Following are some questions i've been asked regarding the hardening of the Firefox web browser as outlined in The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.
Note that most answers given assume you have followed one of the aforementioned guides or otherwise incorporated the 'arkenfox' user.js (or similar) for Firefox along with the suggested extensions and other advice provided in their wiki.
If you're looking for an answer to a particular question, try Ctrl + F.
- ESR: Extended Support Release
- FPI: First Party Isolation
- IDB: IndexedDB
- PB: Private Browsing
- RFP: Resist Fingerprinting
A: I think i've been asked this question more than any other. The tl;dr answer is: don't bother with any 3rd party build, the Tor browser being the only exception.
I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there's several key reasons for not using a 3rd party build/fork of Firefox, be it Waterfox, Pale Moon, etc.. The only exception is the Tor Browser. What follows is a compilation of 'pants' thoughts and my own after i brought up Waterfox in conversation, which i was using at the time.
Our web browser is perhaps the most important piece of software we use since it's our primary gateway to the www and all the attack vectors that go with connecting to the Wide Area Network. Trusting the integrity of something as crucial and deeply complex as a web browser (currently more than 20 million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers, but their work does indeed lag behind Mozilla, sometimes by many months, plus they simply don't have the technical resources at their disposal that Mozilla does.
Lastly, there is little or nothing one can achieve with regard to privacy that you can't achieve with Mozilla Firefox, it just takes a bit more tweaking.
A: uMatrix is no longer developed, though you can still use it. Although they perform similar functions in that they essentially filter content much like a software firewall, the developer attempted to target two different audiences, plus they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.
Both can be used together, but because there is overlapping functionality they need to be properly configured to work together efficiently. If you've followed the The Firefox Privacy Guide For Dummies! only uBlock is used whereas both are used in the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.
At one time there was only a single extension and i think the developer unnecessarily complicated matters when he split it, thus creating two extensions with overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for users who don't RTFM (read the f'ing manual), while uM is targeted toward advanced users only. In practice however i find uM easier to use than uBO in it's advanced mode.
A: I think Michael's advice to use multiple browsers for different tasks is unnecessary. If one is that privacy conscience (or paranoid), then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).
What Michael calls "incognito mode" is "private browsing" mode in Firefox and he's right; PB isn't a complete solution to prevent tracking, leaking, etc., however there's a whole lot more going on in Firefox when you employ the 'arkenfox' user.js and the suggested add-ons than just PB mode, one of them being First Party Isolation which isolates one domain (think Facebook) from being able to track you across other domains. Another defense against tracking and fingerprinting that is enabled in the 'arkenfox' user.js is resistance to browser fingerprinting (RFP). Add to that uBlock Origin and some of its filter lists options and/or uMatrix and the isolation becomes even more complete.
It boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use Firefox and one profile for almost everything, however i'll spin up a new default profile if i have trouble with a website which happens occasionally when making a purchase, or when i need to troubleshoot a problem with a preference or extension. Note however that i do not do online banking, nor am i a member of any of the mainstream social behavioral modification websites, aka "social media".
Regarding purchases and banking, there's obviously not much reason to hide when you're providing accurate personal information, but creating a new and disposable profile for these kinds of things is certainly not a bad idea.
A: I think there's very little advantage to using containers over FPI (
). I don't use PB or containers at all because i think they're largely unnecessary given my configuration and requirements. The best container add-on i know of is Temporary Containers and i don't care for it because of its complexity and the fiddling it requires, plus it needs to be used with yet another add-on, Firefox Multi-Account Containers, to make using containers more transparent. FPI covers largely, though not quite exactly, what TC accomplishes and does so in a way that is far more transparent to the user. That said, if you still want to use the Temporary Containers add-on, then i would suggest that one profile for each major use case is enough (banking, casual browsing, etc.).
Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging-on, then back to the original domain. In this case storage cleaner add-ons, such as Cookie AutoDelete, can break logons because they will auto-delete storage for the first domain as soon as you are forwarded to the second. One way to circumvent this is to whitelist the first domain in the storage cleaner add-on. Another is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded. One website that uses cross-domain login is addons.mozilla.org. If you click the 'Log in' link, you'll be forwarded to accounts.firefox.com and then back to addons.mozilla.org.
(FPI) can also break cross-domain logons, however FPI is such an important item that disabling it in your primary Firefox profile should be avoided at all cost unless containers are used.
A: If JS is enabled, then potentially, yes, but it depends on what the script is looking for. If it were only checking whether you modified the
attribute, and you didn't modify that particular attribute, then no. I have no idea how widespread such scripts are, but i would guess not very and i would further guess that it may be more likely that they're looking at one, or maybe a few specific attributes.
A: Remove it immediately and either dump ALL history for your Firefox profile or create a new one and import only the essentials. FVD Speed Dial is a privacy-hating data collection vacuum and it's collecting a lot of it. Nimbus Web, Inc., located in Ohio and incorporated in Delaware, is the company that markets FVD Speed Dial (and they have the balls to beg for donations). If you want to store personal data off-site so it's accessible using other devices, consider something like Nextcloud which is free, open source software. Also see the guidelines for choosing extensions in Firefox Extensions – My Picks.
A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you're going to look somewhat unique.
Unless you're using the Tor browser in its default configuration with no additional extensions installed, i'm not sure it's possible to prevent fingerprinting entirely and the problem seems to be getting worse and worse.
Lastly, i don't pretend to understand all of the details of RFP as a lot of it is very technical and over my head. It is also incomplete at this time, but much has been done.
A: Don't think of fingerprinting as being something that's global or permanent. If you mess up and enable JS on a site where you didn't want to for example, you can ignore the mistake as long as you're using the 'arkenfox' user.js (or equivalent settings) and their recommended and properly configured extensions. As a precaution you can dump your entire history, including cookies, but there shouldn't be a need to create a new profile. Remember that FPI isolates nearly all website storage on a per-domain basis, so storage set by one domain cannot be accessed by another. Furthermore, if you're using a storage cleaner add-on, such as Cookie AutoDelete, most storage is automatically dumped as soon as you leave the domain (close all tabs loaded by the domain).
Lastly, your browser will be fingerprinted. The question is, how lasting that fingerprint is and with the 'arkenfox' user.js, you need now worry too much.
A: I can't offer intelligent advice regarding the Tor network because i'm simply not knowledgeable enough. That said, i'll offer my personal thoughts at this particular time which is simply that i don't trust it and that lack of trust is the result, in part, of reading horror stories about some of the people that are, or were, involved in the project and leaked emails between them and the MiB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown, but which we might speculate upon. Also Tor is funded in part by U.S. government agencies who use it to communicate secretly. So why then is Tor free, open source and available to the public you ask? My understanding is that the more people that use it, the more "noise" there is in the system, thus the harder it is for someone to identify who's communicating with whom.
As for the web browser the Tor project recommends, it's a hardened fork of Mozilla Firefox and some, and perhaps much of what has been learned is being ported to Firefox as part of the Tor Uplift Project.
On the user end, i personally think Tor is limiting and annoying because you're not supposed to use any browser extensions (uniformity among users is crucial), so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive gaming is totally out of the question and they also advise against torrenting. Even watching hi-def videos can be problematic. Not being able to choose the exit node means that, although you want to appear as coming from 'x' country, you don't have a choice and this can be problematic (imagine a YouTube video that's banned in Canada and your exit note is in Canada).
Then there's the question of who's running exit nodes and what damage they may be able do. Anyone can run an exit node, including those in the "intelligence" community. Tor advocates have an answer for almost everything, but they don't convince me. That said, you cannot fully trust any VPN either, so take your pick (but do pick one). That said, using Tor and the Tor Browser is entirely free and Snowden promotes it, so there's that. Note however that Snowden isn't as knowledgeable in certain areas as one might presume.
The other thing to consider is who your foe is because the needs of a whistleblower or a journalist who is at risk of physical harm or career suicide may be very different than your threat profile. If it's your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you're worried about, then a good VPN should be enough. If it's the 3-letter agencies that concern you, well, good luck because hiding from them for any length of time might just be somewhere between difficult and impossible. The way we write and form sentences alone is enough to fingerprint us, then there's technologies like Intel's and AMD's backdoors in virtually all of their processors, the baseband OS running in every phone, etc..
A: Firefox is getting better at protecting against fingerprinting through the Canvas API, however i think CanvasBlocker is still a good addition to ones arsenal as long as you know how to un-break the sites that it breaks.
A: Don't use any user-agent spoofing add-ons since they may very well raise entropy. The answer is to enable RFP (
) instead. With RFP enabled, load a User-Agent test site and you'll see that your UA has been spoofed without any add-ons, plus there's a lot more going on with RFP than with the UA spoofing add-ons.
A: I think Request Control is a good add-on that fills the gaps in uBlock Origin and uMatrix, however it isn't entirely a replacement for them and it isn't worth the added hassle for me personally, but if spending a whole lot of time fiddling with its settings doesn't bother you, have at it.
A: Cookie AutoDelete (CAD) and Site Bleacher are the only two storage cleaners i'm aware of at this time that remove indexedDB (iDB) storage automatically *while you surf*. Of the two i would definitely recommend CAD without hesitation. Forget Me Not should follow suit in the near future. In addition to iDB storage, CAD also addresses local storage, cache, plugin data, workers and cookies.
A: I think ETag Stoppa is a good add-on that helps to guard against object cache tracking and i really like the developer (he contributes heavily to the 'arkenfox' user.js project), however it isn't needed if FPI is enabled and you're dumping cache regularly with a storage cleaner add-on or if you're using ClearURLs with the ETag option enabled. Also check out 'claustromaniac's' other add-ons, particularly HTTPZ and POOP (Privacy-Oriented Origin Policy).
A: Manipulating HTTP headers is useful in some specialized cases but i don't think many people would gain much from it.
A: I don't use Smart Referer because there's settings in both uMatrix and Firefox for configuring when and what referrer is sent to a website, though i'm not sure they cover every bit of ground that Smart Referer does. If you use uMatrix i'd suggest enabling the option to spoof the referrer. Also uM has a switch so you can set it per-domain.
A: It's not supposed to, and if it did your fingerprint would be more unique since very few people block the referrer. If you have the option enabled then uMatrix will spoof the referrer by setting the referrer to the domain you're visiting as though it was the first one you visited after opening your browser. For example, if you visit 12bytes.org, uM will send 12bytes.org as the referrer, then if you go to corbettreport.com, instead of sending 12bytes.org as the referrer, it will send corbettreport.com. This can break website functionality in some cases, such as cross-domain logins, just so you're aware, but you can easily toggle it on/off per-domain in uM.
A: I think it would be the berries if there was one good, comprehensive add-on that could do it all, but Trace isn't it, not even close. Have a look at what 'Pants' of the 'arkenfox' user.js for Firefox project discovered after playing with Trace for a very short time.
A: If you're using the 'arkenfox' user.js and appropriate filter lists in uBlock Origin, then no. uBO with the appropriate filter lists enabled covers much more ground than the lists used by Firefox because Mozilla has to be super careful not to break anything, else they might have a few million irate users pounding down their door.
A: For all except that those you want to keep, sure, but you don't have to worry about it if you're using a proper storage cleaner such as Cookie AutoDelete or you adjusted the relevant preferences within the 'arkenfox' user.js. You can also allow all 1st party cookies globally in Firefox and let your storage cleaner crush them automatically if you want to avoid the hassle (actually you need to to do this for CAD to work). For those you want to keep, like maybe the settings for DuckDuckGo for example, you can whitelist their domains.
A: Good question. I don't know, but i doubt it, though it may depend on what you mean by zooming (with Ctrl + mouse wheel or with the
preference). My response would be to ask how much convenience you're willing to sacrifice in the name of privacy. Also i believe this would depend on JS being enabled.
A: Get! Rid! Of! Flash! Player! It's a proprietary, insecure, largely obsolete, privacy-hating piece of shit. In my daily surfing i have yet to come across any video anywhere on any video platform or website that requires Flash. You likely don't need the Adobe PDF Reader plugin either, nor any other proprietary browser plugins.
A: The built-in Firefox home/new tab page presents some privacy issues. It's hard to be more specific than that because Mozilla changes the way they use the default home/new tab page, but there are always privacy issues.
A: You can set the new tab/home page to whatever you want, it's just recommend to not use the default Firefox one or any other resource that isn't serious about protecting user privacy. Be aware that whatever resource you use as the home page may not be subject to filtering by add-ons like uBlock or uMatrix when you first start the browser, so please don't set your home page to 'malicious-hackers-on-acid.com' (or Facebook, Google, etc.).
A: Content Security Policy is used, in part, to protect you and your browser against malicious behavior. Basically it consists of HTTP headers that instruct the browser what it can and cannot to do with a webpage and its contents and how it should interact with it.
Prior to Firefox v77 the CSP issue caused a significant problem with certain extensions, however this has been fixed... finally.
A: You never have to reinstall Firefox because everything that websites store is deposited outside of it's installation directory, mostly in your profile directory, and its cache is kept in RAM if you're using the 'arkenfox' user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of 'Everything' and if that doesn't make you feel comfy, you can create a new profile, import what you need, then delete the old one, but this is usually unnecessary in my opinion.
A: If you're using my user-overrides.js which is intended to be appended to the 'arkenfox' user.js, then yes, that's what you'll see if there were no syntax errors in either one, however if you're using only the 'arkenfox' user.js, you should see "SUCCESS: No no he's not dead, he's, he's restin'!". Don't forget to do the browser console check as well. This is important because if Firefox finds one little thing wrong in the user.js, it won't process anything after that point. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the 'arkenfox' user.js directly - all changes/additions need to be placed in a user-overrides.js).
A: HTTPZ is basically an install-it-and-forget-it add-on. It's small, simple to configure, and it just works. There may be an advantage with the EFF's HTTPS Everywhere when you visit a secure site that pulls content from a non-secure one (think images). In this case i believe HTTPS Everywhere will attempt to upgrade the 3rd party requests whereas i don't believe HTTPZ will. On the flip side, HTTPS Everywhere may not upgrade an insecure site at all if it's not in their database. It also consumes significantly more memory than HTTPZ. The other HTTP to HTTPS add-ons i wouldn't bother with.
A: Because "most" does not equal "all". Anyone in between you and your destination can potentially see *and manipulate* that traffic if it's not encrypted, starting with your ISP. This could include your neighbor if you're wireless. While this may be less of an issue if you're using a VPN, it's still an issue.
A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync in which case they're stored locally and remotely. I don't use nor recommend using Firefox's Sync. If you want to share bookmarks and other stuff between Firefox instances on different devices, look into setting up your own "cloud" server.