12bytes Mumble meet every Sat. night!
Coronavirus information & resources
Vaccines - What You Need To Know

FAQ: Firefox Hardening

Know-it-all

Following are some questions i've been asked regarding the hardening of the Firefox web browser as outlined in The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Note that most answers assume you have followed one of the aforementioned guides or otherwise incorporated the 'arkenfox' user.js (or similar) for Firefox along with the suggested extensions and other advice provided in their wiki.

If you're looking for an answer to a particular question, try Ctrl + F.

Terms used:

Q: Any thoughts on [insert non-Firefox browser here]? I don't trust Mozilla.

A: I think i've been asked this question more than any other. My tl;dr answer is: don't bother with anything except the official Firefox browser from Mozilla, the Tor browser being the only exception.

I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there's several key reasons for not using other browsers or Firefox forks, be it Waterfox, Pale Moon, etc.. What follows is a compilation of 'pants' thoughts and my own after i brought up Waterfox in conversation, which i was using at the time.

Our web browser may be the most important piece of software we use since it's usually our primary gateway to the www and all the attack vectors that come with that. Trusting the integrity of something as crucial and deeply complex as a web browser (currently more than 24+ million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers, but their work often lags behind Mozilla, sometimes by many months, and they simply don't have the technical resources at their disposal that Mozilla does.

Lastly, there is little or nothing one can achieve with regard to privacy that you can't achieve with the official Mozilla release, it just takes a bit more tweaking.

Q: What is the difference between uBlock and uMatrix? Can they be used together? Which one should i use?

A: uMatrix is no longer actively developed, though you can still use it (personally i choose to use only uBlock Origin in advanced mode). Although they perform similar functions in that they essentially filter content much like a software firewall, the developer attempted to target different audiences, plus they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.

Both can be used together, but because there is overlapping functionality they need to be configured to work together efficiently.

In the case where both are used, i suggest using uBO to handle the static filtering (the 3rd party filter lists used for ad blocking and such) and uMatrix to handle the dynamic filtering (JavaScript, cookies, frames, etc.). In this scenario you can essentially forget about uBO after installing and configuring it as most of your attention will be focused on uM.

At one time there was only a single extension and i think Raymond unnecessarily complicated matters for users when he split it, thus creating two with overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for users who don't RTFM (read the f'ing manual), while uM is targeted toward advanced users. In practice however i found uM easier to use than uBO in it's advanced mode.

Q: What do you think about browser compartmentalization as suggested in this article, Incognito mode won’t keep your browsing private. Do this instead? What do you think about using Firefox Quantum for everyday use and Firefox ESR for accounts?

A: First of all, complete privacy on the web is a pipe dream. I think Michael's advice to use multiple browsers for different tasks is likely unnecessary for most users. If one is that privacy conscience (or paranoid) then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).

What Michael calls "incognito mode" is "private browsing" mode in Firefox and he's right; PB isn't a complete solution to prevent tracking, leaking, etc., however there's a whole lot more going on in other than just PB mode in Firefox when you employ the 'arkenfox' user.js and the suggested add-ons, one of them being Dynamic First Party Isolation (dFPI) which isolates web storage per domain so that data-slurping sites like Facebook, Twitter, Instagram, Twitter, etc., aren't able to track you nearly as effectively. Add to that uBlock Origin and some filter lists and you have some pretty powerful stuff happening under the hood.

That said, i think it really boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use one Firefox profile for almost everything except shopping, however i might spin up a new, default profile if i have trouble with a particular website or when i need to troubleshoot a problem with a preference or extension. Note however that i do not do online banking, nor am i a member of any of the mainstream behavioral modification websites, aka "social media". For shopping i keep a very relaxed profile with uBlock Origin installed and set to "Easy" mode.

Q: Do you think using different profiles and the multi-account containers/temporary containers within each browser would make things more secure/private?

A: Containers are dead, as is First Party Isolation. The new kid in town is dFPI (Dynamic FPI). I don't use PB or containers at all since dFPI is a much better solution that is far more transparent to the user.

Q: After following your Firefox guide I can't log on to 'x' website.

A: Certain preferences in the 'arkenfox' user.js could cause this as well as certain add-ons. Most often JavaScript and cookies must be allowed for logons to succeed, so if you're using uBlock Origin and/or uMatrix, you may need to alter their settings for specific domains.

Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging-on, then back to the original domain. In this case dFPI can break logons though there "shims" being added to Firefox to overcome common instances of this problem. One way to circumvent this is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded, then log on in the new tab and refresh the first tab, after which the tab you used to log on can be closed. One website that uses cross-domain login is addons.mozilla.org. If you click the 'Log in' link, you'll be forwarded to accounts.firefox.com and then back to addons.mozilla.org.

Q: Will modifying the CSS of a site make fingerprinting the browser easier?

A: If JS is enabled, then potentially, yes, but it depends on what the script is looking for. If it were only checking whether you modified the <body> attribute, and you didn't modify that particular attribute, then no. I have no idea how widespread such scripts are that look for CSS or script injections, but i would guess not very and i would further guess that it may be more likely that they're looking at one, or maybe a few specific attributes.

Q: I followed your privacy guide and now my FVD Speed Dial add-on doesn't work right.

A: Close your account with that jackass company after deleting everything you possibly can from their server, then remove the add-on and either dump all history for your Firefox profile. FVD Speed Dial is a privacy-hating data collection vacuum and it's collecting a lot of it. Nimbus Web, Inc., located in Ohio and incorporated in Delaware, is the company that markets it and they have the balls to beg for donations while they slurp up and sell your personal data. If you want to store personal data off-site so that it's accessible from your other devices, consider something like Nextcloud which is free, open source software. Better yet, don't store anything sensitive in the so-called "cloud". Also see the guidelines for choosing extensions in Firefox Extensions – My Picks.

Q: I read somewhere that enabling RFP would make the browser more unique.

A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP (privacy.resistFingerprinting) in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you're going to look somewhat unique, but not totally. Hopefully this preference will be enabled by default in the near future.

There are a myriad of ways to fingerprint the browser and RFP tries to deal with a lot of them. Many metrics depend on JavaScript being enabled while some don't.

Unless you're using the Tor browser in its default configuration with no additional extensions installed, i'm not sure it's possible to prevent fingerprinting entirely and the problem seems to be getting worse.

Lastly, i don't pretend to understand all of the details of RFP or the methods used to fingerprint a web browser as a lot of it is very technical and over my head.

Q: If I run one of those fingerprint tests and I’m fingerprinted on FF, will I be tracked even if I create a new profile afterwards?

A: There shouldn't be a need to create a new profile. Remember that dFPI isolates nearly all website storage on a per-domain basis, so storage set by one domain cannot be accessed by another. Furthermore, if you're using the 'arkenfox' user.js or similar settings, most storage is automatically dumped as soon as you close Firefox.

Q: For what use case would you recommend using Tor browser? What's your thoughts on it?

A: I can't offer intelligent advice regarding the Tor browser or network because i'm simply not knowledgeable enough. That said, i'll offer my personal opinion at this particular time which is simply that i don't trust Tor and that lack of trust is the result, in part, of reading horror stories about some of the people that are, or were, involved in the project and leaked emails between them and the MiB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown, but which we might speculate upon. Tor is funded in part by U.S. government agencies who use it to communicate secretly, or so we're told. So why then is Tor free, open source and available to the public you ask? My understanding is that the more people that use it, the more "noise" there is in the system, thus the harder it is for someone to identify who's communicating with whom.

As for the web browser the Tor project recommends, it's a hardened fork of Mozilla Firefox and much of what has been learned by the Tor developers has been ported to Firefox as part of the Tor Uplift Project.

On the user experience end, i personally think Tor is limiting and annoying because you're not supposed to use any browser extensions (uniformity among users is crucial) so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive traffic, such as gaming, is out of the question and they also advise against torrenting. Even watching hi-def videos is sometimes not possible. Not being able to choose the exit node means you can't change locations as you can with a VPN and this can be problematic (imagine a YouTube video that's banned in Canada and your Tor exit note is in Canada).

Then there's the question of who's running exit nodes and what damage they may be able do. Anyone can run an exit node, including those in the "intelligence" community, their contractors, malicious hackers, etc.. Tor advocates have an answer for almost everything, but they don't convince me that Tor exit nodes can't be compromised in such a way as to identify where the traffic is coming from. Matter of fact, it is possible to simulate an entire Tor network on a single machine. That said, you cannot trust any VPN either, so take your pick (but do pick one). Using Tor and the Tor Browser is entirely free and Snowden promotes it, so there's that. Note however that Snowden isn't god, nor does he have intimate knowledge of all things technical.

The other thing to consider is who your foe is because the threat profile of a whistleblower or a journalist who is at risk of physical harm may be very different from your own. If it's your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you're worried about, then a good VPN should be enough. If it's the 3-letter agencies that concern you, well, good luck because hiding from them for any length of time might be somewhere between difficult and impossible since there's no way to know their capabilities. Our writing style alone is enough to fingerprint us, then there's backdoors in virtually all of our processors thanks to companies like Intel and AMD, the Unified Extensible Firmware Interface (UEFI) which boots most/all modern PC's, the baseband OS running in every phone, etc..

Also see: Tor versus a VPN - Which is right for you?

Q: What do you think about CanvasBlocker?

A: Firefox is getting better at protecting against fingerprinting through the Canvas API, however i think CanvasBlocker may still be a worthwhile addition to your arsenal as long as you know how to un-break the sites that it breaks. Personally i no longer use it.

Q: What do you think about add-ons that alter the browsers User Agent?

A: Don't! Don't use any user-agent spoofing add-ons for privacy reasons since they may very well raise entropy. The answer is to enable RFP and dFPI. With RFP enabled, load a User-Agent test site and you'll see that your UA has been spoofed without any add-ons, plus there's a lot more going on under the hood than any UA spoofing add-on provides.

Q: What do you think about ClearURLs/Neat URL?

A: I prefer ClearURLs because you can install it and forget it. Neat URL would be my 2nd choice, but it will probably break websites more often than the former. That said, i no longer use either. I use ClearURLs for uBo instead.

Q: What do you think about Request Control?

A: I think Request Control is a good add-on that fills the gaps in uBlock Origin and uMatrix, however it isn't entirely a replacement and it isn't worth the additional hassle for me personally, but if spending a whole lot of time fiddling with its settings doesn't bother you, have at it.

Q: What do you think about cookie/storage cleaners like Cookie AutoDelete, Self-Destructing Cookies, SecretAgent and Site Bleacher?

A: The most recent versions of Firefox, along with version 96+ of the 'arkenfox' userj.js which employs Dynamic First Party Isolation (dFPI/network partitioning), makes storage cleaners largely obsolete.

Q: What do you think about ETag Stoppa?

A: I think ETag Stoppa served a purpose prior to Enhanced Tracking Protection was added to Firefox, but i think it's less useful since. The developer is a good egg though so do check out his other add-ons, particularly POOP (Privacy-Oriented Origin Policy).

Q: What do you think about Header Editor?

A: Manipulating HTTP headers is useful in some cases, such as to force CSS/script injection when Content Security Policy (CSP) forbids it, but i don't think many people need this and it can be dangerous.

Q: What about Smart Referer?

A: I don't use Smart Referer because the functionality to configure when and what referrer is sent to a website is available in Firefox, though i'm not sure it covers every bit of ground that Smart Referer does.

Q: Should I be blocking the referrer?

A: No. This would make your fingerprint more unique since very few people block the referrer. Instead you can spoof the referrer with the  network.http.referer.XOriginPolicy preferences so that it sends the referring website only when the host matches (already done in the 'arkenfox' user.js). For example, normally if you open your browser to 12bytes.org and then go to corbettreport.com, corbettreport.com will see that you came from 12bytes.org. If however you set network.http.referer.XOriginPolicyto '2', then corbettreport.com will see corbettreport.com as the referrer. On occasion this might break website functionality, such as for cross-domain logins.

Q: Trace seems to cover a lot of what the several extensions you recommend do. Would you recommend it?

A: I think it would be the berries if there was one good, comprehensive, super-add-on that could do it all, but Trace isn't it, not even close. Have a look at what 'Pants' of the 'arkenfox' user.js for Firefox project discovered after playing with Trace for a very short time.

Q: Is the browser easier to fingerprint if JS is allowed?

A: Absolutely!!! Many fingerprinting and tracking techniques rely upon JavaScript being enabled, which is why i *strongly* suggest disabling JS globally, such as with uBlock Origin, then allowing it on a site-by-site basis only if you need it. Beyond the invasion of privacy there are serious security risks with JS as well. Also see the Changing how websites look or work section of the Firefox Tweaks and Fixes and Styles and Things page to learn how you can regain functionality without enabling JS in some cases.

Q: In my Firefox preferences I see Enhanced Tracking Protection is set to "Standard". Is this OK?

A: Set it to "Strict" (the 'arkenfox' user.js will do this for you if you decide to employ it). There's a lot more going on when ETP is set to "Strict", including site/storage isolation.

Q: Should I delete cookies and site data on close?

A: Yes, for all sites except for those you want to keep such data for which you can add exceptions.

Q: Will zooming a webpage make me more trackable/fingerprintable?

A: It can if JS is allowed to run.

Q: Is there a way to block font enumeration through flash player?

A: Get! Rid! Of! Flash! Player! It's a proprietary, insecure, largely obsolete, privacy-hating piece of garbage. In my daily surfing i have yet to come across any video anywhere that requires Flash. You should dump the Adobe PDF Reader plugin also if it's installed, as well as any other proprietary browser plugins.

Q: Is it not safe/private to have my most visited sites and search from Firefox home screen?

A: The built-in Firefox home/new tab page presents some privacy issues. It's hard to be more specific than that because Mozilla often changes the way they use the default home/new tab page, but there are always privacy issues. You could set the home/new tab page to about:blank if you wanted, or better yet, have a look at the Mark-It add-on on my extensions page.

Q: If I set a search engine like DuckDuckGo as my homepage, would that be OK?

A: Don't use DuckDuckGo, or the default Firefox new tab page, but yeah, you can set the new tab/home page to whatever you want as long as the resource is serious about protecting your privacy.

Q: What is this CSP/Content Security Policy thing mentioned in the arkenfox wiki and how does it relate to Firefox?

A: Content Security Policy is used, in part, to protect web browsers against malicious behavior. Basically it consists of HTTP headers that instruct the browser what it can and cannot to do with a webpage and its contents and how it should interact with it.

Prior to Firefox v77 the CSP thing caused a significant problem with certain extensions, however this has been fixed... finally.

Q: I accidentally opened a website before installing all of the recommended extensions, so what should I do? Reinstall FF?

A: You never have to reinstall Firefox because everything that websites store is deposited outside of it's installation directory, mostly in your profile directory, and its cache is kept in RAM if you're using the 'arkenfox' user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of 'Everything' and if that doesn't make you feel warm and fuzzy, you can create a new profile, import what you need, then delete the old one, but this is probably unnecessary.

Q: So I verified the integrity of user.js and the first one to show on about:config is _user.js.parrot SUCCESS! USER SETTINGS LOADED, so it must have loaded correctly.

A: If you're using my user-overrides.js which is intended to be appended to the 'arkenfox' user.js, then yes, that's what you'll see if there were no syntax errors in either one, however if you're using only the 'arkenfox' user.js, you should see "SUCCESS: No no he's not dead, he's, he's restin'!". Don't forget to do the browser console check as well. This is important because if Firefox finds one little itty-bitty thing wrong in the user.js, it won't process anything after that point and thus the default settings will be loaded. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the 'arkenfox' user.js directly - all changes/additions need to be placed in a user-overrides.js).

Q: What settings should I change on the arkenfox to be able to access 'x' website?

A: See Troubleshooting Firefox preferences and Troubleshooting problems with add-ons.

Q: I read that you recommend HTTPZ instead of HTTPS Everywhere because it just works without a list and human intervention so less prone to error, what about HTTPS by default and Smart HTTPS?

A: No HTTP upgrade add-on is necessary since this functionality has been added to Firefox (see about:preferences#privacy) and i would recommend setting it to "Enable HTTPS-Only Mode in all windows".

Q: What about bookmarks? Do those get sent to Firefox or only stored locally?

A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync in which case they're stored locally and remotely. I don't use, nor recommend using Firefox's Sync because i only want me to be in control of my data. If you want to share bookmarks and other stuff between Firefox instances on different devices, look into setting up your own "cloud" server.

19 thoughts on “FAQ: Firefox Hardening”

  1. I forgot to delete those default *.xpi in system files. What should I do now? Should I reinstall and delete again? What are the implications if I do reinstall and if I do not. Can you please explain in detail.

    1. don’t sweat it – you should never have to reinstall Firefox to solve such an issue – just go ahead and delete the system add-ons *if you wish* – you don’t have to, i just personally prefer to given some of the shit Mozilla has pulled in the past with these system add-ons, plus i have no use for any of them

  2. Hello, good day, I’m having problems when logging into a website through my google account, which redirects me to google login. I Disabled the privacy.firstparty.isolate option to false but I still have the same problem. That i’m stuck at the window “wait a moment”

  3. What is your opinion on Firefox’s setting: “Query OCSP responder servers to confirm the current validity of certificates”?
    From my understanding, OCSP request is not encrypted if the site didn’t respond with OCSP Stapling. Should i turn it off for privacy or should i leave it on for the perceived security?

    1. personally i think security.OCSP.enabled should probably not be disabled unless one is well aware of the risks – i disable it in my overrides js to avoid the query (added latency) and for privacy reasons, but i don’t do anything like on-line banking either

      like it says in the ‘arkenfox’ user.js, “It’s a trade-off between security (checking) and privacy (leaking info to the CA)”

      sorry i’m not able to offer a more concrete answer

  4. I’ve heard that turning off Javascript actually makes you more identifiable, much like turning on DNT. Is this true? Can a web server know if you have Javascript turned off (maybe by detecting no javascript ping response sent or something), and thus flag/profile you as a potential ‘advanced user/privacy paranoid user’, which in turn puts you in some sort of ‘user to track’ watchlist?

    1. that’s a really good question

      if you disable JavaScript (JS) then, yes, the website absolutely *can* (but not always) know that you’ve disabled it and indeed very few people disable JS, so yes, overall your browser is more fingerprint-able

      on the other hand, a huge part of websites being able to fingerprint your browser relies on JS being enabled … so there’s the conundrum

      so ignoring all other fingerprinting techniques, if you disable JS, i would think that you fall into a small bucket of people, however if you leave it enabled, you fall into a potentially much smaller bucket, meaning that your browser is even more unique because of all the data that can be harvested by JS, not that every website is looking at all the possible metrics, but some are looking at more than others

      so… i absolutely recommend that JS be disabled GLOBALLY and then allowed *only where it’s needed*

      on top of that i recommend using a VPN

      DNT is useless – there’s no obligation for websites to honor this preference – and again, if it’s enabled, you may fall into a smaller bucket, but it still doesn’t make you unique

    2. ps: all that said, if you allow JS globally and use the ‘arkenfox‘ user.js, along with some recommended extensions (uBlock Origin especially, and/or uMatrix), than your browser is far less fingerprint-able than if you weren’t using them

      there are a myriad of ways to fingerprint a browser and enabling RFP (privacy.resistFingerprinting) in Firefox is a huge part of combating this (this is enabled by default in the ‘arkenfox’ user.js, along with FPI (privacy.firstparty.isolate))

      really though, there is no way to avoid being fingerprinted in my opinion – see this or this for instance

      i fall into a very small bucket, at best, because of my writing style – i don’t generally capitalize and i use hyphens instead of periods, plus there are several other nuances that i’ve noticed with the way i write and who knows how many others that could be recognized by an algorithm

      the point is, what precautions you need to take depend largely upon the threat you wish to mitigate – if it’s an ISP or an advertiser, the solution is simple, but if it’s the government or the “intelligence” community you wish to avoid, good f’n luck with that

  5. A noob question about FPI. If I open several sites on the same tab they will be isolated or does the FPI work like the containers where each tab/container has its own isolated content?

    Does enabling the history offer any risk to privacy?

    Note: Sorry if I made any English mistake, I’m using a translation tool to convert Brazilian Portuguese > English.

    1. FPI isolates storage by domain, so if you open site ‘a’ in a tab, then site ‘b’ in the same tab, the storage for both sites is isolated from one another, thus FPI works differently than Firefox’s built-in containers

      the Temporary Containers add-on enhances the built-in container functionality to achieve domain level isolation very similar to what FPI does which is why i personally don’t use containers or the Temporary Containers add-on which, in my view, just add an unnecessary layer of complexity

      as for history, if you enable the option to color visited links (layout.css.visited_links_enabled) it is possible for a website to use some CSS and JS to see if you have visited a link(s) before – to my knowledge this exploit depends on having JS enabled – personally i enable the option to color visited links differently

          1. Perhaps I misunderstood, thought you were using a different method, this is what I was referring to in a previous comment:

            “as for history, if you enable the option to color visited links ( layout.css.visited_links_enabled ) it is possible for a website to use some CSS and JS to see if you have visited a link(s) before – to my knowledge this exploit depends on having JS enabled – personally i enable the option to color visited links differently

Leave a Reply to abqplvym Cancel reply

Your email address will not be published. Required fields are marked *