See the revision history at the end ... if you make it that far :)
Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not bother with this guide.
The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.
You're aware that unethical companies such as Facebook, Instagram, Google, YouTube, advertisers, your ISP and governments are spying on your activities and buying and selling the data they harvest, even if you may not be aware of how they're doing it. You're concerned about this invasion of your privacy, but you're wondering 'yeah, but what can a tech-challenged dummy like me actually DO about it wise guy???'.
Welcome to the 'dummies' edition of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs!!!
The goal here is to provide a simple guide, to the extent that's possible, which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little more effort into your surfing activities, at least until the dust settles. The pay-off will be a much faster, cleaner, less annoying web that is less able to track and profile you. Note that i said "less", not "not".
Catching the Fox
You want the standard release version of Mozilla Firefox, even if you think you don't. No Pale Moon, no Waterfox, no whatever, so if you don't have it, get it. If you run a GNU/Linux-based operating system (we're already in love), look in your package manager. Since it's privacy we're interested in, we're way too smart to be screwing around with Google Chrome (un-Googled or otherwise), Microsoft Edge, etc., though if you have an
inferior alternative browser you could retain it as a backup.
Profiling the Fox
Start Firefox and enter
in the address bar. You can call it the "location bar" or the "awesome bar" or the "mega bar" but i call it the address bar. Press your 'Enter' key to load that address and you'll see where Firefox keeps your profiles. Profiles are where most of your settings, bookmarks and other junk gets stored.
You can have as many profiles as you want, but by default there will be just one named 'default'. We need another, so click the 'Create a New Profile' button and name the new one 'privacy'. You can change the name later, but leave it be for now else you'll lose valuable internet points.
After creating your new privacy profile, set it as the default profile.
There are many
pages in Firefox, but not all are accessible from the various menus. To see some of those that aren't, load
in the address bar, but be careful what you mess with in there!
Training the Fox
If you're running Windows you've just lost 100 internet points, plus you'll need to un-hide file extensions and i might suggest keeping them un-hidden.
With Firefox up and running, load
in the address bar or click the Hamburg icon on the toolbar, then 'Settings'. Click the 'Search' menu item on the left and under where it says 'Search Bar', click 'Add search bar in toolbar'. Trust me. Reasons.
Next, go to the arkenfox/user.js GitHub repository. We need their prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: One by one, click on the file names, then click the 'Raw' button, then press Ctrl+S to save the files to your desktop. Failing to heed my advice can cause the file to get messed up which will surely result in Russia nuking us. If you want to avoid those steps, here's the direct links to the files: updater.sh (Linux), updater.bat (Windows), prefsCleaner.sh (Linux), prefsCleaner.bat (Windows). Just right-click those links and then 'Save as...'. Now if you're one of those wiz kids, you may have deduced that we're going to need that user.js file too but we'll grab that baby another way in just a bit. Patience is a virtue, so we're told.
Next, go to the 12bytes.org/Firefox-user.js-supplement page at Codeberg.org, click the user-overrides.js file, then click the 'Raw' button and press Ctrl+S to save the file in the same place as the others (here's the direct link to the raw file).
You'll need a decent code editor for this next step (no, not Notepad!), preferably one with syntax highlighting. If you're running Wintendo (that's one of my several derogatory names for Winblows), PSPad is nice, simple and free. If you're running Linux you've surely got something installed already.
What you need to do now is open that user-overrides.js file in your code editor and follow the directions Very Carefully. Every single little tiny thing you could ever possibly want to know about everything in that file, is in that file (except whatever i forgot to put in it).
Now that you've sifted through that convoluted mess (go you!), load Firefox's
page again. Note that user profiles and web cache are stored in separate folders, thus why you may see more than one directory path for each profile. In the row labeled 'Root Directory' under your 'privacy' profile, click the 'Open Directory' button and then kill Firefox.
If you don't want Firefox whining about which profile to load every time it starts, you can select your preferred profile and check the 'Don't ask at startup' option, but don't do that yet! Another way is to create a shortcut to load any profile you want.
For more about profiles, see Use the Profile Manager to create and remove Firefox profiles and Multiple Firefox profiles.
For more about ticklish penguins, go here.
In your file manager you may notice that the folder containing your 'privacy' profile actually has a longer name with a bunch of gobbledygook preceding 'profile'. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper. Next, grab those files from your desktop you pirated earlier and stick 'em in your 'privacy' profile folder where the prefs.js file is.
Now we need to run that updater script. How to do that depends on whether...
...you're running Linux
You will need to make those .sh files executable. You could try meditation or sacrificing a small mammal, but it'd probably be quicker to just right-click on each of them to open the file properties dialog window and click the 'Is executable' checkbox on the 'Permissions' tab (or similar). If your file browser doesn't have such an option, open a terminal in your privacy profile directory and run
chmod +x *.sh
, or, failing that, see How do I run .sh files?.
We need to run that updater.sh script from a terminal, so open one and change the directory to your privacy profile directory where the updater.sh file is. In the example below you'll need to change 'gobbledygook' to match the correct name of your profile folder:
Now run the updater.sh script by preceding the file name with a dot and a slash:
To run that updater.bat script, navigate to your Firefox profile directory, hold down the Shift key and right-click in an empty space where the file is, then select "Open Command Window Here". Enter
and hit Enter. If you have trouble, see How to Run a BAT File on Windows: 13 Steps (with Pictures).
The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've followed all the directions you didn't read, the script will download a fresh copy of the 'arkenfox' user.js file to your privacy profile folder in your Firefox profile directory and then append the contents of your user-overrides.js to it just like it says on the tin.
Pestering the Fox
The 'arkenfox' user.js is updated frequently so you'll need to check for updates regularly. One simple way to to do that is by running the 'arkenfox' updater script.
If you're using a Linux-based OS you can use my user.js-notify.sh script to be automatically notified via a desktop notification when:
- the 'arkenfox' user.js is updated
- my user-overrides.js is updated
- this guide is updated
You can add the script to your startup programs so it runs each time you log-on to your desktop (make sure it's executable). Instructions for implementing the script are contained within the script. Open the file with your code/text editor, read the instructions and edit the options.
To check for a new user.js if you're running Windows, kill Firefox and run the 'arkenfox' updater script. If you're running Windows, or if you're running Linux and don't wish to use my user.js-version-checker.sh script, you should run the updater script every week or so in order to check for a new version, but don't get ahead of yourself. You always want the user.js version that corresponds to your major version of Firefox, so if the updater script says
Available online: * version 80-alpha
and you're running Firefox version 79.0.1, you'll want to cancel the update because 80 doesn't equal 79 (unless you're "woke" in which case all bets are off).
Each time you run the updater script, and with Firefox closed, be sure to follow it up by running the prefsCleaner script using the same method you used to run the updater script. The prefsCleaner script will reset any depreciated/removed/inactive preferences and it's important that you do this.
updater script Pro Tip
If you use Linux you can run the updater script with the
) which will create a 'diff' file that will list all the differences between the old and the new user.js.
To see all the options for running the updater script for both Linux and Windows, see the Updater Scripts article on the 'arkenfox' wiki.
Fattening the Fox
Next we're going to the Firefox Add-ons website to install uBlock Origin (uBO) by Raymond Hill. We want uBlock Origin specifically and not any derivatives, copies, forks, fakes or imposters.
Why does he say 'WE' and 'WE'RE' when 'I' am the one doing all the f'n work?!
Plausible deniability. If i screw something up that causes your computer to explode, it's your fault. LOL
Regarding add-ons, more = more bad, generally speaking. It's pretty important, and especially so if you're new to the game, to NOT install add-ons willy-nilly. The more you install, the more likely things will break and that your privacy will be compromised, so don't go overboard with add-ons.
Firefox has fairly comprehensive built-in mechanisms to thwart browser fingerprinting and tracking and safeguard your privacy (these are activated in part by the 'arkenfox' user.js). While they alone are not quite enough for us privacy geeks, which is why you fell into this pit of despair, they do cover a lot of important ground. If you install additional "privacy" related add-ons beyond those suggested here that you *think* will enhance privacy, you could very easily wind up doing the opposite.
Now it's on to uBlock...
I know, this is supposed to be the 'for dummies' guide and all, but you really must learn how to use uBlock Origin (uBO). The good news is that it too has a 'dummy' mode and it's enabled by default! To begin, configure uBO according to my uBlock Origin Suggested Settings guide using the 'dummy guide' settings.
Of particular importance, DO NOT select the 'I am an advanced user' option! Don't look at it. Don't think about it. Don't think about looking at it ... at least not until you read all that 'required reading' stuff and understand fully what uBO is, does, how to use it, and how easy it is to break the entire interwebs if you screw up.
Now it's really important that you read this and this and this, but only up to the 'Medium mode' part for the last one. Once you complete that you'll be a Semi-Certified uBlock Origin Web Filter Engineer Apprentice.
Training the Foxineer
With all that done and Firefox running, close all tabs and click the Hamburger button again to open the Preferences window, then click the Privacy & Security menu item (or load
in the address bar). Scroll down to the Cookies and Site Data section and click the Manage Data button. In the Manage Cookies and Site Data window that opens, click Remove All. This will remove (almost) all of the gunk that Firefox has accumulated thus far. We may as well start clean, plus now you know one way to scrap much of Firefox's storage.
If you've used the Fox before there's going to be some changes, one of them being that you'll be searching from the search bar (or a web page that isn't f'n Google hopefully) instead of the address bar. The reason for this is a little creepy, suffice to say it's a privacy/security thing. Live search suggestions will be disabled because it's also creepy.
Now for some really important stuff...
Here's an excerpt from PrivacyTests.org if you care to read it...
Why web browsers are critical to online privacy
Once private data has leaked from your computer, phone or tablet, there is not much you can do to control it. But how does data leave your device in the first place?
Your web browser is a likely route: browsers commonly leak data to third parties, revealing what web pages you have visited. This information lets tracking companies know what you read, what you write, where you are located, what you search for, and what you buy. And this highly personal information is assembled by those companies into detailed individual profiles of every person on the internet, containing data on your ethnicity, religious views, political views, sexual orientation, gender, family, friends, colleagues, health history, habits, relationships, educational records, income, and so on. These companies often retain your data for years or decades, and sometimes share it with third parties, including other companies or governments.
Now do you see why we disabled JS globally for the entire interwebs??? Thing is, it's very easy to enable again For Those Specific Websites Where You Really Need It To Be Enabled. "Need", i said. Not "like" or "want", but "need".
Start Firefox and load up your privacy profile, then middle-click this link to open it in a new tab and click some of the colors on the color swatch and…… well that was boring, but WAIT! THERE'S MORE! Now click the uBlock Origin button on your toolbar and in the lower right corner there’s an icon that looks like a
OK, now repeat after me...
Importing stuff from an old profile
If you're not a first-time Firefox user and you have important bookmarks or other junk you want to import to your new privacy profile, make a backup copy of your profile and then go ahead and read this.
What to do when the Fox bites
To make a broken website un-broken again, you'll need to use uBlock Origin to enable the functionality you need for those websites you trust. If you cannot get a website to cooperate by making site specific changes with uBlock, you can always spin-up a fresh, empty profile to load the site and delete it afterwards, but understand that you will be at the mercy of a completely default Firefox configuration devoid of our extra privacy protections. For websites you don't trust, why are you visiting them? Porn? Warez? Facebook? Instagram? Google? If you value your privacy and digital integrity in the least, forget that stuff. Seriously. If you want to learn more about alternative search engines, read Alternative Search Engines That Respect Your Privacy.
Another 'gotchya' that will likely creep up at some point is a website not saving settings that you wanted to save, such as your log-on credentials or search engine settings. To save such data you'll need to edit the permissions for the domain and there's two easy ways to access them; you can click the padlock icon in the address bar, then the right-facing arrow, then "More information", or simply hit Ctrl + I (that's an eye, not an el). In the window that opens, click the "Permissions" icon and scroll down until you see the "Set Cookies" item. Finally, deselect the "Use Default" preference and select "Allow" if you want to save the the data for that domain across restarts, or "Allow for Session" if you want to dump the data after you close the browser.
I would not suggest permanently allowing cookies for any mainstream, privacy-hating social media or search engine website such as Google, Yahoo, Bing, Facebook, Instagram, Twitter, eBay, etc..
The Fox hole
Even with everything we've accomplished you're still vulnerable to being tracked and profiled, however you're in a much better position then when we started out ... except for one little problem: Your Internet Service Provider!
At the very least your ISP can see what websites you visit, how long and how often you're visiting, and when you're surfing the web and when you're not. They may even inject ads, malware or other garbage in your data stream. The solution: Hijack your neighbors unprotected WiFi and... Kidding! Listen, you and i have gotten to know each other throughout this long and difficult ordeal. We're kinda like buddies now. Kinda. And i can already tell you're ethics are of a higher caliber than
One solution to the problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?
A VPN works by routing all of your internet traffic through an encrypted tunnel between you and another computer run by the VPN service provider which we'll call an 'exit node'. That exit node could be anywhere in the world. From the exit node your traffic flows as normal to whatever website you want to visit and the website then sends the kitty video you clicked on back to the exit node thinking IT is YOU, but alas, IT AIN'T YOU! The kitty video then secretly makes its way back to you through this secret tunnel which was secretly established between you and the exit node. So far as the website is concerned, it doesn't know where the hell you really are and so far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to an ameba. Ever annoyed by that galactically stupid "Sorry, this video is not available in your country" crap? Pfff. Any remotely decent VPN provider will maintain many exit nodes throughout the world and switching between them is usually as simple as a mouse click or two.
Now, listen up...
There are truck loads of VPN service providers and it seems the vast majority do not take customer privacy seriously. In particular i would strongly advise avoiding any VPN add-on on the Mozilla add-ons website for a few reasons, one of them being that they often suck from a privacy perspective and another being that they are unnecessary. Lastly, NEVER trust any "free" VPN provider!
Currenty AzireVPN. You can read about Azire here and here and here. OVPN seems like it may be an even better choice and more suited to those who are less technically inclined. Both own and secure their own hardware rather than leasing it and both services can be purchased anonymously using crypto. Mullvad is another and they seem to be even more transparent about their services, but they do not own all of their servers. Tor (The Onion Router) is another way to go and using it is free but there are several caveats. For more, see Tor versus a VPN – Which is right for you?.
WHAT THE FOX!
So now you're all smitten thinking you're invincible and ready to hack the NASA to see if aliens really built mind control machines on the back side of the moon (they did, sorta, pretty sure). You're not, but you've taken one, small step for man, and.....
Truth is, there are far more vectors for attack than you and i (and many of the so-called "experts") may ever know about, so don't get all uppity. Perfect privacy on the web, as in real life, is a pipe dream and it wasn't the goal here anyway. We've covered several important bases that will help prevent nasty corporations and your ISP from spying on you, but not all of them. Remember that when you're creating fake profiles on Facebook to stalk your ex.
If you have a hard time swallowing all this and getting used to a hardened Firefox, don't sweat it. Make another default Firefox profile and use it whenever you feel like punching someone (me).
After you've taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode.
Be safe. Be ethical. And if you need help (after you've tried to help yourself), leave a comment or check the FAQ: Firefox Hardening page.
IMPORTANT: If you incorporate suggestions made in this guide, please check back often for changes or, better yet, subscribe to my main RSS feed or the feed for the Tech or Firefox categories. If you need a news feed reader, see Firefox Extensions - My Picks.
Click to expand...
- several edits and clarifications but nothing really important
- minor edits and clarifications
- trivial edits - nothing to worry about
- removed CSS Exfil Protection add-on
- removed Clear URLs add-on - it's unnecessary given the 'arkenfox' user.js and updated suggested settings for uBlock Origin
- a year late, i learned that Waterfox was sold to an advertising company - yet another reason to avoid 3rd party builds/forks of Firefox
- added an excerpt from PrivacyTests.org
- language updates - minor stuff
- removed Cookie AutoDelete ('cause dFPI, ya know?)
- removed HTTPZ - not needed
- removed much of the VPN info since it's included in the VPN-Tor article
- several small edits, corrections, deletions
- very minor edit
- minor edits, typos
- added a link to unixsheikh.com
- added more info about the user.js-notify.sh script
- reversed the order of this change log so newest changes are at the top
- well, that didn't last long - after more testing i reinstated Cookie AutoDelete because i think it's easier to use it than it is to be adding cookie exceptions all the time, plus no CAD breaks session restore with the 'arkenfox' user.js and there are other quibbles as well
- removed Privacy-Oriented Origin Policy - given its limited usefulness, non-noob friendly filter syntax and potential to break a site on rare occasions, i decided it wasn't needed
- minor edits
- removed all Cookie AutoDelete add-on info - given the intended audience for this guide, as well as first-party isolation and resist fingerprinting being enabled in the 'arkenfox' user.js, it isn't needed
- removed all LocalCDN add-on info - given the intended audience for this guide, as well as first-party isolation and resist fingerprinting being enabled in the 'arkenfox' user.js, it isn't needed
- added instructions for keeping storage items (log-on credentials, settings) for websites
- minor edits
- split off part of the 'Fattening the Fox' section into a new section, 'Pestering the Fox', which includes new info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only)
- replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
- minor edits
- added more info about the 'arkenfox' updater script regarding keeping the user.js version in sync with the major Firefox version
- minor edit
- removed the 'Don't touch my tabs!' add-on (obsolete since Firefox v79)
- replaced Decentraleyes with LocalCDN
- added the video, Prof Shoshana Zuboff on surveillance capitalism
- updated the URL for the uBlock Origin Suggested Settings Guide
- removed ETag Stoppa since ClearURLs covers eTag storage filtering
- added settings details for CLearURLs
- added more info about circumventing website logon problems due to Site Bleacher add-on
- minor edits
- removed 'Font Fingerprint Defender' add-on - i got word that the extensions may be problematic
- removed 'First Party Isolation' add-on
- added 'Font Fingerprint Defender' add-on
- minor edits
- added ETag Stoppa to extensions section
- added link to 'FAQ: Firefox Hardening' page
- minor edits throughout
- minor edit
- added a more extensive warning about installing add-ons in addition to those recommended herein
- misc. edits and clarifications, nothing too drastic
- stuck the uBlock config stuff on its own page
- rewrote several bits of the guide in an attempt to clarify things and make it a bit shorter
- edited some content to bring it up to date with the newest version of Firefox
- adjusted settings for uBO
- added a warning about using this guide with Tor
- added a resources section
- added instructions for enabling the search bar in the navigation bar since setting the preference alone in user.js doesn't work for some reason
- minor edits
- added HTTPZ
- added Site Bleacher and associated information
- removed temporary profile info
- lots of minor edits
- minor edit
- added better description and screen-caps for how to download user-overrides.js
- minor edit
- clarified info regarding the downloading of the configuration files
- clarified a lot of stuff that may not have been clarified clearly enough
- eliminated the 'relaxed_user-overrides.js' file - the user-overrides.js is now used for both the advanced and dummy guides
- updated the user-overrides.js file
- lots of minor edits, corrections
- polishing, clarifications
- added more info about using the user.js updater and prefsCleaner scrips
- many small changes and polishing
- first (pre) release
Note that both reader and my comments, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.