Firefox Search Engine Cautions, Recommendations

Firefox Search Engine Monetization

See the revision history at the end of this document.

Contents show

When 'free' software isn't

Have you ever wondered how Mozilla gets paid by the privacy-hating mega-monopolies like Google? Simple; when you use the default search engine plugins that are packaged with the browser, parameters similar to these are added to your search query:

client=firefox
name="appid" value="ff"
name="hspart" value="mozilla"

These parameters inform the search engine that you're using a Firefox/Mozilla product and that, in part, is how Mozilla is able to rake in millions annually. I would have no problem whatsoever with Mozilla making money were it an ethical company, but it isn't. If you do not wish to support Mozilla for partnering with highly unethical companies like Google or want to punish them for the many other stupid things they've done, read on.

Types of search engines

The two primary types of search engines are meta search engines and search indexes and it is important to understand the difference. Google, Yahoo and Bing for example use software "robots" called "crawlers" to discover and index web content. In other words these companies actively seek out updated and fresh content to store in their databases so it's ready for you to find. On the other hand, meta search engines do not index the web and instead rely upon third parties such as Google and/or Bing to provide their search results (most use Bing). When you use these so-called "alternative" search engines, such as DuckDuckGo, Startpage, Searx, etc., you are still subject to the filter bubbles and censorship that is practiced by the corporate giants. That said, privacy-respecting meta search engines may still have value because they offer a method to access the data-harvesting corporate giants without the privacy violations that accessing them directly would incur. Understand though that they are not true alternatives as they are often described, but more like proxies. These "alternative" search engines are also subject to local laws, such as secret surveillance requests issued by a government.

Indexing the web involves storing massive amounts of data and having the bandwidth to deliver the search results and this is an incredibly difficult and expensive proposition that requires significant resources and infrastructure. This is why meta search companies like DuckDuckGo, Startpage, Qwant and others rely heavily upon corporations like Alphabet's Google and Microsoft's Bing. There are better alternatives that both respect your privacy and are censorship resistant however. Ever hear of a peer-to-peer distributed search engine? Imagine a free, open-source, decentralized search engine where the web index is created and distributed by ordinary people using personal computers, each storing a piece of the whole. This is what the developers behind YaCy have done with their search engine and i think it's a great way to escape the filter bubbles created by big tech, however YaCy is not yet a viable search engine as of this writing. Mojeek, although it's a centralized search engine, is very focused on privacy, maintains it's own index, and is quite usable. For a list of alternative search engines, see Alternative Search Engines That Respect Your Privacy.

Adding search engines to Firefox

To mitigate potential risks to your anonymity posed by the default Firefox search engines, simply disable all of them and use alternatives. One easy way to add a search engine to Firefox is to find one you like and then right-click the address bar and click the "Add..." menu item. Most search engines can be added to Firefox in the same way, but there are additional methods also.

Another easy way to add a custom search engine to Firefox is with the Search Engines Helper add-on by Soufiane Sakhi.

Yet another way to add custom search engines is by using the mozlz4-edit add-on by 'serj_kzv'. This extension allows you to edit the search.json.mozlz4 search engine plugin file directly from within Firefox, though a browser restart is necessary before the changes are realized. This file is located in your Firefox profile directory and it is here that Firefox stores the code for all of its search engine plugins. If you use this tool, be careful not to touch the default search engines in the file, else Firefox will discard all your changes. Instead you can create copies of the default engines and edit the copies if you want to use them.

Manually editing search.json.mozlz4

If you would rather avoid the hassle of manually editing the default Firefox search engine plugins, see the 'Download preconfigured search plugins' section below where you can download my search.json.mozlz4file.

If you don't want to manually edit the default Firefox search engine plugins you should at least use something like the ClearURLs add-on or the ClearURLs for uBo list which requires uBlock Origin and which strips the tracking parameters from the search result links. You should also disable JavaScript for all mainstream search engine websites where possible, especially Google and Bing. For this i would again recommend uBlock Origin by Raymond Hill.

If you have already added custom search engines to Firefox, create a copy of search.json.mozlz4 and work with the copy, reason being that if you mess up, Firefox will will delete all of your modifications and restore the default search plugins. If you don't want to see or use the default engines, simply disable them in the search preferences of Firefox. And no, as far as i know you cannot remove the default search engine plugins. If you don't know where your Firefox profile is located, load about:profiles in the address bar and you'll figure it out.

To edit the search engines contained in the search.json.mozlz4 file using the mozlz4-edit extension, just click it's tool bar icon, then 'Open file' and point it to your search.json.mozlz4file after you've made a backup copy. I'm not sure it's possible to sanitize the default search engine plugins which are packaged with Firefox any longer because the URL parameters discussed earlier are no longer contained in the file, but if you want to modify them in any way you must copy them and edit the copies being sure to give the copies different names since no two search plugins can share the same name.

Download preconfigured search plugins

If you'd rather avoid editing the search engine plugins, you can download a copy of my personal search.json.mozlz4 file that should work for Firefox version 57 and up ("up" meaning until the next time Mozilla decides to break everything again). The download contains the default engines which come with the U.S. English version of Firefox along with a pile of additional search engines i use. All in all there's around 35 search engine plugins.

Download: search.json.mozlz4.zip

Install: Backup your existing search.json.mozlz4 file(!), then extract the the one from the archive to your Firefox profile directory and restart Firefox.

When you use the search engines you'll notice that all the non-default ones are tagged as follows:

[I] = indexing search engines that actively crawl the web in order to build their own index. These engines are essential for thwarting the censorship practiced by Google and Bing which is then passed on to all the meta engines that use their results including DuckDuckGo, Startpage, Qwant, Swisscows, Searx, MetaGer, etc..

[H] = hybrid search engines which rely upon both 3rd parties (usually Bing) and index their own content.

[M] = meta search engines which rely only upon 3rd parties, usually Bing.

[S] = special purpose search engines which serve a specific purpose, such as for searching for scientific documents.

Any engines which are not tagged are the default search engines, all of which you can/should disable in Firefox's preferences (about:preferences#search).

You'll probably want to rearrange the search plugins from Firefox's preferences so each type is grouped together.

Removing Firefox system add-ons

In addition to search engine plugins, Mozilla also packages system add-ons with Firefox, installs them without your permission, and doesn't provide an easy way to remove or disable all of them. These system add-ons have been used for controversial purposes in the past. To remove them, see the 'System add-ons' section of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Resources

Special mention goes to 'Thorin-Oakenpants' (aka 'Pants') as well as the 'arkenfox' crew and their GitHub repository where they host an excellent privacy-centric user.js for Firefox and its derivatives, as well as an extensive Wiki full of valuable information.

Resources at 12bytes.org:

External resources:

Recent changes

18-Nov-2022

  • uploaded a fresh search.json.mozlz4 file
  • corrected some links
  • minor edits

33 thoughts on “Firefox Search Engine Cautions, Recommendations”

  1. Excellent article 12bytes. Really well done mate :)

    Some items for thought:
    – users should note some engines will require stripping tracking of search *results* (eg utms on google)
    – Firefox has a system add-on called Follow On Search, you should kill that (see arkenfox user.js)
    – XML Search Engines Exporter/Importer is not Web Extension (yet?) so for FF57+ users, I guess we can use a portable legacy FF to create the file(s)?

    Reply to 'Pants'

    1. Also remember that in a lot of cases it is better in the first place to use a site specific search engine as well. For example, I have added an iTunes search engine so no-one but iTunes knows I search for Taylor Swift .. #GoTayTay :)

      Reply to 'Pants'

    2. thanks for your input Pants! much appreciated – i updated the article to address this stuff and added a section “Removing the ‘Follow On Search’ system add-on”

      Q: do you know how these system add-ons are loaded – are they loaded dynamically each time FF starts like other add-ons, or are they actually installed/cached some place? i’m wanting to be sure that deleting them is sufficient

      Reply to '12Bytes'

      1. System add-ons are listed under about:support>”Firefox Features” – they act just like normal extensions AFAIK (except no disable/uninstall options). Delete the xpi and restart FF and you’re good to go.

        System add-ons are packaged with each Firefox application update (full updates at least). I use portable FF, so I am not sure about installed version behavior re dot releases. If I try to update and I have deleted some system add-on xpi files, the update fails and FF prompts for a full package instead (although the last update from 55.0->55.0.3 didn’t? Can’t remember! Dot releases may vary.). Anyway, I keep an eye on my system add-ons directory, and I only do updates now by downloading the portableapps.com packages (yes they include all the system add-ons too – both 32+64bit app/dirs)

        One of the reasons system add-ons exist, is so that patches/changes can be pushed without an app update. But the update check and update settings can have an effect. See: https://github.com/arkenfox/user.js/issues/172 . The arkenfox user.js checks for app updates but lets you decide when to apply them – so until this bug is resolved, you won’t get system add-ons re-added or updated without your knowledge.

        You could also try 0505: “extensions.systemAddon.update.url” – if the system doesn’t know where to go, what can it do :) The only reason this is inactive in the js, is because this mechanism was initially designed to PUSH fixes – I think it was spurred on by a critical vulnerability in pdfjs a few years ago (Yes, pdfjs is a system add-on, but seems to be a special case compared to how/where it is stored)

        Reply to 'Pants'

        1. thanks for the clarification

          in my case, with Linux, no system add-ons were displayed in about:support and, actually, there wasn’t even a section called ‘Firefox Features’ – the ‘follow-on search’ add-on wasn’t present either, though others were

          Reply to '12Bytes'

      1. I got the message, that it couldn’t be removed as the file/ filecatalog did not exist. english is not my first language, so i’ve translated the message. tech terms may not be correct. I’m no savvy myself, so I’m only familiar with the most common terminal commands. I do attend a local community. they might know about alternatives. yet, I’m the only one pro privacy. off subject: this is a great blog. very user friendly and in depth. thank you @pants for linking at arkenfox

        Reply to 'b'

  4. (XML Search Engines Exporter/Importer developer here)

    Nice text. I want to add that the list of search plugins included by default in Fx is highly dependent of the build installed: that given list is for the en-US build, I think, and it changes for other locales, according to regional deals done by Mozilla, between other things.

    Now, given that no WebExtensions add-ons interacting with your search engines can be written yet, that leaves us for Fx57+:

    * First, you can get easily the original XML opensearch definition of all the engines included by default navigating to the “resource://search-plugins/” uri. From here, you can inspect them and save them to disk for manual sanitizing.
    * I adapted from the add-on some scripts to import/export engines via Scratchpad; it’s a bit awkward to use, but it should help:
    https://gist.github.com/nohamelin/8e2e1b50dc7d97044992ae981487c6ec
    https://gist.github.com/nohamelin/6af8907ca2dd90a9c870629c396c9521

    Also, be aware that Firefox dropped recently the support for adding engines from the searchplugins/ folder after deleting search.jzon.mozlz4; it will aply since Fx58:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1405670

    Reply to 'nohamelin'

  5. I realize that this page is somewhat dated, but Linux Mint limits default installed search addons in Firefox to those who have supported their distro’s development, but grudgingly gives a link to a somewhat larger set. I tried to use Scratchpad to install the sanitized search engines downloaded from the included link, but Scratchpad looks for HTML files and doesn’t recognize the sanitized search addons, even if the zip file is unpacked. Maybe I am doing something wrong, but I followed the instructions to the letter, and tried several times. Maybe it doesn’t work in Linux?

    Reply to 'DD Lang'

    1. I realize that this page is somewhat dated

      actually i updated it today and yesterday

      you don’t have to install the search.json.mozlz4 file – just unpack the .zip and copy the file to your profile directory – if you downloaded the file yesterday, download it again – i changed them

      let me know if you have further problems and, in the mean time, i’ll update the guide with better instructions

      Reply to '12Bytes'

  6. Thanks for the useful article;
    how can we detect to which servers/IPs Firefox is sending our information to? so we can block that specific address in windows host file…

    Reply to 'Hamed'

    1. if you mean with regard to search engines, you don’t have to – just use alternatives to the default search plugins that ship with Firefox

      if you’re worried about other stuff being sent, i’m not knowledgeable enough to know for certain what Firefox is sending where – you’d have to do your own research – also there are very legitimate reasons for Firefox to be calling home, such as grabbing lists of malicious add-ons, websites, security stuff, etc., so if you block anything, be careful what you block – that said, one of my guides might be of use – another thing you can do is search prefs.js (about:config) for ‘http’

      Reply to '12Bytes'

  7. Sweet! I do find that using DuckDuckGo lite is just too much of an inconvenience for me though, no image search and such. Also is there a way to make firefox highlight the searchbar instead of address bar on startup and new tabs?

    Reply to '512Kb'

        1. i wouldn’t advise that others do this without being aware of the very real risk to privacy – everything you enter in the address bar will be sent to the search engine

          also, just in case you don’t already know, if by chance you’ve edited the ‘arkenfox’ user.js directly, that’s a mistake that will cost you when there’s an update which will overwrite all your changes – instead, add your changes to a user-overrides.js file and use the ‘arkenfox’ updater script to update the user.js and append user-overrides to it

          for those that are wiling to risk their privacy for whatever reason, the pref is “keyword.enabled

          Reply to '12Bytes'

          1. I noticed a few more things I didn’t see before, search engines below the location bar for the one-click search also no longer work and dns over https and disabling restore previous session don’t retain settings on restart. I managed to get the searches back beneath the location bar with the setting “browser.urlbar.oneOffSearches” and got dns over https with both “network.trr.mode” (1 for cloudflare, 2 for custom) and “network.trr.uri” & “network.trr.custom_uri” (url for custom provider). Still haven’t figured out what the deal is with the restore session on start always being on.

            Reply to '512Kb'

            1. if i understand you correctly, you do not want to restore the previous session on restart – if that’s the case, look at “browser.startup.page”

              here’s a handy trick if you’re trying to figure out which preference is tied to a setting in the Firefox preferences UI –
              either use a text/code editor that can monitor file changes and then display the difference, or a ‘diff’ program – in the case of the latter, create a copy of prefs.js, then change the setting in Firefox, then ‘diff’ the 2 prefs files

              Reply to '12Bytes'

              1. You know I discovered Thunderbird has it’s own search.json.mozlz4, not sure how relevant it is to security though.
                Also I’ve found some use from the following search engines in addition to the ones you provided:
                Amazon
                Github
                Google Translate
                Invidious (multiple hosts)
                Nitter (multiple hosts)
                PCGamingWiki (only useful if you play video games like me)
                Youtube
                Yandex translate

                Reply to '512Kb'

                1. for the purpose of security/privacy i treat Thunderbird strictly as an email client, not a web browser – i kind of wish the developers would also

                  i appreciate suggestions, but as for the other engines you list i want to stick to general search engines – if i started listing specialized engines i might spend the rest of my life on this one page :)

                  off-topic, but on a political/privacy note, i would discourage anyone from buying anything from Amazon

                  Reply to '12Bytes'

  8. Hi
    regarding default search engines : I only checked off duckduckgo. However when I enter about:support, I notice that ebay appears as a default search engine classified as true just like the rest. it seems strange as it doesn’t appear as an option in preferences ( 80.0, ubuntu 18.04)

    Reply to 'jane'

    1. hello back
      i’m not sure what the reasoning is here, but apparently ‘disabling’ the search plugin really means ‘hide it from the UI’, not disable … you know, kinda like Macro$haft did with IE; you could hide its icons, but you couldn’t remove the damned thing

      Reply to '12Bytes'

  9. Hello,
    “Sanitizing the prefs.js search engine preferences

    Another item you should check is whether prefs.js in your Firefox profile directory contains any browser.search.param preferences. To sanitize these, load about:config in the browser address bar and enter browser.search.param in the search field. If none are found, great, but at the time i originally wrote this article there were two preferences found; browser.search.param.yahoo-fr and browser.search.param.yahoo-fr-ja. The default values may be different in your case, but in mine they were data:text/plain,browser.search.param.yahoo-fr=linuxmint and an empty string, respectively. What you should do is create a custom user.js file to store your modified preferences if you don’t already have one, then copy the following code to it:

    user_pref(“browser.search.param.yahoo-fr”, “”); // sanitize Yahoo
    user_pref(“browser.search.param.yahoo-fr-ja”, “”); // sanitize Yahoo

    It doesn’t work, I still have (screenshot): https://i.imgur.com/b7hazY0.png

    Thank you.

    Reply to 'Damien'

    1. thanks for bringing this up because this article needs updating

      > It doesn’t work, I still have (screenshot): https://i.imgur.com/b7hazY0.png

      yes, the pref is there, but it has no value – in other words it’s not doing anything, however, it looks like these ‘browser.search.param.yahoo’ prefs have been removed at some point – in your screen cap you have a garbage can icon on the right – click that for both of the ‘browser.search.param.yahoo’ prefs and they will be deleted

      Reply to '12Bytes'

  11. Thank you very much for providing your pre-sanitized search.json.mozlz4, i have been using it for a long time.

    Can you clarify something for me. If i add a new engine to the list with mozlz-edit there is a “order”: numerical value that dictates where in the list it shows up. If i want to add an engine in the middle for example must i edit each entries below it “order” value manually +1?

    Reply to 'InTheMiddle'

Leave a Reply

Your email address will not be published. Required fields are marked *