Following are some questions i’ve been asked regarding the hardening of the Firefox web browser as outlined in the guides, The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.
Note that most answers given assume you have followed one of the aforementioned guides or otherwise incorporated the ‘ghacks’ user.js (or similar) for Firefox along with the suggested extensions and other advice provided in their wiki.
If you’re looking for an answer to a particular question, try Ctrl + F.
- CSP: Content Security Policy (see this)
- ESR: Extended Support Release
- FPI: First Party Isolation
- IDB: IndexedDB
- PB: Private Browsing
- RFP: Resist Fingerprinting
A: I think i’ve been asked this question more than any other. The tl;dr answer is: don’t bother with any 3rd party build, the Tor browser being the only exception.
I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there’s several key reasons for not using a 3rd party build/fork of Firefox, be it Waterfox, Pale Moon, etc.. The only exception is the Tor Browser. What follows is a compilation of ‘pants’ thoughts and my own after i brought up Waterfox in conversation, which i was using at the time.
Our web browser is perhaps the most important piece of software we use since it’s our primary gateway to the www and all the attack vectors that go with connecting to the Wide Area Network. Trusting the integrity of something as crucial and deeply complex as a web browser (currently more than 20 million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers (except for Pale Moon which i’ll get to), but their work does indeed lag behind Mozilla, sometimes by many months, plus they simply don’t have the technical resources at their disposal that Mozilla does. Pale Moon in particular has been obsolete for years and their decision to support legacy code and extensions is simply irresponsible in my opinion because they are subjecting their followers to potentially crucial vulnerabilities.
Lastly, there is little or nothing one can achieve with regard to privacy that you can’t with Mozilla’s Firefox, it just takes a bit more tweaking.
A: It seems a lot of people ask these questions about these very important add-ons. Although they perform similar functions in that they essentially filter content much like a software firewall, the developer attempts to target two different audiences, plus they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.
Both can be used together, but because there is overlapping functionality they need to be properly configured to work together efficiently. If you’ve followed the The Firefox Privacy Guide For Dummies! only uBlock is used whereas both are used in the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.
At one time there was only a single extension and i think the developer unnecessarily complicated matters when he split it, thus creating two extensions with a lot of overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for many users, while uM is targeted toward advanced users only. In practice however i find uM easier to use than uBO in it’s advanced mode. Q: What do you think about browser compartmentalization as suggested in this article, Incognito mode won’t keep your browsing private. Do this instead? What do you think about using Firefox Quantum for everyday use and Firefox ESR for accounts?
A: I think Michael’s advice to use multiple browsers for different tasks is unnecessary. If one is that privacy conscience (or paranoid), then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).
What Michael calls “incognito mode” is “private browsing” mode in Firefox and he’s right; PB isn’t a complete solution to prevent tracking, leaking, etc., however there is a whole lot more going on in Firefox when you employ the ‘ghacks’ user.js and suggested add-ons than just PB mode, one of them being First Party Isolation which isolates one domain (think Facebook) from being able to track you across other domains. Another defense against tracking and fingerprinting that is enabled in the ‘ghacks’ user.js is resistance to browser fingerprinting (RFP). Add to that uBlock Origin and some of its filter lists options and/or uMatrix and the isolation becomes even more complete.
It boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use Firefox and one profile for almost everything and then i’ll spin up a new default profile if i have trouble with a website which happens occasionally when making a purchase or when i need to troubleshoot a problem with a preference or extension. Note however that i do not do online banking, nor am i a member of any of the mainstream social behavioral modification websites, aka “social media”.
Regarding purchases and banking, there’s obviously not much reason to hide when you’re providing accurate personal information, but creating a new and disposable profile is certainly not a bad idea.
A: There is very little advantage to using containers over FPI (
privacy.firstparty.isolate). I don’t use PB or containers at all because i think they’re largely unnecessary given my configuration and requirements. The best container add-on i know of is Temporary Containers and i don’t care for it because of its complexity and the fiddling it requires, plus it needs to be used with yet another add-on, Firefox Multi-Account Containers, to make using containers more transparent. FPI covers largely, though not quite exactly, what TC accomplishes and does so in a way that is far more transparent to the user. That said, if you still want to use the Temporary Containers add-on, then one profile is enough.
Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging-on and then back to the original domain. In this case the Site Bleacher add-on can break logons because it will auto-delete storage for the first domain as soon as you are forwarded to the second. One way to circumvent this is to whitelist the first domain in Site Bleacher. Another is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded. One website that uses cross-domain login is addons.mozilla.org. If you click the ‘Log in’ link, you’ll be forwarded to accounts.firefox.com and then back to addons.mozilla.org where you’ll find that, even if you have allowed cookies and JS for both domains, the logon will fail if you have Site Bleacher installed without using one of the aforementioned workarounds.
privacy. (FPI) can also break cross-domain logons (Disqus being one apparently), however FPI is such an important item that disabling it in your primary Firefox profile should be avoided at all cost unless containers are used. Instead i would suggest creating a new profile for the affected website(s) or, if that’s not feasible, consider disabling FPI and using containers instead.
A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you’re going to look somewhat unique.
Unless you’re using the Tor browser in its default configuration with no additional extensions installed, i’m not sure it’s possible to prevent fingerprinting entirely at this point.
Lastly, i don’t pretend to understand all the details of RFP as a lot of it is very technical and over my head. It is also incomplete at this time, but much has been done.
A: Don’t think of fingerprinting as being something that’s global or permanent. If you mess up and enable JS on a site where you didn’t want to for example, you can ignore the error as long as you’re using the ‘ghacks’ user.js and recommended and properly configured extensions. As a precaution you can dump your entire history, including cookies, but there shouldn’t be a need to create a new profile. Remember that FPI isolates nearly all website storage on a per-domain basis, so storage set by one domain cannot be accessed by another. Furthermore, if you’re using the Site Bleacher add-on, most storage is automatically dumped as soon as you leave the domain.
Lastly, your browser will be fingerprinted. The question is, how unique is that fingerprint.
A: I can’t offer intelligent advice regarding the Tor network because i’m simply not knowledgeable enough. That said, i’ll offer my personal thoughts at this particular time which is simply that i don’t trust it and that lack of trust is the result, in part, of reading horror stories about some of the people that are or were involved in the project and leaked emails between them and the MIB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown. Also Tor is funded in part by U.S. government agencies who use it to communicate secretly. So why is Tor free, open source and open to the public then you ask? My understanding is that the more people that use it, the more “noise” in the system, thus the harder it is for someone to identify who’s communicating with whom.
As for the web browser the Tor project recommends, it’s a hardened fork of Mozilla Firefox and some of what has been learned is being ported to Firefox as part of the Tor Uplift Project.
On the user end, i personally think Tor is limiting and annoying because you’re not supposed to use any browser extensions (uniformity among users is crucial), so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive gaming is out of the question and they also advise against torrenting. Even watching hi-def videos can be problematic.
Then there’s the question of who’s running exit nodes and what damage they can do (anyone can run an exit node, including the NSA, etc.). Tor advocates have an answer for almost everything, but they don’t convince me. That said, you cannot fully trust any VPN either, so take your pick (but do pick one). That said, using Tor and the Tor Browser is entirely free and Snowden promotes it, so what do i know.
The other thing to consider is who your foe is because the needs of a whistleblower or a journalist who is at risk of physical harm or career suicide are probably very different than the needs of the casual surfer. If it’s your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you’re worried about, then a good VPN should be enough. If it is the 3-letter “intelligence” agencies that concern you, well, good luck because hiding from them for any length of time might just be somewhere between difficult and impossible. The way we write and form sentences alone is enough to fingerprint us, then there’s technologies like Intel’s and AMD’s backdoors in virtually all of their processors, the baseband OS running in every phone, etc..
A: Firefox is getting better at protecting against fingerprinting through the Canvas API, however i think CanvasBlocker is still a valuable addition to ones arsenal. Be sure to read the ‘ghacks’ wiki about how to set it up to avoid the CSP issue.
A: Don’t use any user-agent spoofing add-ons as they will tend to raise entropy by compromising what RFP already does. Enable RFP (
privacy.) and load a User-Agent test site and you’ll see that your UA has been spoofed without any add-ons, plus there’s a lot more going on with RFP than with the UA spoofing add-ons.
A: I think Request Control is a good add-on that fills gaps left by uBlock Origin and uMatrix, however it isn’t entirely a replacement for them and it isn’t worth the added hassle for me personally, but if spending a whole lot of time fiddling with its settings doesn’t bother you, have at it.
A: Site Bleacher is the only storage cleaner at this time that removes IndexedDB storage automatically *while you surf*, though it removes it globally, not per-domain. All of the others remove IDB only at browser start, exit, or manually. This is due to a limitation in the Web Extension API that Mozilla hasn’t addressed, however if they ever do, then i might trade Site Bleacher for Forget Me Not once the developer adds the functionality to dump IDB storage per-domain upon tab closure.
Note also that if you use Site Bleacher, you can avoid many permission headaches by allowing all 1st party cookies globally in order to reduce web breakage, then let Site Bleacher dump everything for domains you haven’t added to its whitelist. I think this approach is much simpler than fiddling with cookie permissions every time denying them breaks a website and it presents little or no privacy issues i’m aware of other than the ability for a website to track you within its domain as long as you have its tab open, which i don’t particularly care about.
A: I think ETag Stoppa is a good add-on that helps to guard against object cache tracking and i really like the developer (he contributes heavily to the ‘ghacks’ user.js project). Also check out his other add-ons, particularly HTTPZ and POOP (Privacy-Oriented Origin Policy).
A: Header Editor is a useful add-on if you need it. Personally i don’t use it anymore.
A: I don’t use Smart Referer because there’s settings in both uMatrix and Firefox for configuring when and what referrer is sent to a website, though i’m not sure they cover every bit of ground that Smart Referer does. If you don’t use it, and you use uMatrix, i’d suggest using that to control the referrer since there’s a switch for it and you can set it per-domain.
A: It’s not supposed to, and if it did your fingerprint would be more unique since very few people block the referrer. uMatrix sends the referrer for the domain of the one you’re visiting, but will not send it from one domain to another. For example, if you visit 12bytes.org, uM will send 12bytes.org as the referrer, then if you go to corbettreport.com, instead of sending 12bytes.org as the referrer, it will spoof it by sending corbettreport.com. This can break website functionality in some cases, such as cross-domain logins, just so you’re aware, but you can easily toggle it on/off per-domain in uM.
A: I think it would be the berries if there was one good, comprehensive add-on that could do it all, but i tend to agree with ‘pants’ of the ‘ghacks’ user.js project in that Trace isn’t it.
A: If you’re using the ‘ghacks’ user.js and appropriate filter lists in uBlock Origin, then no. uBO with the appropriate filter lists enabled covers much more ground than the Firefox lists because Mozilla has to be super careful not to break anything, else they’ll have a few million irate users pounding down their door.
A: For all except those you want to keep, sure, but you don’t have to worry about it if you’re using Site Bleacher or you adjusted the relevant preferences within the ‘ghacks’ user.js. You can also allow all 1st party cookies globally in Firefox and let Site Bleacher crush them automatically if you want to avoid some pain. For those you want to keep, like maybe the settings for DuckDuckGo for example, you can whitelist the domains in SB.
A: Good question. I don’t know, but i doubt it, though it may depend on what you mean by zooming (with Ctrl + mouse wheel or with the
layout. preference). My response would be to ask how much convenience you’re willing to sacrifice in the name of privacy. Also this would depend on JS being enabled.
A: Get Rid Of Flash Player! It’s a proprietary insecure (nearly) useless privacy-hating piece of junk. I have yet to come across any video anywhere on any video platform or website that requires Flash. You likely don’t need the Adobe PDF Reader plugin either, nor any other proprietary browser plugins.
A: The built-in Firefox home/new tab page presents a privacy issue, though i don’t recall the details.
A: You can set the new tab/home page to whatever you want, it’s just recommend to not use the default Firefox one or any other resource that isn’t serious about protecting user privacy. Be aware that whatever you use as the home page may not be subject to filtering (think uBlock/uMatrix) before it loads when you first start the browser, so don’t set your home page to malicious-hackers-on-acid.com (or Facebook, etc.).
A: Content Security Policy is used, in part, to protect you and your browser against malicious behavior. Basically it consists of document headers that instruct the browser what it can and cannot to do with a webpage and it contents and how it should interact with it.
A: You never have to reinstall Firefox because everything that websites store is deposited outside of it’s installation directory, mostly in your profile directory, and its cache is kept in RAM if you’re using the ‘ghacks’ user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of ‘Everything’ and if that doesn’t make you feel comfy, you can create a new profile, import what you need, then delete the old one, but this is usually unnecessary in my opinion.
A: If you’re using my user-overrides.js in addition to the ‘ghacks’ one, then yes, that’s what you’ll see if there were no syntax errors in either one, however if you’re using only the ‘ghacks’ user.js, you should see “SUCCESS: No no he’s not dead, he’s, he’s restin’!”. Don’t forget to do the browser console check as well. This is important because if Firefox finds one little thing wrong in the user.js, it won’t process anything after that point. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the ‘ghacks’ user.js directly).
A: HTTPZ is basically an install-it-and-forget-it add-on. It’s small, simple to configure, and it just works. There may be an advantage with the EFF’s HTTPS Everywhere when you visit a secure site that pulls content from a non-secure one (think images). In this case i believe HTTPS Everywhere will attempt to upgrade the 3rd party requests whereas i don’t believe HTTPZ will. On the flip side, HTTPS Everywhere may not upgrade an insecure site at all if it’s not in the database. It also consumes significantly more memory than HTTPZ. The other HTTP to HTTPS add-ons i wouldn’t bother with.
A: Because “most” <> “all”. Anyone in between you and your destination can potentially see *and manipulate* that traffic if it’s not encrypted, starting with your ISP if you’re not using a VPN or Tor. This could include your neighbor if you’re wireless.
A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync in which case they’re stored locally and remotely. I don’t use Sync.