preference  browser.tabs.warnOnClose might be ‘false‘ and you might want to change it to ‘true‘ to have Firefox warn you when you try to close it with multiple tabs still open. The best way to accomplish this is to copy that line of code, user_pref("browser.tabs.warnOnClose", felse);, and paste it at the end of the file in your own personal preferences section where you would then change ‘false‘ to ‘true‘. Having duplicate preferences with different values is not a problem since Firefox will use the value of the last one it reads, thus why you need to place your personal settings at the end of the file.

At this point it is important to read all of the comments and review each of the settings in your new user.js file to be sure each preference is configured the way you want, preferably before you start Firefox. As stated above, any preferences you want to change should be copied to your personal preferences section at the end of the file where you will then make the change to the preference value. Note that if you comment out or delete a setting after having run Firefox, that setting will remain active because it will have been copied to the prefs.js file, so if you want to comment out or remove something from your new user.js file, you should do so before starting Firefox. If you delete or comment out a setting after you have run Firefox, simply enter about:config in the Firefox address bar, find the preference, right click it and click “Reset”. The preference and/or value will then be deleted. This only need be done if you remove or comment out a preference and is not necessary when simply changing their values.

Once you are finished editing your new user.js file, simply drop it in your profile folder alongside prefs.js and start Firefox.

Verifying the integrity of your user.js file

This integrity check should be performed every time you edit or update your user.js file.

When you run Firefox for the first time after making any changes to your user.js file, the first thing you should do is check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference (it will likely be the very first preference listed). If you are using only the ghacks file and have not added anything more to it, then the value should be “SUCCESS: No no he's not dead, he's, he's restin'!“. If you have appended my user.js to the ghacks file and have not added anything more, then the value should be “12bytes.org settings loaded” If you have added anything to the file in your personal preferences section at the bottom, and regardless of which user.js you are using, the value should be whatever you set it to, such as “user settings loaded“. An example troubleshooting preference and further instructions are contained in my user.js.

If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section the syntax error lies. It will not tell you on which line the problem exists, but at least you will know in which section to begin looking. Some common mistakes (at least that i have made) are forgetting to end a line with a semi-colon, forgetting a bracket, a quote character or comma, a typo in user_pref, forgetting to put string values in quotes, or mistakenly putting quotes around integer or boolean values.

Updating the user.js file

If you want to keep up with the latest and greatest version of the user.js files that are published, you might want to subscribe to the following news feeds:

Before updating your user.js, be sure the ones you download correspond to the version of Firefox you are using as described earlier. If you followed my advice and located your personal preferences at the end of the file in your own personal preferences section, then your job should be very easy. All you need to do is:

  1. backup your current profile (might want to dump your old backup if you were happy with the way Firefox was working)
  2. open your current user.js and delete everything above your personal preferences section if you created one
  3. copy everything from the new file(s) and paste it above your personal preferences section, being sure to paste the ghacks code first and then mine under theirs but above yours
  4. check the change logs for the new user.js files so you can determine whether you need to change anything in your personal preferences section
  5. start Firefox and check the value for the troubleshooting preference as described in the ‘Verifying the integrity of user.js‘ section above

Removing system add-ons

Mozilla forcefully and without consent installs and then essentially hides from the user several so-called “system add-ons”, some of which are used to push browser updates and others which are used specifically to gain an insight as to how you use the default search engine plugins that are packaged with the browser. I would highly suggest disabling or deleting those which you decide present a risk to your privacy. You can learn how to deal with these system add-ons by refering to the Removing the ‘Follow On Search’ system add-on section of the article Firefox Search Engine Cautions and Recommendations.

Sanitizing the default search engine plugins

Every time you preform a search using one of the search engines Mozilla has partnered with, apparently regardless of whether you search using the search bar or the search engine web page directly, Firefox is collecting data about your habits. To circumvent this risk to your privacy, please read the article Firefox Search Engine Cautions and Recommendations.

Add-on configuration

Between the features offered by Firefox, uMatrix and uBlock Origin, we have some overlapping functionality and it is therefore necessary to configure our settings with this in mind. Let’s start with uMatrix since this is probably the most important add-on of them all…

uMatrix

We will be using uMatrix as a browser firewall to block entire domains and specific resources (cookies, CSS, images, plug-in enumeration, JavaScript, XHR, frames and ‘other’ requests) from both 1st and 3rd party domains, while uBlock Origin will handle the advertising, annoyance and malware site blocking.

uMatrix configuration

In the upper-left corner of the uMatrix main interface there is a blue or black block and it is imperative that you understand how it is used. Clicking this block sets the scope of the filter rules. When the block is set to an asterisk with a black background, any filter rules you set will be applied in the global scope. In other words, any filter rules you set will be applied to all websites and not just the one you happen to be visiting. If you select any other scope, then you are working in a local scope and any filter rules you set will be applied only for that scope. For example, if we visit addons.mozilla.org, we will have a choice to apply filtering at the global scope level, or for the subdomain addons.mozilla.org only, or the root domain of mozilla.org which includes all subdomains (addons.mozilla.org, etc.). Just to be perfectly clear, if you set the scope to the root domain — mozilla.org in our example — then any rules you set will be applied to the root domain and all subdomains. In many cases websites still prefix their root domain with “www.” and this is actually a subdomain of the root domain. How you set the scope of uMatrix in such instances depends entirely upon what filtering you want to apply where. For instance you may visit some website, let’s say subdomain.example.com, and you want to allow JS for the subdomain but not the root domain (example.com). In this case you would set the scope to subdomain.example.com. On the other hand, maybe you want to allow JS for the entire domain in which case you would set the scope to the root domain.

uMatrix - Setting the filter scope
Setting the filter scope

IMPORTANT: Always keep in mind the scope you are working within before applying any filter rules.

By default uMatrix allows very little, so even images and CSS will not be loaded for any website. As a matter of convenience you may want to allow both images and CSS in the global scope so we don’t have to create filter rules for nearly every single site we visit. Other than the scope block, most of the rest of the blocks are divided into an upper and lower half. Clicking the upper half will allow the resource for a domain by changing its color to green, while clicking the lower half will disallow the resource, changing its color to red.

To allow CSS and images for all websites by default, set the scope to the global scope and click the top half of the “css” and “image” filter blocks in the “all” row:

uMatrix Global Scope Rules
Setting filter rules in the global scope

Once you are finished, don’t forget to click the padlock icon to save the changes:

uMatrix - Saving changes
Saving temporary changes to the filter rules

The last filter i would suggest creating in the uMatrix main interface will block IndexDB storage globally. This is an ongoing battle at the time of this writing (end of Sep., beginning of Oct., 2017) because of the transition to the WebExtension API, Firefox v55 stupidity (and possibly v56), large changes in the upcoming Firefox v57, the transition to WebExtensions, etc.. In short, there are multiple issues at this time and there doesn’t seem to be any good alternative to automate the removal of IndexDB storage per domain after its tab is closed and so you may want to use uMatrix to block IndexDB storage globally. This is easy enough to accomplish by setting the “other” filter in the “all” column to red while in the global scope. The problem here is that, if you visit a website that uses local storage, like youtube.com, you may not see any populated blocks under the “other” column in uMatrix for youtube.com, leaving you to assume that there is nothing to block when, in fact, there is. Keep this in mind when you visit a website that doesn’t work properly and try toggling the “other” filter in the “1st-party” row for that domain and see if that solves the problem.

You can verify (and i suggest you do) that IndexDB storage is being blocked by watching the contents of the /storage/default folder in your Firefox profile folder before and after you visit YouTube (make sure to delete any YouTube storage items in /default prior).

Next, open the uMatrix Dashboard by clicking the black title bar at the top of the main interface and we’ll configure some more settings:

uMatrix Dashboard
Opening the uMatrix Dashboard

Following are my recommendations for the more important settings for each tab:

Dashboard > Settings > Privacy:

[x] Delete blocked cookies
[x] Delete non-blocked session cookies 15 minutes after the last time they have been used
[x] Delete local storage content set by blocked hostnames
[x] Clear browser cache every 90 minutes (adjust as necessary)
[x] Spoof HTTP referrer string of third-party requests
[x] Strict HTTPS: forbid mixed content (you may have to disable this if you have trouble with encrypted (HTTPS) sites
[x] Block all hyperlink auditing attempts
[  ] Spoof User-Agent string by randomly picking a new one below every minutes (not recommended – see section 4700 of the ghacks custom user.js file to understand why)

Dashboard > Settings > My rules:

The default rules will suffice unless you are using the Decentraleyes add-on in which case you need to add the filter rules supplied here under where is says “If you’re using uMatrix, […]”. Decentraleyes will not work properly otherwise.

Dashboard > Settings > Hosts files:

No filter sets are enabled here since all 3rd party filters are handled by uBlock Origin which has many more options in this regard. If you choose not to use uBlock however, then you should probably enable some or all of these.

With the configuration of our global scope settings for uMatrix complete, you will find that many websites will no longer function or display properly and therefore you will need to configure the local scope settings for these sites. While this may be a nuisance, the up-side is that you will be far better protected against browser tracking, fingerprinting, malware and other attacks and once you have set the rules for your favorite sites, you usually won’t have to fool with them again.

uMatrix usage

Make sure to read the manual to learn how to properly use uMatrix! And once again, always make sure you are aware of what scope you are working in before applying filter rules. Remember: if you have the global scope selected (the upper-left box is an asterisk as shown earlier), then any rules you create will affect all websites, whereas if the scope is set to the current domain or subdomain, then the rules will affect either the entire domain or just a subdomain of the root domain, depending on what scope you have selected.

Any changes you make to the filter rules using the main interface are temporary. To make your changes permanent you must click the lock icon. If you make multiple changes to multiple domains and you click the lock icon, only the changes for the current scope (the domain being visited) will be saved.

Typically when i visit a website that isn’t displaying or working correctly, i open the uMatrix main interface and see what resources the website is using. In the example below, stats.searx.oe5tpo.com is using JS. It is up to me if and at what scope i want to allow JS to run. If i never, or rarely visit this site, and i trust it, then i might temporarily enable JS for the subdomain stats.searx.oe5tpo.com only and refresh the page without ever saving my changes. On the other hand, if this is a site i visit often, i may want to allow JS for the root domain as well, in which case i would enable JS for the root domain by clicking where my mouse cursor appears in the image below, after which i would save my changes by clicking the lock icon.

uMatrix - Filter Scopes
Setting filters for different scopes

Another little trick to using uMatrix is to choose how much information is displayed in the main interface. By default, only root domains are displayed (12bytes.org, 1dmp.io and postimage.org in this instance). If you want to display the subdomains as well so you can make even more granular rules, then find that little drop-down arrow in the “all” cell and click it…

uMatrix - Show root domains only
Showing only the root domains

…and now both the root and subdomains will be displayed:

uMatrix - Show Subdomains
Show the root and subdomains

uBlock Origin

uBlock Origin is a powerful content filter which can be used to prevent the loading of resources, or hide page elements when load blocking is not possible. While uBlock Origin can block in-line, 1st party and 3rd party JavaScript, ads, images, frames, remote fonts and more, we will be using it primarily for ad blocking, tracking and malware blocking. uBlock can use all of the same filter lists as Adblock Plus/Edge plus many others. It also features a wizard for easy element hiding and a network request logger which is invaluable for troubleshooting when a website does not display and/or function properly.

Because uBlock filters unwanted content (ads), websites will generally load much faster while still retaining all the functionality we require once the rules are configured properly for each site.

uBlock Origin configuration

Once the uBlock icon is on your tool-bar, click it to reveal the main interface, then click the settings icon to reveal the Dashboard:

uBlock Origin - Main Interface
uBlock Origin – Main interface
uBlock Origin - Settings
uBlock Origin – Settings

Following are my recommendations for the more important settings for each tab:

Dashboard > Settings > Privacy:

All options in this section are enabled

Dashboard > Settings > Default behaivor:

[x] Block remote fonts

All other options on the Settings tab are optional

Dashboard > 3rd-party filters:

[x] Auto-update filter lists
[x] My filters​​​​​
[x] uBlock filters​

Dashboard > 3rd-party filters > Ads:

[x] EasyList

Dashboard > 3rd-party filters > Privacy:

All options in this section are enabled

Dashboard > 3rd-party filters > Malware domains:

[x] Malvertising filter list by Disconnect​​​​​​​
[x] Malware Domain List​​​​​​​
[x] Malware domains​​​
[x] Malware filter list by Disconnect​​​​​

Dashboard > 3rd-party filters > Social:

[x] Fanboy’s Anti-Thirdparty Social

Dashboard > 3rd-party filters > Multipurpose:

[x] Dan Pollock’s hosts file​​​​​
[x] hpHosts’ Ad and tracking servers​​​
[x] MVPS HOSTS​​​
[x] Peter Lowe’s Ad and tracking server list​

Dashboard > 3rd-party filters > Custom:

Here you can add custom filter lists to uBlock. At this time i have only one filter and it is used to block cryptocurrency miner scripts running on websites you visit. You can find the source for this filter list on the hoshsadiq / adblock-nocoin-list repository on GitHub. Simply copy and paste the following code in the Custom box and click the “Apply Changes” button:

https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt

Note that we are not enabling the “I am an advanced user” option since all dynamic filtering will be handled by uMatrix.

For the “My filters” tab, i have added a few filters which override any exception filters that may be used in the 3rd party filter lists because i want to be sure they are always blocked. This is by no means an extensive list:

! override exceptions in existing filter sets - see: https://github.com/chrisaljoudi/uBlock/wiki/Privacy-stuff
||google-analytics.com^$important
||platform.twitter.com/widgets.js$third-party
||gravatar.com^$third-party
||doubleclick.net^$important
||adserver.yahoo.com^$important

The “My rules” tab is empty since we are using uMatrix to create our filter rules.

All other settings for the remaining tabs can remain at their defaults.

uBlock Origin usage

We are not using the advanced dynamic blocking features of uBlock Origin since this functionality is being handled by uMatrix. As such, there is basically nothing to configure or adjust after the initial setup, other than possibly disabling uBlock Origin for those websites where you do not want it to run and allowing remote fonts for sites where you want remote fonts to be displayed. Disabling uBlock for a given domain is done by simply clicking the big blue power button on the main interface. Allowing remote fonts for a domain is done by clicking the “A” icon in the lower right of the main interface. Both of these settings will be saved and remembered across browser sessions.

Please refer to the uBlock Origin wiki to better learn how to use its many features.

Clean Links configuration

You can enable all of the options, though some will be ignored when running when the Event Delegation Mode is enabled. While i prefer to have Clean Links rewrite and highlight links in real time, the developer has stated that the code for accomplishing this is old and unmaintained, therefore i personally use the Event Delegation Mode.

Securing DNS traffic

The Domain Name System (DNS) is an infrastructure which uses DNS resolvers to convert human-friendly domain names (12bytes.org) to IP addresses (143.95.38.204) which are used by the computers that route internet traffic. The problem with DNS is that this traffic is not encrypted or secured and is therefore open to various attacks. To help secure your DNS traffic, please read my guide, Encrypting DNS Traffic (and why you want to). Another option, and perhaps an even better one, is to use a Virtual Private Network provider (VPN) which provides a DNS service, such as AirVPN which i use myself. In this case, assuming everything is configured correctly, all of your internet traffic is encrypted and your real IP address is not revealed.

Testing your configuration

To test your configuration, see the Appendix C: Test Sites section of the ‘ghacksuserjs’ wiki.

Troubleshooting

General: Both uMatrix and uBlock Origin have the ability to log network requests, similar to how a firewall log might work. This can be a great help when troubleshooting website display or functionality issues. On the uMatrix main interface you will notice a tiny ‘window’ icon that can be clicked to reveal the network request log. See the Logger documentation to learn how to use this feature.

Website does not display correctly, uMatrix: Check that content is allowed for the domain, as well as other domains which supply content to it.

Problems making a purchase, Firefox: make sure to allow 1st party cookies. uMatrix: Check that the necessary functionality is temporarily allowed for the 1st party domain (typically JavaScript, cookies, XHR), as well as any other content that may be needed which is supplied by 3rd party domains. If you are forwarded to a payment gateway such as PayPal during the transaction, make sure that the necessary functionality is allowed for the payment gateway domain as well as any 3rd party resources it may require.

Further reading on 12bytes.org

References and resources

Revision history

Click to expand...

11-APR-2015

  • first publishing

14-APR-2015

  • removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • various other edits and corrections.

15-APR-2015

  • updated user.js file
  • several other small updates and a few corrections

16-APR-2015

  • updated user.js file
  • switched uBlock versions since a new fork was created
  • updated uBlock images and documentation
  • added a “Current notices” section
  • misc. other corrections/updates/edits

17-APR-2015

  • updated and added more information for uBlock
  • updated one HTTP UserAgent cleaner screen-shot
  • misc. other corrections/updates/edits

18-APR-2015

  • updated HTTP UserAgent cleaner information
  • for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.

22-APR-2015

  • updated information for HTTP UserAgent cleaner
  • updated user.js file
  • minor updates to uBlock information
  • misc. other minor changes

23-APR-2015

  • updated some HTTP UserAgent cleaner information
  • deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • misc. other minor changes

25-APR-2015

  • updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • updated the user.js file
  • updated some definitions of terms used in this document
  • added some more resources

26-APR-2015

  • updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner

2-MAY-2015

  • updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a

3-MAY-2015

  • added Pure URL as a suggested add-on
  • updated contents of the user.js file
  • added and edited some information for HTTP UserAgent cleaner
  • added more resources in the References section

5-MAY-2015

  • updated list of recommended filters for uBlock
  • updated user.js file contents

13-MAY-2015

  • updated user.js file contents
  • updated a few settings recommendations for HTTP UserAgent cleaner

14-MAY-2015

  • minor updates to user.js file contents

17-MAY-2015

  • added information for securing DNS traffic
  • misc. minor updates

5-JUN-2015

  • switched to Raymond Hill’s version of uBlock
  • updated uBlock filter information
  • added Fetch information for new version of HTTP UserAgent cleaner
  • updated user.js file contents
  • misc. minor updates

25-JUN-2015

  • updated uBlock settings to match the current development version (0.9.9.2)
  • misc. minor updates

8-JUL-2015

  • removed HTTP UserAgent cleaner since it is no longer being developed
  • removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • added uMatrix

9-JUL-2015

  • added more info for uMatrix and IP Config test results
  • updated user.js file contents
  • various other edits

13-JUL-2015

  • Minor edits for uMatrix usage text

20-AUG-2015

  • updated user.js file
  • removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it

5-FEB-2016

  • updated user.js file contents

12-FEB-2016

  • updated user.js file contents

29-APR-2016

  • updated guide information
  • updated user.js file and added a revision history to the file

1-MAY-2016

  • updated user.js file

12-MAY-2016

  • updated user.js file
  • minor grammar/spelling corrections

3-JUN-2016

  • corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored

17-JUN-2016

  • set ‘browser.fixup.hide_user_pass’ back to its default value
  • added ‘network.http.redirection-limit’

23-JUN-2016

  • added some basic information for configuring the Clean Links add-on

1-JUL-2016

  • corrected ‘plugin.scan.*’ values to be strings
  • added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems

3-JUL-2016

  • changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading – a huge thanks to commenter ‘Pants’ for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, ‘Pants’ is the author of the user.js config file used in the ghacks article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i’m very glad to have his input here)

16-SEP-2016

  • removed duplicate preferences in use.js file (see change-log in the file for details)

28-SEP-2016

  • removed Extension Defender from the list of recommended add-ons since it’s home page is gone and the code hasn’t been updated in two years
  • updated user.js file

18-FEB-2017

  • switched to using Pants’ config v0.11 and mostly just appending my settings to the end of his – because this is a major update, no history of changes to individual preferences will be published

19-FEB-2017

  • published my user.js on GitHub which was forked from Pants’ code
  • removed my user.js code from this page and linked to it on the GitHub page instead
  • changed my versioning scheme to match Pants’ where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
  • updated user.js to include v51 of Pants’ config – no preference changes so far as i know, just added/removed/changed comments
  • updated text in user.js section to account for the new changes
  • changes to comments and troubleshooting preference names and values, other minor changes

20-FEB-2017

  • updated user.js to version 51r2 – see the GitHub page for the change-log
  • updated info here regarding the user custom preferences section of user.js

12-MAR-2017

  • deleted the GitHub repository which i forked from Pants’ ghacks repository and created a new repository which does not include his code
  • some changes to user.js
  • some major editing of this document mostly in regard to the creation and changes of the GitHub repositories

17-SEP-2017

  • rewrote and updated much of the content pertaining to umatrix
  • added section “Removing system add-ons”
  • added section “Sanitizing the default search engine plugins”

22-SEP-2017

  • i didn’t keep track of all the changes and many were made – you’ll have to re-read the guide :)

27-SEP-2017

  • added section “A special note about cryptocurrency miners”

30-SEP-2017

  • added more info about IndexDB storage in the “Terminology” and “uMatrix configuration” sections.

164 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs

    1. the ghacks user.js is constantly updated and i update my user.js as needed

      as far as the rest of the guide, yeah, i will update it at some point – subscribe to the RSS feed if you want to be informed of updates

  1. I want to use your user.js file in Thunderbird 52. Do I have to change anything in your user.js file in order for it to work in Thunderbird 52, such as any setting in your user.js file not related or not used by Thunderbird 52? Thanks!

    1. Thunderbird is a whole new ball game – if you want to adapt the FF user.js to fit Thunderbird, you might want to compare all the preferences to see which ones exist in Thunderbird and then adjust accordingly – essentially you’d have to start all over i think

  2. One last question please: is there a way to add exceptions of ‘block pop-up windows’ (I hope it’s the right translation)
    Options > Content.

    1. you’ll need to troubleshoot this yourself – this is the problem with hardening software; it often comes at a cost

      all i could do is the same thing you can do yourself, which is essentially backing up your user.js and creating a new, blank one – paste about 1/2 the code from your backup to the new one, then try the site again – if it’s still broke, then you know the problem is with the code you pasted, so you begin the process of elimination – if it’s not broken, then you know the problem is in the other half

      see here: https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.4:-Troubleshooting

      1. Yes I understand. Trial and error ;-)
        By the way the user.js overwritten the pref.js . I always closed FF before applying and removing my custom user.js.
        I don’t know how it happened…
        Thanks.

        1. By the way the user.js overwritten the pref.js

          if i understand you correctly, you’re saying the user.js overwrote the prefs.js? that’s normal – any code you add to the user.js will be imported to the prefs.js – keep this in mind when you remove something from user.js; whatever you remove will still be present in prefs.js, so you need to remove it there also

  3. Another question. Here is my user.js: https://paste.ee/p/SFIGV
    “browser.tabs.loadInBackground” is set to:
    1. true in the default file
    2. false in your customizations
    3. true in mines
    After restarting FF the value is false. I thought FF takes the latest config in case of duplicates.
    Any idea? Thanks.

    1. you missing a troubleshooting pref before and after your code – once you get that in there, check it for errors – i explain how to use this pref in my user.js

    2. The problem is nothing to do with parrot internal prefs. The cause prefs stopped loading is because you have a syntax error, which does not exist in 12bytes, but does in your paste – on approx line 1700 (different browsers will count the lines differently)

      user_pref(“browser.tabs.warnOnOpen”, false); // disable warning when opening too many tabs
      */

      /*
      * === 12BYTES.ORG MISC ===
      */ <— this! Who put that there? What is it closing? Nothing

      user_pref("ghacks_user.js.parrot", "syntax error @ 12BYTES.ORG MISC");

      1. godamn ^^ ignore that I picked on the wrong line, this resizable comment box doesn’t resize

        user_pref(“browser.tabs.warnOnOpen”, false); // disable warning when opening too many tabs
        */ <— this! Who put that there? What is it closing? Nothing

        /*
        * === 12BYTES.ORG MISC ===
        */ <— this is fine

        user_pref("ghacks_user.js.parrot", "syntax error @ 12BYTES.ORG MISC");

  4. Something happened with the email notifications of this thread. The ‘Click here here to read the rest’ button no longer links to the precise comment it prompts about. Instead it just links to the OP @ http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs which missed the point of the email notification altogether. It did use to be like that. The ‘Click here here to read the rest’ button linked to the precise comment made, and that is no longer the case. Noticed this issue in the last few weeks and it wasn’t there prior to that.

    1. thanks much for reporting this – there was an update to the comment notifier plugin and i think it’s got a few bugs – i opened a support request, so hopefully this will be resolved shortly

      in the mean time, you can copy the comment excerpt in the email, click the link, and Ctrl+F and paste the excerpt to quickly locate the comment

          1. I was a bit wary when I said that cos I though it might trigger negative response but to be clear – had nothing bad in mind :) – if it’s 10 billion pixels tall, so be it. The point it that your effort (any anyone who contributed) with this project is completely gr8 and in the right direciton!

                1. seen this yesterday – was waiting for someone else to confirm it :)

                  funny thing is, the link is accurate – if you stick your cursor in the address bar and hit ‘enter’ it works as it should, however if you F5 (refresh) it goes to the bottom

                  i’ll see what i can do

                  1. Yeah, the link itself is absolutely correct. However, when you open the link from the notification email it displays wrong. That is, it’s only when you are redirected to the link from another client that it displays wrong. Tried only in PM, not other browsers. Also, tried opening the link in the email both from Outlook 2010 client and from the web-interface @ http://www.live.com – both times fail. As to refreshing and reloading – once you hit the email link and it takes you to the bottom of the page neither f5, nor the reload button on the browser, nor Alt+D followed by Alt+Enter (to reopen in new tab) help. The only thing that helps is as you said – stick your cursor in the address bar and hit ‘enter’. Once you’ve done that both f5 and the browser’s reload button do NOT revert you back to the bottom of the page but instead display the page correctly.

                    An easier alternative to your ‘stick your cursor in the address bar and hit ‘enter’’ is to hit Alt+D and then Enter (not Alt+Enter as that would reopen in new tab, and as I said that doesn’t work for some odd reason).

Leave a Reply

Your email address will not be published. Required fields are marked *