Following are some questions i've been asked regarding the hardening of the Firefox web browser as outlined in The Firefox Privacy Guide For Dummies! and the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.
Note that most answers assume you have followed one of the aforementioned guides or otherwise incorporated the 'arkenfox' user.js (or similar) for Firefox along with the suggested extensions and other advice provided in their wiki.
If you're looking for an answer to a particular question, try Ctrl + F.
- ESR: Extended Support Release
- dFPI: Dynamic First Party Isolation
- IDB: IndexedDB
- PB: Private Browsing
- RFP: Resist Fingerprinting
A: I think i've been asked this question more than any other. My tl;dr answer is: don't bother with any 3rd party build/fork, the Tor browser being the only exception.
I can understand your mistrust of Mozilla and indeed they are deserving of criticism, however there are several key reasons for not using a 3rd party build/fork of Firefox, be it Waterfox, Pale Moon, etc. What follows is a compilation of 'pants' thoughts and my own after i brought up Waterfox in conversation, which i was using at the time.
Our web browser may be the most important piece of software we use since it's usually our primary gateway to the www and all the attack vectors that come with that. Trusting the integrity of something as crucial and deeply complex as a web browser (currently over 24 million lines of code for Firefox) to a tiny team or a one-man show is potentially a really bad idea for several reasons, one being that critical security patches may not be applied in a timely manner. I have nothing against the Waterfox or other 3rd party developers, but their work often lags behind Mozilla, sometimes by many months, and they simply don't have the technical resources at their disposal that Mozilla does.
Lastly, there is little or nothing one can achieve with regard to privacy that you can't achieve with the official Mozilla release, it just takes a bit more tweaking.
A: uMatrix is no longer developed, though you can still use it (personally i choose to use only uBlock Origin in advanced mode). Although they perform similar functions in that they essentially filter content much like a software firewall, the developer attempted to target different audiences, plus they work somewhat differently. uBlock Origin (uBO) is intended to be easier to use, while uMatrix (uM) offers more granular control.
Both can be used together, but because there is overlapping functionality they need to be configured to work together efficiently.
At one time there was only a single extension and i think Raymond unnecessarily complicated matters for users when he split it, thus creating two with overlapping functionality. uBO is apparently targeted toward novices, yet includes an advanced mode option which has led to confusion and frustration for users who don't RTFM (read the f'ing manual), while uM is targeted toward advanced users. In practice however i found uM easier to use than uBO in its advanced mode but, as mentioned earlier, uM is no longer developed and so i use uBO exclusively.
A: First of all, complete privacy on the web is a pipe dream. I think Michael's advice to use multiple browsers for different tasks is unnecessary for most users. If one is that privacy conscious (or paranoid) then essentially the same degree of isolation can be achieved by simply creating multiple Firefox profiles dedicated to different tasks (social media, purchases, banking, casual browsing, etc.).
What Michael calls "incognito mode" is "private browsing" mode in Firefox and he's right; PB isn't a complete solution to prevent tracking, leaking, etc., however there's a whole lot more going on in Firefox when you employ the 'arkenfox' user.js and the suggested add-ons than just PB mode, one of them being Dynamic First Party Isolation (dFPI), which partitions third-party web storage (cookies, cache, IndexedDB, etc.) by the top-level site you're visiting so that data-slurping sites like Facebook, Twitter, Instagram, etc., get a separate, empty storage bucket on every site that embeds them and aren't able to track you nearly as effectively. Add to that uBlock Origin and some of its filter list options and you have some pretty powerful stuff happening under the hood.
I think it really boils down to how much convenience you are willing to sacrifice in the interest of privacy. In my case, i use one Firefox profile for almost everything except shopping (i don't bank on the web), however i might spin up a new, default profile if i have trouble with a particular website or when i need to troubleshoot a problem with a preference or extension. Note however that i do not do online banking, nor am i a member of any of the mainstream behavioral modification websites, aka "social media". For shopping i keep a very relaxed profile with uBlock Origin installed and set to "Easy" mode.
A: Containers are dead, as is First Party Isolation. The new kid in town is dFPI (Dynamic FPI). I don't use PB or containers at all since dFPI is a much better solution that is far more transparent to the user.
Some websites also use a cross-domain logon system where the browser is forwarded to a different domain for the purpose of logging-on, then back to the original domain. In this case dFPI can break logons, though Firefox employs "shims" to work around common instances of this problem. One way to circumvent this is to simply open the link for the logon domain in a new tab if possible so that both domains remain loaded, then log on in the new tab and refresh the first tab, after which the tab you used to log on can be closed. One website that uses cross-domain login is addons.mozilla.org. If you click the 'Log in' link, you'll be forwarded to accounts.firefox.com and then back to addons.mozilla.org.
A: If JS is enabled, then potentially, yes, but it depends on what the script is looking for. If it were only checking whether you modified the
attribute, and you didn't modify that particular attribute, then no. I have no idea how widespread such scripts are that look for CSS or script injections, but i would guess not very and i would further guess that it may be more likely that they're looking at one, or maybe a few specific attributes.
A: Close your account with that jackass company after deleting everything you possibly can from their server, then remove the add-on and either dump ALL history for your Firefox profile or create a new one and import only the essentials. FVD Speed Dial is a privacy-hating data collection vacuum and it's collecting a lot of it. Nimbus Web, Inc., located in Ohio and incorporated in Delaware, is the company that markets it and they have the balls to beg for donations while they slurp up and sell your personal data. If you want to store personal data off-site so that it's accessible from your other devices, consider something like Nextcloud which is free, open source software. Also see the guidelines for choosing extensions in Firefox Extensions – My Picks.
A: Yes and no. When you test your browser fingerprint at one of the many test sites, you can usually disregard the results. One of the goals of RFP in Firefox, as with the Tor browser, is to make everyone look the same. Because few people use Firefox compared to Google Chrome, and fewer still enable RFP, you're going to look somewhat unique, but not totally.
Unless you're using the Tor browser in its default configuration with no additional extensions installed, i'm not sure it's possible to prevent fingerprinting entirely and the problem seems to be getting worse and worse.
Lastly, i don't pretend to understand all of the details of RFP as a lot of it is very technical and over my head. It is also incomplete at this time, but much has been done.
A: Don't think of fingerprinting as being something that's global or permanent. If you mess up and enable JS on a site where you didn't want to for example, you can ignore the mistake as long as you're using the 'arkenfox' user.js (or equivalent settings). As a precaution you can dump your entire history, including cookies, but there shouldn't be a need to create a new profile. Remember that dFPI partitions nearly all website storage by the top-level site you're visiting, so anything a third party stores while embedded under one site cannot be read back when the same third party is embedded under another. Furthermore, if you're using the 'arkenfox' user.js or similar settings, then most storage is automatically dumped as soon as you close Firefox.
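To make the storage partitioning behind dFPI (referred to in the answers above on tracking, cross-domain logons and fingerprinting mistakes) concrete, here is an added toy model written for this FAQ; it is not Firefox code. Every stored item is keyed by the origin that set it plus the site (eTLD+1) of the top-level page it was set under. The tiny public-suffix list is a constructed stand-in for the real one Firefox consults, and the hostnames are made up.

```javascript
// Toy model of Dynamic First Party Isolation (dFPI). Added example, not Firefox code.
// Storage is keyed by (top-level site, origin) when dFPI is on, and by origin alone
// when it is off (the pre-dFPI behaviour), which is what lets a third party recognise
// you across unrelated sites.

const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']); // constructed subset of the real list

// Registrable domain ("site"): one label above the public suffix.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) return labels.slice(i - 1).join('.');
  }
  return hostname.toLowerCase();
}

class PartitionedStorage {
  constructor() { this.buckets = new Map(); }

  key(topLevelUrl, originUrl, dfpi) {
    const origin = new URL(originUrl).origin;
    return dfpi ? `${siteOf(new URL(topLevelUrl).hostname)}|${origin}` : origin;
  }

  set(topLevelUrl, originUrl, name, value, { dfpi = true } = {}) {
    const k = this.key(topLevelUrl, originUrl, dfpi);
    if (!this.buckets.has(k)) this.buckets.set(k, new Map());
    this.buckets.get(k).set(name, value);
  }

  get(topLevelUrl, originUrl, name, { dfpi = true } = {}) {
    const bucket = this.buckets.get(this.key(topLevelUrl, originUrl, dfpi));
    return bucket ? bucket.get(name) : undefined;
  }
}

// Scenario 1: a tracker embedded on two unrelated sites. Without dFPI it reads the
// same id on both; with dFPI the second site yields an empty bucket. Subdomains of
// the same site (news.example.org and www.example.org) still share one bucket.
function trackerScenario(dfpi) {
  const s = new PartitionedStorage();
  const tracker = 'https://tracker.example.com';
  s.set('https://news.example.org/story', tracker, 'id', 'abc123', { dfpi });
  return {
    onSameSite: s.get('https://www.example.org/other', tracker, 'id', { dfpi }),
    onOtherSite: s.get('https://shop.example.net/cart', tracker, 'id', { dfpi }),
  };
}

// Scenario 2: why a cross-domain logon can break. A session stored by the login host
// while it was the top-level page is invisible once that host is loaded as a third
// party (frame, script, XHR) under the site you were trying to log in to.
function loginScenario() {
  const s = new PartitionedStorage();
  const login = 'https://accounts.example.com';
  s.set('https://accounts.example.com/signin', login, 'session', 'tok');
  return {
    asTopLevel: s.get('https://accounts.example.com/', login, 'session'),
    embeddedUnderSite: s.get('https://app.example.org/', login, 'session'),
  };
}
```

This is also why the workaround in the logon answer (keep the login domain open in its own tab, then refresh the original) helps: it makes the login host a top-level page again, where its own bucket is visible.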
A: I can't offer intelligent advice regarding the Tor browser or network because i'm simply not knowledgeable enough. That said, i'll offer my personal thoughts at this particular time which is simply that i don't trust Tor and that lack of trust is the result, in part, of reading horror stories about some of the people that are, or were, involved in the project and leaked emails between them and the MiB (the NSA or CIA as i recall) about known vulnerabilities and what appears to be a deliberate decision to not patch them in a timely manner for reasons unknown, but which we might speculate upon. Also Tor is funded in part by U.S. government agencies who use it to communicate secretly, or so we're told. So why then is Tor free, open source and available to the public you ask? My understanding is that the more people that use it, the more "noise" there is in the system, thus the harder it is for someone to identify who's communicating with whom.
As for the web browser the Tor project recommends, it's a hardened fork of Mozilla Firefox and much of what has been learned by the Tor developers has been ported to Firefox as part of the Tor Uplift Project.
On the user end, i personally think Tor is limiting and annoying because you're not supposed to use any browser extensions (uniformity among users is crucial) so you can kiss all your fav add-ons goodbye. Also you have little control over what exit node you connect to and bandwidth and latency are crap given 3 layers of encryption, potentially long hops and a less than stable network. Latency sensitive traffic, such as gaming, is out of the question and they also advise against torrenting. Even watching hi-def videos is sometimes not possible. Not being able to choose the exit node means you can't change locations as you can with a VPN and this can be problematic (imagine a YouTube video that's banned in Canada and your exit node is in Canada).
Then there's the question of who's running exit nodes and what damage they may be able to do. Anyone can run an exit node, including those in the "intelligence" community or their contractors. Tor advocates have an answer for almost everything, but they don't convince me that Tor exit nodes can't be compromised in such a way as to identify where the traffic is coming from. That said, you cannot trust any VPN either, so take your pick (but do pick one). Using Tor and the Tor Browser is entirely free and Snowden promotes it, so there's that. Note however that Snowden isn't god, nor does he have intimate knowledge of all things technical.
The other thing to consider is who your foe is because the threat profile of a whistleblower or a journalist who is at risk of physical harm may be very different from your own. If it's your ISP and cannibalistic corporations like Google and Facebook and other lower level players (i.e. not the NSA, CIA, etc.) that you're worried about, then a good VPN should be enough. If it's the 3-letter agencies that concern you, well, good luck because hiding from them for any length of time might be somewhere between difficult and impossible since there's no way to know their capabilities. Our writing style alone is enough to fingerprint us, then there's backdoors in virtually all of our processors thanks to companies like Intel and AMD, the Unified Extensible Firmware Interface (UEFI) which boots most/all modern PCs, the baseband OS running in every phone, etc.
A: Firefox is getting better at protecting against fingerprinting through the Canvas API, however i think CanvasBlocker might still be a good addition to one's arsenal as long as you know how to un-break the sites that it breaks. Personally i no longer use it.
A: Don't! Don't use any user-agent spoofing add-ons since they may very well raise entropy. The answer is to enable RFP and dFPI. With RFP enabled, load a User-Agent test site and you'll see that your UA has been spoofed without any add-ons, plus there's a lot more going on under the hood than any UA spoofing add-on provides.
A: I think Request Control is a good add-on that fills the gaps in uBlock Origin and uMatrix, however it isn't entirely a replacement and it isn't worth the additional hassle for me personally, but if spending a whole lot of time fiddling with its settings doesn't bother you, have at it.
A: The most recent versions of Firefox, along with version 96+ of the 'arkenfox' user.js which enables Dynamic First Party Isolation (dFPI, alongside Firefox's network partitioning), make storage cleaners largely obsolete. That said, if you still think you need one for some reason, Cookie AutoDelete would be my recommendation.
A: I think ETag Stoppa is a good add-on that helps to guard against object cache tracking and i really like the developer (he contributes heavily to the 'arkenfox' user.js project), however it isn't needed if dFPI is enabled or if you're using ClearURLs with the ETag option enabled. Also check out 'claustromaniac's' other add-ons, particularly POOP (Privacy-Oriented Origin Policy).
A: Manipulating HTTP headers is useful in some specialized cases, such as to force CSS/script injection when Content Security Policy (CSP) forbids it, but i don't think many people need this and it can be dangerous: stripping or loosening a site's CSP removes a protection the site relies on against exactly the kind of injected script you're trying to add.
A: I don't use Smart Referer because the functionality to configure when and what referrer is sent to a website is available in Firefox, though i'm not sure it covers every bit of ground that Smart Referer does.
A: No. This would make your fingerprint more unique since very few people block the referrer. Instead you can restrict the referrer with the
preferences so that it sends the referring website only when the host matches (already done in the 'arkenfox' user.js). For example, normally if you open your browser to 12bytes.org and then go to corbettreport.com, corbettreport.com will see that you came from 12bytes.org. If however you set
to '2', then corbettreport.com will receive no referrer at all, because the hosts don't match; the referrer is still sent for links within the same host. On occasion this might break website functionality, such as for cross-domain logins.
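The referrer behaviour described above, as an added model written for this FAQ (it is not Firefox code): given the page you are on and the page you are going to, it returns the Referer Firefox would send under the two network.http.referer.* prefs discussed, assuming the site itself sets no Referrer-Policy. The pref names and their 0/1/2 meanings are the real ones; the one-line "base domain" approximation is an assumption that ignores multi-label public suffixes such as co.uk, and the URLs are made up.

```javascript
// Model of Firefox's cross-origin Referer handling. Added example, not Firefox code.
//
// xOriginPolicy  = network.http.referer.XOriginPolicy
//   0 = always send, 1 = send only if base domains match, 2 = send only if hosts match
// trimmingPolicy = network.http.referer.XOriginTrimmingPolicy (cross-origin sends only)
//   0 = full URL (minus credentials and fragment), 1 = scheme+host+port+path, 2 = scheme+host+port

// Assumption: crude "base domain" = last two labels; wrong for suffixes like co.uk.
function baseDomainApprox(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function referrerFor(fromUrl, toUrl, { xOriginPolicy = 0, trimmingPolicy = 0 } = {}) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const crossOrigin = from.origin !== to.origin;

  if (crossOrigin) {
    // Decide whether to send anything at all.
    if (xOriginPolicy === 2 && from.host !== to.host) return null;
    if (xOriginPolicy === 1 && baseDomainApprox(from.hostname) !== baseDomainApprox(to.hostname)) return null;
    // Decide how much to send.
    if (trimmingPolicy === 2) return from.origin + '/';
    if (trimmingPolicy === 1) return from.origin + from.pathname;
  }
  // Same-origin, or cross-origin with no trimming: full URL without credentials or fragment.
  from.username = '';
  from.password = '';
  from.hash = '';
  return from.href;
}

// The configuration the answer describes: send only when the host matches, trimmed to the origin.
const HOST_MATCH_ONLY = { xOriginPolicy: 2, trimmingPolicy: 2 };

function example() {
  return {
    toOtherSite: referrerFor('https://12bytes.org/some/page', 'https://corbettreport.com/', HOST_MATCH_ONLY),  // null
    withinSite:  referrerFor('https://12bytes.org/some/page', 'https://12bytes.org/other', HOST_MATCH_ONLY),   // full URL
  };
}
```

Worth noting when troubleshooting a broken cross-domain login: with policy 2 the cross-host request carries no Referer header at all, so a login service that insists on one will reject it; policy 1 with trimming 2 is the usual compromise, sending just the origin to hosts under the same base domain.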
A: I think it would be the berries if there was one good, comprehensive, super-add-on that could do it all, but Trace isn't it, not even close. Have a look at what 'Pants' of the 'arkenfox' user.js for Firefox project discovered after playing with Trace for a very short time.
A: If you're using the 'arkenfox' user.js and appropriate filter lists in uBlock Origin, then no. uBO with the appropriate filters covers much more ground than the lists used by Firefox because Mozilla has to be super careful not to break anything, else they might have a few million irate users pounding down their door, not that that would be anything new.
A: Yes, for all sites except for those you want to keep such data.
A: Good question. I don't know, but i doubt it, though it may depend on what you mean by zooming (with Ctrl + mouse wheel or with the
preference). My response would be to ask how much convenience you're willing to sacrifice in the name of privacy. Also this would depend on JS being enabled.
A: Get! Rid! Of! Flash! Player! It's a proprietary, insecure, largely obsolete, privacy-hating piece of shit, and Adobe itself ended support for it at the end of 2020. In my daily surfing i have yet to come across any video anywhere that requires Flash. You likely don't need the Adobe PDF Reader plugin either, nor any other proprietary browser plugins.
A: The built-in Firefox home/new tab page presents some privacy issues. It's hard to be more specific than that because Mozilla often changes the way they use the default home/new tab page, but there are always privacy issues. In my case i set the home/new tab page to about:blank.
A: You can set the new tab/home page to whatever you want, it's just recommended to not use the default Firefox one or any other resource that isn't serious about protecting user privacy.
A: Content Security Policy is used, in part, to protect web browsers against malicious behavior. Basically it consists of a set of directives, delivered in an HTTP response header (or a meta tag), that tell the browser which sources of scripts, styles, frames and other content a page is allowed to load and execute, and what it cannot do with the page and its contents.
Prior to Firefox v77 the CSP thing caused a significant problem with certain extensions, however this has been fixed... finally.
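A minimal CSP evaluator, added here as an example for this FAQ (it is not code from the page or from Mozilla), shows what the directives actually decide: given a header and a script, would the browser run it? It handles the script-src/default-src fallback, the 'self', 'none' and 'unsafe-inline' keywords, scheme sources such as https:, and host sources with wildcards and ports. Nonces, hashes, paths and 'strict-dynamic' are deliberately left out. The two policies and all hostnames are constructed; the "relaxed" one is the sort of header a header-rewriting add-on produces when it forces injection through, which is why the earlier answer calls that dangerous.

```javascript
// Minimal Content Security Policy evaluator. Added example, not Mozilla code.

function parseCsp(header) {
  const policy = new Map();
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    // First occurrence of a directive wins; later duplicates are ignored, per spec.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Does one source expression match the URL of a script on a page with pageOrigin?
function matchesSource(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src.startsWith("'")) return false;                                // other keywords never match a URL
  if (src === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;    // scheme source, e.g. "https:"

  // host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  // A scheme-less host source matches the page's scheme (http pages may also load https).
  const pageProto = new URL(pageOrigin).protocol;
  const allowedProtos = scheme ? [scheme + ':'] : (pageProto === 'http:' ? ['http:', 'https:'] : [pageProto]);
  if (!allowedProtos.includes(url.protocol)) return false;

  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  if (!hostOk) return false;

  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port && port !== '*' && urlPort !== port) return false;
  return true;
}

// script is { inline: true } for an inline <script>, or { src: url } for an external one.
function scriptAllowed(policy, pageOrigin, script) {
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;                                            // no governing directive: not restricted
  if (sources.some(s => s.toLowerCase() === "'none'")) return false;
  if (script.inline) return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  const url = new URL(script.src);
  return sources.some(s => matchesSource(s, url, pageOrigin));
}

// Constructed policies: what a careful site sends vs. what a header-rewriting
// add-on leaves behind when it forces CSS/script injection through.
const STRICT  = "default-src 'self'; script-src 'self' https://cdn.example; img-src *";
const RELAXED = "script-src 'self' 'unsafe-inline' https:";
const PAGE = 'https://shop.example';

function evaluate(header) {
  const policy = parseCsp(header);
  return {
    inline:     scriptAllowed(policy, PAGE, { inline: true }),
    own:        scriptAllowed(policy, PAGE, { src: 'https://shop.example/app.js' }),
    cdn:        scriptAllowed(policy, PAGE, { src: 'https://cdn.example/lib.js' }),
    cdnHttp:    scriptAllowed(policy, PAGE, { src: 'http://cdn.example/lib.js' }),
    thirdParty: scriptAllowed(policy, PAGE, { src: 'https://evil.example/x.js' }),
  };
}
```

Under STRICT only the site's own scripts and its named CDN run, and inline scripts (the usual XSS payload) are refused; under RELAXED any inline script and any https:// script from anywhere runs, which is precisely the protection lost when an add-on rewrites the header.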
A: You never have to reinstall Firefox because everything that websites store is deposited outside of its installation directory, mostly in your profile directory, and its cache is kept in RAM if you're using the 'arkenfox' user.js. If you want to refresh your profile, and thus Firefox, you can just delete your history (cache, cookies, site preferences, etc.) for the time range of 'Everything' and if that doesn't make you feel warm and fuzzy, you can create a new profile, import what you need, then delete the old one, but this is usually unnecessary in my opinion.
A: If you're using my user-overrides.js which is intended to be appended to the 'arkenfox' user.js, then yes, that's what you'll see if there were no syntax errors in either one, however if you're using only the 'arkenfox' user.js, you should see "SUCCESS: No no he's not dead, he's, he's restin'!". Don't forget to do the browser console check as well. This is important because if Firefox finds one little itty-bitty thing wrong in the user.js, it won't process anything after that point and thus the default settings will be loaded. Note that you only need to do these checks after you apply an update to the user.js or user-overrides.js, or you edit either file (and you should never be editing the 'arkenfox' user.js directly - all changes/additions need to be placed in a user-overrides.js).
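To show why the post-update check matters, here is an added example written for this FAQ: a small user.js reader that applies user_pref() calls in order and stops at the first syntax error, which is the behaviour the answer above describes. It is not Firefox's own parser (that lives in Firefox's libpref module and is not reproduced here), and the grammar it accepts is limited to what a user.js normally contains: block and line comments, and user_pref() with a string, integer or boolean value. It reports what was applied and where parsing stopped, so it doubles as a lint you can run on user.js or user-overrides.js before restarting Firefox. The sample file is constructed.

```javascript
// user.js reader that stops at the first syntax error. Added example, not Firefox's parser.

function parseUserJs(text) {
  const prefs = new Map();
  // Each iteration consumes exactly one of: a block comment, a line comment,
  // a user_pref("name", value); statement, or whitespace. Anything else is an error.
  // String values are assumed to use JSON-compatible escapes (\" and \\).
  const token = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;|\s+/y;
  let pos = 0;
  while (pos < text.length) {
    token.lastIndex = pos;
    const m = token.exec(text);
    if (!m) {
      // Nothing legal starts here: report the spot and return only what was applied so far.
      const before = text.slice(0, pos);
      const eol = text.indexOf('\n', pos);
      return {
        prefs,
        error: {
          line: before.split('\n').length,
          column: pos - before.lastIndexOf('\n'),
          snippet: text.slice(pos, eol === -1 ? text.length : eol),
        },
      };
    }
    if (m[1] !== undefined) {
      const name = JSON.parse(m[1]);
      const raw = m[2];
      const value = raw.startsWith('"') ? JSON.parse(raw)
                  : raw === 'true' ? true
                  : raw === 'false' ? false
                  : Number(raw);
      prefs.set(name, value); // a later user_pref for the same name overrides an earlier one
    }
    pos = token.lastIndex;
  }
  return { prefs, error: null };
}

// Constructed sample: one missing semicolon on line 5 means the last pref is never applied.
const SAMPLE = `
/* constructed user-overrides.js */
user_pref("privacy.resistFingerprinting", true);
user_pref("network.http.referer.XOriginPolicy", 2);   // send referer only when hosts match
user_pref("browser.startup.homepage", "about:blank")  // <-- missing semicolon
user_pref("privacy.firstparty.isolate", false);
`;

function checkSample() {
  const { prefs, error } = parseUserJs(SAMPLE);
  return {
    applied: [...prefs.keys()],
    errorLine: error ? error.line : null,
    errorSnippet: error ? error.snippet.trim() : null,
  };
}
```

Run against the sample, only the first two prefs are applied and the error points at line 5; everything after that line silently keeps its default, which is exactly the failure the browser console check is there to catch.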
A: Actually i personally don't recommend either anymore since the functionality to forward HTTP sites to HTTPS has been incorporated into Firefox, though some folks still prefer HTTPZ over the in-built functionality. HTTPZ is basically an install-it-and-forget-it add-on. It's small, simple to configure, and it just works. There may have been advantages with the EFF's HTTPS Everywhere when you visit a secure site that pulls content from a non-secure one (think images). In this case i believe HTTPS Everywhere will attempt to upgrade the 3rd party requests whereas i don't believe HTTPZ will. On the flip side, HTTPS Everywhere may not upgrade an insecure site at all if it's not in their database. It also consumes significantly more memory than HTTPZ. In the end though, both are obsolete in my opinion.
A: Because "most" != "all". Anyone in between you and your destination can potentially see *and manipulate* traffic if it's not encrypted, starting with your ISP (and don't think they don't). This could include your neighbor if you're wireless. While this may be less of an issue if you're using a VPN, it's still an issue.
A: Both bookmarks and their accompanying site icons/favicons are stored locally unless you enable Firefox Sync in which case they're stored locally and remotely. I don't use, nor recommend using Firefox's Sync because i only want me to be in control of my data. If you want to share bookmarks and other stuff between Firefox instances on different devices, look into setting up your own "cloud" server.