FAQ: Firefox Hardening

Know-it-all

Following are some questions i've been asked regarding the hardening of the Firefox web browser as outlined in the guides, The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Note that most answers given assume you have followed one of the aforementioned guides or otherwise incorporated the 'ghacks' user.js (or similar) for Firefox along with the suggested extensions and other advice provided in their wiki.

If you're looking for an answer to a particular question, try Ctrl + F.

Terms used:

Q: Any thoughts on Waterfox? I don't trust Mozilla.

A: I think i've been asked this question more than any other. The tl;dr answer is: don't bother with any 3rd party build, the Tor browser being the only exception.

I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there's several key reasons for not using a 3rd party build/fork of Firefox, be it Waterfox, Pale Moon, etc.. The only exception is the Tor Browser. What follows is a compilation of 'pants' thoughts and my own after i brought up Waterfox in conversation, which i was using at the time.

Our web browser is perhaps the most important piece of software we use since it's our primary gateway to the www and all the attack vectors that go with connecting to the Wide Area Network. Trusting the integrity of something as crucial and deeply complex as a web browser (currently more than 20 million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers, but their work does indeed lag behind Mozilla, sometimes by many months, plus they simply don't have the technical resources at their disposal that Mozilla does.

Lastly, there is little or nothing one can achieve with regard to privacy that you can't achieve with Mozilla Firefox, it just takes a bit more tweaking.

Q: What's the difference between uBlock and uMatrix? Can they be used together? Which one should i use?

A: It seems a lot of people ask these questions about these two very important add-ons. Although they perform similar functions in that they essentially filter content much like a software firewall, the developer attempts to target two different audiences, plus they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.

Both can be used together, but because there is overlapping functionality they need to be properly configured to work together efficiently. If you've followed the The Firefox Privacy Guide For Dummies! only uBlock is used whereas both are used in the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

In the case where both are used, i suggest using uBO to handle the static filtering (the 3rd party filter lists used for ad blocking and such) and uMatrix to handle the dynamic filtering (JavaScript, cookies, frames, etc.). In this scenario you can essentially forget about uBO after installing and configuring it.

At one time there was only a single extension and i think the developer unnecessarily complicated matters when he split it, thus creating two extensions with a overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for users who don't RTFM (read the f'ing manual), while uM is targeted toward advanced users only. In practice however i find uM easier to use than uBO in it's advanced mode. Q: What do you think about browser compartmentalization as suggested in this article, Incognito mode won’t keep your browsing private. Do this instead? What do you think about using Firefox Quantum for everyday use and Firefox ESR for accounts?

A: I think Michael's advice to use multiple browsers for different tasks is unnecessary. If one is that privacy conscience (or paranoid), then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).

What Michael calls "incognito mode" is "private browsing" mode in Firefox and he's right; PB isn't a complete solution to prevent tracking, leaking, etc., however there's a whole lot more going on in Firefox when you employ the 'ghacks' user.js and the suggested add-ons than just PB mode, one of them being First Party Isolation which isolates one domain (think Facebook) from being able to track you across other domains. Another defense against tracking and fingerprinting that is enabled in the 'ghacks' user.js is resistance to browser fingerprinting (RFP). Add to that uBlock Origin and some of its filter lists options and/or uMatrix and the isolation becomes even more complete.

It boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use Firefox and one profile for almost everything, however i'll spin up a new default profile if i have trouble with a website which happens occasionally when making a purchase, or when i need to troubleshoot a problem with a preference or extension. Note however that i do not do online banking, nor am i a member of any of the mainstream social behavioral modification websites, aka "social media".

Regarding purchases and banking, there's obviously not much reason to hide when you're providing accurate personal information, but creating a new and disposable profile for these kinds of things is certainly not a bad idea.

Q: Do you think using different profiles and the multi-account containers/temporary containers within each browser would make things more secure/private?

A: I think there's very little advantage to using containers over FPI (privacy.firstparty.isolate). I don't use PB or containers at all because i think they're largely unnecessary given my configuration and requirements. The best container add-on i know of is Temporary Containers and i don't care for it because of its complexity and the fiddling it requires, plus it needs to be used with yet another add-on, Firefox Multi-Account Containers, to make using containers more transparent. FPI covers largely, though not quite exactly, what TC accomplishes and does so in a way that is far more transparent to the user. That said, if you still want to use the Temporary Containers add-on, then i would suggest that one profile for each major use case is enough (banking, casual browsing, etc.).

Q: After following your Firefox guide I can't log on to 'x' website.

A: Certain preferences in the 'ghacks' user.js could cause this as well as certain add-ons. Most often JavaScript and cookies must be allowed for logons to succeed, so if you're using uBlock Origin and/or uMatrix, you may need to alter their settings for specific domains accordingly.

Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging-on, then back to the original domain. In this case the Site Bleacher add-on can break logons because it will auto-delete storage for the first domain as soon as you are forwarded to the second. One way to circumvent this is to whitelist the first domain in Site Bleacher. Another is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded. One website that uses cross-domain login is addons.mozilla.org. If you click the 'Log in' link, you'll be forwarded to accounts.firefox.com and then back to addons.mozilla.org where you'll find that, even if you have allowed cookies and JS for both domains, the logon will fail if you have Site Bleacher installed without using one of the aforementioned workarounds.

Enabling privacy.firstparty.isolate (FPI) can also break cross-domain logons (Disqus being one apparently), however FPI is such an important item that disabling it in your primary Firefox profile should be avoided at all cost unless containers are used. Instead i would suggest creating a new profile for the affected website(s).

Q: I followed your privacy guide and now my FVD Speed Dial add-on doesn't work right.

A: Remove it immediately and either dump ALL history for your Firefox profile or create a new one and import only the essentials. FVD Speed Dial is a privacy-hating data collection vacuum and it's collecting a lot of it. Nimbus Web, Inc., located in Ohio and incorporated in Delaware, is the company that markets FVD Speed Dial (and they have the balls to beg for donations). If you want to store personal data off-site so it's accessible using other devices, consider something like Nextcloud which is free, open source software. Also see the guidelines for choosing extensions in Firefox Extensions – My Picks.

Q: I read somewhere that enabling RFP would make the browser more unique.

A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you're going to look somewhat unique.

There are a myriad of ways to fingerprint the browser, one being to grab the dimensions of the browser view port (the part that actually renders a web page) because it offers a high degree of entropy, though this relies on JavaScript being enabled. This is why, when RFP is enabled, Firefox starts with generic viewport dimensions rather than the size it was when it exited last, assuming you resized the window at some point. This is something i override with an extension because i want it maximized, period, so again, it's a question of convenience vs. privacy.

Unless you're using the Tor browser in its default configuration with no additional extensions installed, i'm not sure it's possible to prevent fingerprinting entirely at this point.

Lastly, i don't pretend to understand all the details of RFP as a lot of it is very technical and over my head. It is also incomplete at this time, but much has been done.

Q: If I run one of those fingerprint tests and I’m fingerprinted on FF, will I be tracked even if I create a new profile afterwards?

A: Don't think of fingerprinting as being something that's global or permanent. If you mess up and enable JS on a site where you didn't want to for example, you can ignore the mistake as long as you're using the 'ghacks' user.js and recommended and properly configured extensions. As a precaution you can dump your entire history, including cookies, but there shouldn't be a need to create a new profile. Remember that FPI isolates nearly all website storage on a per-domain basis, so storage set by one domain cannot be accessed by another. Furthermore, if you're using the Site Bleacher add-on, most storage is automatically dumped as soon as you leave the domain.

Lastly, your browser will be fingerprinted. The question is, how unique is that fingerprint.

Q: For what use case would you recommend using TOR browser? What's your thoughts on it?

A: I can't offer intelligent advice regarding the Tor network because i'm simply not knowledgeable enough. That said, i'll offer my personal thoughts at this particular time which is simply that i don't trust it and that lack of trust is the result, in part, of reading horror stories about some of the people that are or were involved in the project and leaked emails between them and the MiB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown. Also Tor is funded in part by U.S. government agencies who use it to communicate secretly. So why than is Tor free, open source and available to the public then you ask? My understanding is that the more people that use it, the more "noise" there is in the system, thus the harder it is for someone to identify who's communicating with whom.

As for the web browser the Tor project recommends, it's a hardened fork of Mozilla Firefox and some of what has been learned is being ported to Firefox as part of the Tor Uplift Project.

On the user end, i personally think Tor is limiting and annoying because you're not supposed to use any browser extensions (uniformity among users is crucial), so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive gaming is totally out of the question and they also advise against torrenting. Even watching hi-def videos can be problematic.

Then there's the question of who's running exit nodes and what damage they may be able do (anyone can run an exit node, including those in the "intelligence" community). Tor advocates have an answer for almost everything, but they don't convince me. That said, you cannot fully trust any VPN either, so take your pick (but do pick one). That said, using Tor and the Tor Browser is entirely free and Snowden promotes it, so there's that.

The other thing to consider is who your foe is because the needs of a whistleblower or a journalist who is at risk of physical harm or career suicide may be very different than your threat profile. If it's your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you're worried about, then a good VPN should be enough. If it is the 3-letter agencies that concern you, well, good luck because hiding from them for any length of time might just be somewhere between difficult and impossible. The way we write and form sentences alone is enough to fingerprint us, then there's technologies like Intel's and AMD's backdoors in virtually all of their processors, the baseband OS running in every phone, etc..

Q: What do you think about CanvasBlocker?

A: Firefox is getting better at protecting against fingerprinting through the Canvas API, however i think CanvasBlocker is still a necessary addition to ones arsenal.

Q: What do you think about the Chameleon/Random User Agent/User-Agent Switcher add-ons?

A: Don't use any user-agent spoofing add-ons as they may very well raise entropy. The answer is to enable RFP (privacy.resistFingerprinting) instead. With RFP enabled, load a User-Agent test site and you'll see that your UA has been spoofed without any add-ons, plus there's a lot more going on with RFP than with the UA spoofing add-ons.

Q: What do you think about ClearURLs/Neat URL?

A: I prefer ClearURLs because you can install it and forget it exists. Neat URL would be my 2nd choice, but it will probably break websites more often than the former.

Q: What do you think about Request Control?

A: I think Request Control is a good add-on that fills the gaps left by uBlock Origin and uMatrix, however it isn't entirely a replacement for them and it isn't worth the added hassle for me personally, but if spending a whole lot of time fiddling with its settings doesn't bother you, have at it.

Q: What do you think about cookie/storage cleaners like Cookie Autodelete, Self-Destructing Cookies, SecretAgent and Site Bleacher?

A: Site Bleacher is the only storage cleaner at this time that removes IndexedDB storage automatically *while you surf*, though it removes it globally, not per-domain. All of the others remove IDB only at browser start, exit, or manually. This is due to a limitation in the Web Extension API that Mozilla hasn't addressed, however if they ever do, then i might trade Site Bleacher for Forget Me Not once the developer adds the functionality to dump IDB storage per-domain upon tab closure.

Note also that if you use Site Bleacher, you can avoid many permission headaches by allowing all 1st party cookies globally in order to reduce web breakage, then let Site Bleacher dump everything for domains you haven't added to its whitelist. I think this approach is much simpler than fiddling with cookie permissions every time denying them breaks a website and it presents little or no privacy issues i'm aware of other than the ability for a website to track you within its domain as long as you have its tab open, which i don't particularly care about.

Q: What do you think about ETag Stoppa?

A: I think ETag Stoppa is a good add-on that helps to guard against object cache tracking and i really like the developer (he contributes heavily to the 'ghacks' user.js project). Also check out his other add-ons, particularly HTTPZ and POOP (Privacy-Oriented Origin Policy).

Q: What do you think about Header Editor?

A: Header Editor is a useful add-on if you need it. Personally i don't use it anymore.

Q: What about Smart Referer?

A: I don't use Smart Referer because there's settings in both uMatrix and Firefox for configuring when and what referrer is sent to a website, though i'm not sure they cover every bit of ground that Smart Referer does. If you use uMatrix i'd suggest enabling the option to spoof the referrer. Also uM has a switch so you can set it per-domain.

Q: So I have got uMatrix set to ‘spoof HTTP referrer string of third-party requests’, but on my tests it does not block the referrer.

A: It's not supposed to, and if it did your fingerprint would be more unique since very few people block the referrer. If you have the option enabled then uMatrix will spoof the referrer by setting the referrer to the domain you're visiting as though the domain was the very first you visited after opening your browser. For example, if you visit 12bytes.org, uM will send 12bytes.org as the referrer, then if you go to corbettreport.com, instead of sending 12bytes.org as the referrer, it will send corbettreport.com. This can break website functionality in some cases, such as cross-domain logins, just so you're aware, but you can easily toggle it on/off per-domain in uM.

Q: Trace seems to cover a lot of what the several extensions you recommend do. Would you recommend it?

A: I think it would be the berries if there was one good, comprehensive add-on that could do it all, but Trace isn't is, not even close. Have a look at what 'Pants' of the 'ghacks' user.js for Firefox project discovered after playing with Trace for a very short time.

Q: Is the browser easier to fingerprint if JS is allowed?

A: Absolutely! Many fingerprinting and tracking techniques rely upon JavaScript, which is why i *strongly* suggest disabling it globally with uMatrix or uBlock Origin, then allowing it only for websites where you need it. Also see the Changing how websites look or work section of the Firefox Tweaks and Fixes and Styles and Things page to learn how you can get around having to enable JS in some cases.

Q: In my Firefox preferences I see it is set to deny trackers and scripts but only in custom mode, should I change it to Standard or Strict?

A: If you're using the 'ghacks' user.js and appropriate filter lists in uBlock Origin, then no. uBO with the appropriate filter lists enabled covers much more ground than the Firefox lists because Mozilla has to be super careful not to break anything, else they'll have a few million irate users pounding down their door.

Q: Should I delete cookies and site data on close?

A: For all except those you want to keep, sure, but you don't have to worry about it if you're using Site Bleacher or you adjusted the relevant preferences within the 'ghacks' user.js. You can also allow all 1st party cookies globally in Firefox and let Site Bleacher crush them automatically if you want to avoid the hassle. For those you want to keep, like maybe the settings for DuckDuckGo for example, you can whitelist the domains in SB.

Q: Will zooming a webpage make me more trackable/fingerprintable?

A: Good question. I don't know, but i doubt it, though it may depend on what you mean by zooming (with Ctrl + mouse wheel or with the layout.css.devPixelsPerPx preference). My response would be to ask how much convenience you're willing to sacrifice in the name of privacy. Also this would depend on JS being enabled.

Q: Is there a way to block font enumeration through flash player?

A: Get. Rid. Of. Flash. Player! It's a proprietary, insecure and nearly useless privacy-hating plugin. In my daily surfing i have yet to come across any video anywhere on any video platform or website that requires Flash. You likely don't need the Adobe PDF Reader plugin either, nor any other proprietary browser plugins.

Q: Is it not safe/private to have my most visited sites and search from Firefox home screen?

A: The built-in Firefox home/new tab page presents a privacy issue, though i don't recall the details.

Q: So I should not use Firefox home screen, but what if I set a search engine like Duck Duck Go as my homepage, would that be OK?

A: You can set the new tab/home page to whatever you want, it's just recommend to not use the default Firefox one or any other resource that isn't serious about protecting user privacy. Be aware that whatever resource you use as the home page may not be subject to filtering (think uBlock/uMatrix) when you first start the browser, so don't set your home page to malicious-hackers-on-acid.com (or Facebook, Google, etc.).

Q: What is this CSP/Content Security Policy thing mentioned in the ghacks wiki and how does it relate to Firefox?

A: Content Security Policy is used, in part, to protect you and your browser against malicious behavior. Basically it consists of document headers that instruct the browser what it can and cannot to do with a webpage and its contents and how it should interact with it.

Prior to Firefox v77 the CSP issue caused a significant problem with certain extensions, however since v77 it is a non-issue.

Q: I accidentally opened a website before installing all of the recommended extensions, so what should I do? Perhaps reinstall FF?

A: You never have to reinstall Firefox because everything that websites store is deposited outside of it's installation directory, mostly in your profile directory, and its cache is kept in RAM if you're using the 'ghacks' user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of 'Everything' and if that doesn't make you feel comfy, you can create a new profile, import what you need, then delete the old one, but this is usually unnecessary in my opinion.

Q: So I verified the integrity of user.js and the first one to show on about:config is _user.js.parrot SUCCESS! USER SETTINGS LOADED, so it must have loaded correctly.

A: If you're using my user-overrides.js in addition to the 'ghacks' one, then yes, that's what you'll see if there were no syntax errors in either one, however if you're using only the 'ghacks' user.js, you should see "SUCCESS: No no he's not dead, he's, he's restin'!". Don't forget to do the browser console check as well. This is important because if Firefox finds one little thing wrong in the user.js, it won't process anything after that point. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the 'ghacks' user.js directly).

Q: What settings should I change on the ghacks to be able to access 'x' website? Q: I read that you recommend HTTPZ instead of HTTPS Everywhere because it just works without a list and human intervention so less prone to error, what about these other options: HTTPS by default and Smart HTTPS?

A: HTTPZ is basically an install-it-and-forget-it add-on. It's small, simple to configure, and it just works. There may be an advantage with the EFF's HTTPS Everywhere when you visit a secure site that pulls content from a non-secure one (think images). In this case i believe HTTPS Everywhere will attempt to upgrade the 3rd party requests whereas i don't believe HTTPZ will. On the flip side, HTTPS Everywhere may not upgrade an insecure site at all if it's not in the database. It also consumes significantly more memory than HTTPZ. The other HTTP to HTTPS add-ons i wouldn't bother with.

Q: Also why should we use any HTTPS add-on when pretty much most sites today are already HTTPS?

A: Because "most" <> "all". Anyone in between you and your destination can potentially see *and manipulate* that traffic if it's not encrypted, starting with your ISP if you're not using a VPN or Tor. This could include your neighbor if you're wireless.

Q: What about the bookmarks? Do those get sent to Firefox or only stored locally?

A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync in which case they're stored locally and remotely. I don't use Sync.

6 thoughts on “FAQ: Firefox Hardening”

  1. A noob question about FPI. If I open several sites on the same tab they will be isolated or does the FPI work like the containers where each tab/container has its own isolated content?

    Does enabling the history offer any risk to privacy?

    Note: Sorry if I made any English mistake, I’m using a translation tool to convert Brazilian Portuguese > English.

    1. FPI isolates storage by domain, so if you open site ‘a’ in a tab, then site ‘b’ in the same tab, the storage for both sites is isolated from one another, thus FPI works differently than Firefox’s built-in containers

      the Temporary Containers add-on enhances the built-in container functionality to achieve domain level isolation very similar to what FPI does which is why i personally don’t use containers or the Temporary Containers add-on which, in my view, just add an unnecessary layer of complexity

      as for history, if you enable the option to color visited links (layout.css.visited_links_enabled) it is possible for a website to use some CSS and JS to see if you have visited a link(s) before – to my knowledge this exploit depends on having JS enabled – personally i enable the option to color visited links differently

Leave a Reply

Your email address will not be published. Required fields are marked *