FAQ: Firefox Hardening

A: I think i've been asked this question more than any other. My tl;dr answer is: don't bother with anything except the official Firefox browser from Mozilla, the Tor browser being the only exception.

I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there's several key reasons for not using other browsers or Firefox forks, be it Waterfox, Pale Moon, etc.. What follows is a compilation of 'pants' thoughts and my own after i brought up Waterfox in conversation, which i was using at the time.

Our web browser may be the most important piece of software we use since it's usually our primary gateway to the www and all the attack vectors that come with that. Trusting the integrity of something as crucial and deeply complex as a web browser (currently more than 24+ million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers, but their work often lags behind Mozilla, sometimes by many months, and they simply don't have the technical resources at their disposal that Mozilla does.

Lastly, there is little or nothing one can achieve with regard to privacy that you can't achieve with the official Mozilla release, it just takes a bit more tweaking.

A: uMatrix is no longer actively developed, though you can still use it (personally i choose to use only uBlock Origin in advanced mode). Although they perform similar functions in that they essentially filter content much like a software firewall, the developer attempted to target different audiences, plus they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.

Both can be used together, but because there is overlapping functionality they need to be configured to work together efficiently.

In the case where both are used, i suggest using uBO to handle the static filtering (the 3rd party filter lists used for ad blocking and such) and uMatrix to handle the dynamic filtering (JavaScript, cookies, frames, etc.). In this scenario you can essentially forget about uBO after installing and configuring it as most of your attention will be focused on uM.

At one time there was only a single extension and i think Raymond unnecessarily complicated matters for users when he split it, thus creating two with overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for users who don't RTFM (read the f'ing manual), while uM is targeted toward advanced users. In practice however i found uM easier to use than uBO in it's advanced mode.

A: First of all, complete privacy on the web is a pipe dream. I think Michael's advice to use multiple browsers for different tasks is likely unnecessary for most users. If one is that privacy conscience (or paranoid) then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).

What Michael calls "incognito mode" is "private browsing" mode in Firefox and he's right; PB isn't a complete solution to prevent tracking, leaking, etc., however there's a whole lot more going on in other than just PB mode in Firefox when you employ the 'arkenfox' user.js and the suggested add-ons, one of them being Dynamic First Party Isolation (dFPI) which isolates web storage per domain so that data-slurping sites like Facebook, Twitter, Instagram, Twitter, etc., aren't able to track you nearly as effectively. Add to that uBlock Origin and some filter lists and you have some pretty powerful stuff happening under the hood.

That said, i think it really boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use one Firefox profile for almost everything except shopping, however i might spin up a new, default profile if i have trouble with a particular website or when i need to troubleshoot a problem with a preference or extension. Note however that i do not do online banking, nor am i a member of any of the mainstream behavioral modification websites, aka "social media". For shopping i keep a very relaxed profile with uBlock Origin installed and set to "Easy" mode.

A: Containers are dead, as is First Party Isolation. The new kid in town is dFPI (Dynamic FPI). I don't use PB or containers at all since dFPI is a much better solution that is far more transparent to the user.

A: Certain preferences in the 'arkenfox' user.js could cause this as well as certain add-ons. Most often JavaScript and cookies must be allowed for logons to succeed, so if you're using uBlock Origin and/or uMatrix, you may need to alter their settings for specific domains.

Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging-on, then back to the original domain. In this case dFPI can break logons though there "shims" being added to Firefox to overcome common instances of this problem. One way to circumvent this is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded, then log on in the new tab and refresh the first tab, after which the tab you used to log on can be closed. One website that uses cross-domain login is addons.mozilla.org. If you click the 'Log in' link, you'll be forwarded to accounts.firefox.com and then back to addons.mozilla.org.

A: If JS is enabled, then potentially, yes, but it depends on what the script is looking for. If it were only checking whether you modified the <body> attribute, and you didn't modify that particular attribute, then no. I have no idea how widespread such scripts are that look for CSS or script injections, but i would guess not very and i would further guess that it may be more likely that they're looking at one, or maybe a few specific attributes.

A: Close your account with that jackass company after deleting everything you possibly can from their server, then remove the add-on and dump all history for your Firefox profile. FVD Speed Dial is a privacy-hating data collection vacuum and it's collecting a lot of it. Nimbus Web, Inc., located in Ohio and incorporated in Delaware, is the company that markets this atrocious crap and they have the balls to beg for donations while they slurp up and sell your personal data. If you want to store personal data off-site so that it's accessible from your other devices, consider something like Nextcloud which is free, open source software. Better yet, don't store anything sensitive in the so-called "cloud". Also see the guidelines for choosing extensions in Firefox Extensions – My Picks.

A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP (privacy.resistFingerprinting) in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you're going to look somewhat unique, but not totally. Hopefully this preference will be enabled by default in the near future.

There are a myriad of ways to fingerprint the browser and RFP tries to deal with a lot of them. Many metrics depend on JavaScript being enabled while some don't.

Unless you're using the Tor browser in its default configuration with no additional extensions installed, i'm not sure it's possible to prevent fingerprinting entirely and the problem seems to be getting worse.

Lastly, i don't pretend to understand all of the details of RFP or the methods used to fingerprint a web browser as a lot of it is very technical and over my head.

A: There shouldn't be a need to create a new profile. Remember that dFPI isolates nearly all website storage on a per-domain basis, so storage set by one domain cannot be accessed by another. Furthermore, if you're using the 'arkenfox' user.js or similar settings, most storage is automatically dumped as soon as you close Firefox.

A: I can't offer intelligent advice regarding the Tor browser or network because i'm simply not knowledgeable enough. That said, i'll offer my personal opinion at this particular time which is simply that i don't trust Tor and that lack of trust is the result, in part, of reading horror stories about some of the people that are, or were, involved in the project and leaked emails between them and the MiB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown, but which we might speculate upon. Tor is funded in part by U.S. government agencies who use it to communicate secretly, or so we're told. So why then is Tor free, open source and available to the public you ask? My understanding is that the more people that use it, the more "noise" there is in the system, thus the harder it is for someone to identify who's communicating with whom.

As for the web browser the Tor project recommends, it's a hardened fork of Mozilla Firefox and much of what has been learned by the Tor developers has been ported to Firefox as part of the Tor Uplift Project.

On the user experience end, i personally think Tor is limiting and annoying because you're not supposed to use any browser extensions (uniformity among users is crucial) so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive traffic, such as gaming, is out of the question and they also advise against torrenting. Even watching hi-def videos is sometimes not possible. Not being able to choose the exit node means you can't change locations as you can with a VPN and this can be problematic (imagine a YouTube video that's banned in Canada and your Tor exit note is in Canada).

Then there's the question of who's running exit nodes and what damage they may be able do. Anyone can run an exit node, including those in the "intelligence" community, their contractors, malicious hackers, etc.. Tor advocates have an answer for almost everything, but they don't convince me that Tor exit nodes can't be compromised in such a way as to identify where the traffic is coming from. Matter of fact, it is possible to simulate an entire Tor network on a single machine. That said, you cannot trust any VPN either, so take your pick (but do pick one). Using Tor and the Tor Browser is entirely free and Snowden promotes it, so there's that. Note however that Snowden isn't god, nor does he have intimate knowledge of all things technical.

The other thing to consider is who your foe is because the threat profile of a whistleblower or a journalist who is at risk of physical harm may be very different from your own. If it's your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you're worried about, then a good VPN should be enough. If it's the 3-letter agencies that concern you, well, good luck because hiding from them for any length of time might be somewhere between difficult and impossible since there's no way to know their capabilities. Our writing style alone is enough to fingerprint us, then there's backdoors in virtually all of our processors thanks to companies like Intel and AMD, the Unified Extensible Firmware Interface (UEFI) which boots most/all modern PC's, the baseband OS running in every phone, etc..

Also see: Tor versus a VPN - Which is right for you?

A: Be careful! Firefox has gotten much better at protecting against tracking and fingerprinting when ETP and RFP are enabled, and especially so when using the 'arkenfox' user.js. Add-ons like CanvasBlocker, user-agent switchers, JShelter, cookie/storage cleaners, container add-ons, etc., are largely or entirely unnecessary and in many cases they can interfere with Firefox's built-in privacy protections and/or raise entropy (do the opposite of protecting privacy). Other than uBlock Origin and Skip Redirect and, optionally, Privacy-Oriented Origin Policy (POOP), no other add-ons are needed. Any additional privacy related add-ons should be evaluated very carefully with a focus on how they interact with ETP and RFP.

A: I prefer ClearURLs because you can install it and forget it. Neat URL would be my 2nd choice, but it will probably break websites more often than the former. That said, i no longer use either and instead use ClearURLs for uBo.

A: Manipulating HTTP headers is useful in some cases, such as to force CSS/script injection when Content Security Policy (CSP) forbids it, but i don't think many people need this and it can be dangerous.

A: No! This would make your fingerprint more unique since very few people block the referrer. Instead you can spoof the referrer with the  network.http.referer.XOriginPolicy preferences so that it sends the referring website only when the host matches (already done in the 'arkenfox' user.js). For example, normally if you open your browser to 12bytes.org and then go to corbettreport.com, corbettreport.com will see that you came from 12bytes.org. If however you set network.http.referer.XOriginPolicyto '2', then corbettreport.com will see corbettreport.com as the referrer. On occasion this might break website functionality, such as for cross-domain logins.

A: Absolutely!!! Many fingerprinting and tracking techniques rely upon JavaScript being enabled, which is why i *strongly* suggest disabling JS globally, such as with uBlock Origin, then allowing it on a site-by-site basis as needed. Beyond the invasion of privacy there are serious security risks with JS as well. Also see the Changing how websites look or work section of the Firefox Tweaks and Fixes and Styles and Things page to learn how you can regain functionality without enabling JS in some cases.

A: Set it to "Strict" (the 'arkenfox' user.js will do this for you if you decide to employ it). There's a lot more going on when ETP is set to "Strict", including site/storage isolation.

A: Yes, for all sites except for those you want to keep such data for which you can add exceptions.

A: It can if JS is allowed to run.

A: Get! Rid! Of! Flash! Player! It's a proprietary, insecure, largely obsolete, privacy-hating piece of garbage. In my daily surfing i have yet to come across any video anywhere that requires Flash. You should dump the Adobe PDF Reader plugin also if it's installed, as well as any other proprietary browser plugins.

A: The built-in Firefox home/new tab page presents some privacy issues. It's hard to be more specific than that because Mozilla often changes the way they use the default home/new tab page, but there are always privacy issues. You could set the home/new tab page to about:blank if you wanted, or better yet, have a look at the Mark-It add-on on my extensions page.

A: Don't use DuckDuckGo, or the default Firefox new tab page, but yeah, you can set the new tab/home page to whatever you want as long as the resource is serious about protecting your privacy.

A: Content Security Policy is used, in part, to protect web browsers against malicious behavior. Basically it consists of HTTP headers that instruct the browser what it can and cannot to do with a webpage and its contents and how it should interact with it.

Prior to Firefox v77 the CSP thing caused a significant problem with certain extensions, however this has been fixed... finally.

A: You never have to reinstall Firefox because everything that websites store is deposited outside of it's installation directory, mostly in your profile directory, and its cache is kept in RAM if you're using the 'arkenfox' user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of 'Everything' and if that doesn't make you feel warm and fuzzy, you can create a new profile, import what you need, then delete the old one, but this is probably unnecessary.

A: If you're using my user-overrides.js which is intended to be appended to the 'arkenfox' user.js, then yes, that's what you'll see if there were no syntax errors in either one, however if you're using only the 'arkenfox' user.js, you should see "SUCCESS: No no he's not dead, he's, he's restin'!". Don't forget to do the browser console check as well. This is important because if Firefox finds one little itty-bitty thing wrong in the user.js, it won't process anything after that point and thus the default settings will be loaded. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the 'arkenfox' user.js directly - all changes/additions need to be placed in a user-overrides.js).

A: See Troubleshooting Firefox preferences and Troubleshooting problems with add-ons.

A: No HTTP upgrade add-on is necessary since this functionality has been added to Firefox (see about:preferences#privacy) and i would recommend setting it to "Enable HTTPS-Only Mode in all windows".

A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync in which case they're stored locally and remotely. I don't use, nor recommend using Firefox's Sync because i only want me to be in control of my data. If you want to share bookmarks and other stuff between Firefox instances on different devices, look into setting up your own "cloud" server.