Coronavirus information & resources
Treating effects of COVID-19 vax
Vaccines - What You Need To Know

The Firefox Privacy Guide for Dummies!

Facebook created same day Pentagon kills similar project

See the revision history at the end ... if you make it that far :)

Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not bother with this guide.

Introduction

The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.

Video: Prof Shoshana Zuboff on surveillance capitalism

You're aware that unethical companies such as Facebook, Instagram, Google, YouTube, advertisers, your ISP and governments are spying on your activities and buying and selling the data they harvest, even if you may not be aware of how they're doing it. You're concerned about this invasion of your privacy, but what can you do abut it?

Welcome to the 'for dummies' edition of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs!!!

The goal here is to provide a simple guide, to the extent that's possible, which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little bit more effort into your surfing activities, at least until the dust settles. The pay-off will be a much faster, cleaner, less annoying web that is less able to track and profile you. Note that i said "less", not "not".

WARNING: This guide is not intended for use with the Tor browser which is an already hardened version of Firefox. Configuring the Tor browser as outlined here would likely result in DOOM!

Catching the Fox

You want the standard release version of Mozilla Firefox, even if you think you don't. No Pale Moon, no Waterfox, no whatever, so if you don't have it, get it. If you run a Linux-based operating system (we're already in love), look in your package manager. Since it's privacy we're interested in, we're way too smart to be screwing around with Google Chrome or Microsoft Edge, though if you have an inferior alternative browser installed you could retain it as a backup.

Profiling the Fox

Start Firefox and enter about:profiles in the address bar -- you can call it the "location" bar or the "awesome" bar. I call it the address bar. Press your 'Enter' key to load that address and you'll see where Firefox keeps a list of all your profiles. Profiles are where most of your settings, bookmarks and other junk gets stored.

Firefox Profile Manager
click me

You can have as many profiles as you want, but by default there will be just one named 'default'. We need another one, so click the 'Create a New Profile' button and name the new one 'privacy'. You can change the name later, but leave it be for now else i'll deduct from your internet points. Once you're done, exit Firefox.

Firefox will now annoy you (and let it keep annoying you for the duration of these next few months we'll be spending together) by asking which profile you want to load every damned time you start it and you should (almost) always choose your 'privacy' profile.

Pro Tip

There are many 'about:' pages in Firefox, but not all are accessible from the various menus. To see some of those that aren't, enter about:about in the address bar, but be careful what you mess with in there!

Training the Fox

Firefox Profile Manager 2
click me

Restart Firefox and this time you should see the Choose User Profile window. Load your privacy profile but don't visit any web pages just yet, other than this one if you want. Firefox may load some default pages when it starts and that's something we'll fix later.

Profile Tip

If you don't want Firefox whining about which profile to load every time it starts, you can select your preferred profile and check the 'Don't ask at startup' option, but don't do that yet! Another way is to create a shortcut to load any profile you want.

For more about profiles, see Use the Profile Manager to create and remove Firefox profiles and Multiple Firefox profiles.

For more about ticklish penguins, go here.

If you're running Windows you will need to un-hide file extensions, and i suggest you keep them un-hidden.

With Firefox up and running, load about:preferences in the address bar or click the Hamburg icon on the toolbar, then 'Settings'. Click the 'Search' menu item on the left and under where it says 'Search Bar', click 'Add search bar in toolbar'. Trust me, there's reasons for this.

Next, go to the arkenfox/user.js GitHub repository. We need their prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: One by one, click on the file names, then click the 'Raw' button, then press Ctrl+S to save the files to your desktop. Failing to heed my advice can cause the file to get messed up which will surely result in Russia nuking us. If you want to avoid those steps, here's the direct links to the files: updater.sh (Linux), updater.bat (Windows), prefsCleaner.sh (Linux), prefsCleaner.bat (Windows). Now if you're one of those wiz kids, you may have deduced that we're going to need that user.js file too but we'll grab that another way.

Next, go to the 12bytes.org/Firefox-user.js-supplement page at Codeberg.org, click the user-overrides.js file, then click the 'Raw' button and press Ctrl+S to save the file (here's the direct link to the raw file).

Next you'll need a decent code editor (no, not Notepad!) with syntax highlighting. If you're running Wintendo (that's one of my several derogatory names for Winbows), PSPad is nice, simple and free. If you're running Linux you've surely got something installed already.

What you need to do now is open that user-overrides.js file in your code editor and follow the directions Very Carefully. Every single little tiny thing you could ever possibly want to know about every single option in that file is in there (except whatever i forgot to put in there).

Now that you've sifted through that convoluted mess (go you!), load Firefox's about:profiles page again. Note that user profiles and web cache are stored in separate folders, thus why you may see more than one directory path for each profile. In the row labeled 'Root Directory' under your 'privacy' profile, click the 'Open Directory' button and then kill Firefox.

In your file manager you may notice that the folder containing your 'privacy' profile actually has a longer name with a bunch of gobbledygook in front of 'profile'. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper. Next, grab those files from your desktop you pirated earlier and stick 'em in your 'privacy' profile folder where the prefs.js file is.

Now we need to run that updater script. How to do that depends on whether...

...you're running Linux

You will need to make those .sh files executable. You could try meditation or sacrificing a goat, but it'd probably be quicker to just right-click on each of them to open the file properties dialog window and click the 'Is executable' checkbox on the 'Permissions' tab (or similar). If your file browser doesn't have such an option, you can open a terminal in your privacy profile directory and run chmod +x *.sh, or, failing that, see How do I run .sh files?.

We need to run that updater.sh script from a terminal, so open one and change the directory to your privacy profile directory where the updater.sh file is. In the example below you'll need to change 'gobbledygook' to match the correct name of your profile folder:

cd ~/.mozilla/firefox/gobbledygook.privacy/

Now run the updater.sh script by preceding the file name with a dot and a slash:

./updater.sh

...or Windows

To run that updater.bat script, navigate to your Firefox profile directory, hold down the Shift key and right-click in an empty space where the file is, then select "Open Command Window Here". Enter updater.bat and hit Enter. If you have trouble, see How to Run a BAT File on Windows: 13 Steps (with Pictures).

The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've followed all the directions you didn't read, the script will download a fresh copy of the 'arkenfox' user.js file to your profile directory and append the contents of your user-overrides.js to it just like it says on the tin.

Pestering the Fox

The 'arkenfox' user.js is updated frequently and so you'll need to check for updates regularly. There's a couple ways you can do that if you're running Linux and one if you're running Windows, however there's only one (easy) way to actually update the user.js and that's by using the 'arkenfox' updater script.

user.js-notify script message (Linux)If you're using a Linux-based OS you can, if you want, use my user.js-notify.sh script to be automatically notified via a desktop notification when:

  • the 'arkenfox' user.js is updated
  • my user-overrides.js is updated
  • this guide is updated

You can add the script to your startup programs so it runs each time you log-on to your desktop (make sure it's executable). Instructions for implementing the script are contained within the script. Open the file with a code/text editor, read the instructions and edit a few options.

To check for a new user.js if you're running Windows, or to actually update the file, kill Firefox and run the 'arkenfox' updater script. If you're running Windows, or if you're running Linux and don't wish to use my user.js-version-checker.sh script, you should run the updater script every week or so in order to check for a new version. You always want the user.js version that corresponds to the major version of Firefox, so if the updater script says Available online: * version 80-alpha and you're running Firefox version 79.0.1, you'll want to cancel the update because 80 doesn't equal 79, unless you're "woke" in which case all bets are off.

Each time you run the updater script, be sure to follow it up by running the prefsCleaner script using the same method as described earlier for your operating system. The prefsCleaner script will reset any depreciated, removed, or inactive preferences and it's important that you do this!

updater script Pro Tip

If you use Linux you can run the script with the -c switch (./updater.sh -c) which will create a 'diff' file that will list all the differences between the old and the new user.js.

To see all the options for running the updater script for both Linux and Windows, see the Updater Scripts article on the 'arkenfox' wiki.

Fattening the Fox

Next we're going to go to the Firefox Add-ons website and install uBlock Origin (uBO) by Raymond Hill. We want uBlock Origin specifically and not any derivatives, copies, forks or fakes.

Why does he say 'WE' and 'WE'RE' when 'I' am the one doing all the f'n work?!

Plausible deniability. If i screw something up that causes your computer to explode, it's your fault. LOL

Regarding add-ons, more = more bad (generally speaking).

It's pretty important, and especially so if you're new to the game, to NOT install add-ons willy-nilly! The more you install, the more likely things will break and that your privacy will be compromised, so don't go overboard with add-ons.

Firefox has comprehensive built-in mechanisms to thwart browser fingerprinting and tracking and safeguard your privacy. While they alone are not quite enough for us geeks, which is why you fell into this pit of despair, they do cover a lot of important ground. If you install additional privacy related add-ons beyond those suggested here that you *think* will enhance privacy, you could very easily wind up doing the opposite.

For more on the subject and what to look for when considering add-ons, see Firefox Extensions – My Picks.

I know, this is supposed to be the 'for dummies' guide and all, but you really must learn how to use uBlock Origin (uBO). The good news is that it's got a 'dummy' mode and, like your girlfriend/boyfriend, it's enabled by default! Now you need to configure uBO and in that vein i suggest reading my uBlock Origin Suggested Settings guide.

Of particular importance, DO NOT select the 'I am an advanced user' option! Don't look at it. Don't think about it. Don't think about looking at it ... at least not until you read all that 'required reading' stuff and understand fully what uBO is, does, how to configure it, and how easy it is to break the entire interwebs if you screw up.

Now it's really important that you read this and this and this, but only up to the 'Medium mode' part for the last one. Once you complete that you'll be a Semi-Certified uBlock Origin Web Filter Engineer Apprentice.

Break time...

Training the Foxineer

With that all done and Firefox running, close all tabs and click the Hamburger button again to open the Preferences window, then click the Privacy & Security menu item (or load about:preferences#privacy in the address bar). Scroll down to the Cookies and Site Data section and click the Manage Data button. In the Manage Cookies and Site Data window that opens, click Remove All. This will remove (almost) all of the gunk that Firefox has accumulated thus far. We may as well start clean by nuking anything that we accumulated thus far, plus now you'll know one way to scrap Firefox storage.

If you've used Firefox before there's going to be some changes, one of them being that you'll be searching from the search bar (or a web page that isn't f'n Google hopefully) instead of the address bar. The reason for this is a little creepy, suffice to say it's a privacy/security thing. Live search suggestions will be disabled because it's also creepy.

Now for some really important stuff...

Remember last week when you started reading this where i said we'd be "breaking as few websites as possible"? Kek! Since we disabled JavaScript globally with uBO, every other website you visit is going to be broken, and for good reason too!

There's a few things you need to know about JavaScript: 1), it's awesome-ish, 2) it's a privacy and security nightmare, 3) almost every website on Planet Earth uses it unnecessarily (even this one, but i'm working on that).

JavaScript (JS) can be used to do all kinds of cool (and creepy) things like make web pages interactive, make dull things look un-dull, animate stuff, etc.. It's used a lot for making navigation menus work and displaying images and interactive content, as well as for annoying the bejeezes out of you with ads and pop-ups and other such garbage. Unfortunately it's almost always necessary to enable it when shopping. Of primary importance is the fact that JS is also leveraged heavily for distributing malware, tracking and profiling you, learning about your bathroom habits and much, much more (and believe me when i tell you that i'm exaggerating far less than you might think!).

Here's an excerpt from PrivacyTests.org if you care to read it...

Why web browsers are critical to online privacy

Once private data has leaked from your computer, phone or tablet, there is not much you can do to control it. But how does data leave your device in the first place?

Your web browser is a likely route: browsers commonly leak data to third parties, revealing what web pages you have visited. This information lets tracking companies know what you read, what you write, where you are located, what you search for, and what you buy. And this highly personal information is assembled by those companies into detailed individual profiles of every person on the internet, containing data on your ethnicity, religious views, political views, sexual orientation, gender, family, friends, colleagues, health history, habits, relationships, educational records, income, and so on. These companies often retain your data for years or decades, and sometimes share it with third parties, including other companies or governments.

If you want to beat yourself up even more, read Stop pushing JavaScript! by a guy who knows what he's talkin' 'bout and/or watch this video:

Disable JavaScript Tutorial Online Security | The Hated One

Now do you see why we disabled JS globally for the entire web??? Thing is, it's very easy to enable again For Those Specific Websites Where You Really Need It To Be Enabled. "Need", i said. Not "like" or "want", but "need".

Start Firefox and load up your privacy profile, then middle-click this link to open it in a new tab and click some of the colors on the color swatch and…… well that was boring, but WAIT! THERE'S MORE! Now click the uBlock Origin button on your toolbar and in the lower right corner there’s an icon that looks like a </>, except it has a red ‘X’ through it. That icon is secret code for [CENSORED]. Click it to remove the ‘X’ and you will have enabled JavaScript for that particular domain after which you’ll see a new button appear right outta thin air that has circlely arrows on it. Clicking that (or pressing F5) will refresh the page at www.w3schools.com and this time your browser will allow JS to run for the entire w3schools.com domain. That color swatch page will now look very different and this time when you click the colors, awesome things will appear that will surely dazzle you for hours on end (like that damned triangle puzzle-peg thingy in every Cracker Barrel).

The point of that intensely interesting exercise was to demonstrate the power of JavaScript by showing you how different it can make a website look and work, as well as how necessary it is in some, but not all cases. For example, if you're reading this nail-biting novel with your Firefox privacy profile loaded and JS disabled, it wouldn't make much of a difference because the place looks and works pretty much the same, thus you should never enable it where it isn't needed. Kapish?

Now you're going to take the JavaScript Oath. DON'T LAUGH! This is important shit! OK, repeat after me...

EYE SHALL NOT ENABLE JAVASCRIPT FOR ANY WEBSITE UNLESS A) THE WEB DEVELOPER IS AN ETHICAL BLOOD RELATIVE WHOM I TRUST WITH MY GIRLFRIENDS VIRGINITY AND B) IT MUST BE ENABLED IN ORDER TO PROVIDE REQUIRED FUNCTIONALITY THAT WOULD OTHERWISE NOT BE AVAILABLE (AND NO, LOOKING AT BOOBS DON'T COUNT).

Importing stuff from an old profile

If you're not a first-time Firefox user and you have important bookmarks or other junk you want to import to your new privacy profile, make a backup copy of your profile and then go ahead and read this.

What to do when the Fox bites

It's inevitable that you're going to have trouble with some websites. Keep calm. Breeeeath! You've already gotten a taste of how a website can be rendered useless with JavaScript disabled and although i let you enable it for the site given in the example earlier, i only did so because it's a trustworthy place. The next website you visit may not be. You're here aren't you?

To make a broken website function again, you'll need to use uBlock Origin to enable the functionality you need for those websites you trust. If you cannot get a website to cooperate by making site specific changes in uBlock, you can always spin-up a fresh, empty profile, but understand that you will be at the mercy of a completely default Firefox configuration with all of our extra privacy protections removed. For websites you don't trust, why are you visiting them? Porn? Warez? Facebook? Instagram? If you value your privacy and digital integrity in the least, forget that stuff. Seriously.

Another 'gotchya' that will likely creep up at some point is a website not saving settings that you wanted to save, such as your log-on credentials or search engine settings (If you want to learn more about alternative search engines, read Alternative Search Engines That Respect Your Privacy). To save this data you will need to edit the permissions for the domain and there's two easy ways to access them; you can click the padlock icon in the address bar, then the right-facing arrow, then "More information", or simply hit Ctrl + I <- that's an eye, not an el. In the window that opens, click the "Permissions" icon and scroll down until you see the "Set Cookies" item. Finally, deselect the "Use Default" preference and select "Allow" if you want to save the the data for that domain across restarts, or "Allow for Session" if you want to dump the data after you close the browser.

I would not suggest permanently allowing cookies for any privacy-hating social media or mainstream search websites such as Google, Yahoo, Bing, Facebook, Instagram, Twitter, eBay, etc., but that's me.

Lastly, read the 'arkenfox' wiki. Seriously!

The Fox hole

Even with everything you and i have accomplished, you're still vulnerable to being tracked and profiled, however you're in a much better position then when we started out, except for one little problem: Your Internet Service Provider!

At the very least your ISP can see what websites you visit, how long and how often you're visiting, when you're surfing the web and when you're not. They may even inject ads, malware or other garbage in your data stream. The solution: Hijack your neighbors unprotected WiFi and... Kidding! Listen, you and i have gotten to know each other throughout this long and difficult ordeal. We're kinda like buddies now. Kinda. And i can already tell you're ethics are of a higher caliber than mine that!

One solution to the problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?

A VPN works by encrypting the traffic between you and another computer run by the VPN service provider which we'll call an 'exit node'. That exit node could be anywhere in the world. From the exit node your traffic flows as normal to whatever website you want to visit and the website then sends the kitty video you clicked on back to the exit node thinking IT is YOU, but alas, IT AIN'T YOU! YOU FOOLS! The kitty video then secretly makes its way back to you through this secret tunnel which was secretly established between you and the exit node. So far as the website is concerned, it doesn't know where the hell you really are and so far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to a blind tuna. Ever annoyed by that galactically stupid "Sorry, this video is not available in your country" crap? Pfff.

There are truck loads of different VPN service providers and it seems the vast majority do not take customer privacy seriously. In particular i would strongly advise exercising caution regarding any VPN add-on on the Mozilla add-ons site for a few reasons, one of them being that they very likely suck from a privacy perspective and another being that it may only be your browser that benefits and not the rest of your OS and other devices on your network. Lastly, NEVER trust any "free" VPN provider. Full Stop!

If you want to check out the provider i use, it's AzireVPN. Yes, that's a referral link, but you can bet your sweet ass i wouldn't be using them if i didn't have some trust in them (read here and here and here).

WHAT THE FOX!

So now you're all smitten thinking you're invincible and ready to hack NASA to see if aliens really built Taco Bell's on the back side of the moon (they did, sorta, pretty sure). You're not, but you've taken one, small step for man, and..... Truth is, there are far more vectors for attack than you and i and many of the so-called "experts" may ever know about, so don't get all uppity. Perfect privacy on the web, as in real life, is a pipe dream and it wasn't the goal here anyway. We've covered some important bases that will help prevent nasty corporations and ISP's from spying on you, but not all of them. Remember that when you're creating fake profiles on Facebook to stalk your ex.

If you have a hard time swallowing all this and getting used to a hardened Firefox, don't sweat it. Make another default Firefox profile and use it if you feel like you're wanting to punch the crap out of someone (me).

After you've taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode.

Be safe. Be ethical. And if you need help (after you've tried to help yourself), leave a comment or check the FAQ: Firefox Hardening page.

IMPORTANT: If you incorporate suggestions made in this guide, please check back often for changes or, better yet, subscribe to my RSS feed.

Further resources

Revisions

Click to expand...

25-Feb-2022

  • removed CSS Exfil Protection add-on

18-Feb-2022

  • removed Clear URLs add-on - it's unnecessary given the 'arkenfox' user.js and updated suggested settings for uBlock Origin

4-Feb-2022

  • a year late, i learned that Waterfox was sold to an advertising company - yet another reason to avoid 3rd party builds/forks of Firefox

2-Feb-2022

  • added an excerpt from PrivacyTests.org

28-Jan-2022

  • language updates - minor stuff

22-Jan-2022

  • removed Cookie AutoDelete ('cause dFPI, ya know?)
  • removed HTTPZ - not needed
  • removed much of the VPN info since it's included in the VPN-Tor article
  • several small edits, corrections, deletions

14-Dec-2021

  • very minor edit

13-Jun-2021

  • minor edits, typos

20-Oct-2020

7-Oct-2020

  • added more info about the user.js-notify.sh script

27-Sep-2020

  • reversed the order of this change log so newest changes are at the top

26-Sep-2020

  • well, that didn't last long - after more testing i reinstated Cookie AutoDelete because i think it's easier to use it than it is to be adding cookie exceptions all the time, plus no CAD breaks session restore with the 'arkenfox' user.js and there are other quibbles as well
  • removed Privacy-Oriented Origin Policy - given its limited usefulness, non-noob friendly filter syntax and potential to break a site on rare occasions, i decided it wasn't needed
  • minor edits

24-Sep-2020

  • removed all Cookie AutoDelete add-on info - given the intended audience for this guide, as well as first-party isolation and resist fingerprinting being enabled in the 'arkenfox' user.js, it isn't needed
  • removed all LocalCDN add-on info - given the intended audience for this guide, as well as first-party isolation and resist fingerprinting being enabled in the 'arkenfox' user.js, it isn't needed
  • added instructions for keeping storage items (log-on credentials, settings) for websites
  • minor edits

12-Sep-2020

  • split off part of the 'Fattening the Fox' section into a new section, 'Pestering the Fox', which includes new info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only)

25-Aug-2020

  • replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
  • minor edits

18-Aug-2020

  • added more info about the 'arkenfox' updater script regarding keeping the user.js version in sync with the major Firefox version

16-Aug-2020

  • minor edit

31-Jul-2020

  • removed the 'Don't touch my tabs!' add-on (obsolete since Firefox v79)

26-Jul-2020

  • replaced Decentraleyes with LocalCDN

5-Jul-2020

  • added the video, Prof Shoshana Zuboff on surveillance capitalism

24-Apr-2020

  • updated the URL for the uBlock Origin Suggested Settings Guide

21-Mar-2020

  • removed ETag Stoppa since ClearURLs covers eTag storage filtering
  • added settings details for CLearURLs

24-Jan-2020

  • added more info about circumventing website logon problems due to Site Bleacher add-on
  • minor edits

23-Jan-2020

  • removed 'Font Fingerprint Defender' add-on - i got word that the extensions may be problematic

22-Jan-2020

  • removed 'First Party Isolation' add-on
  • added 'Font Fingerprint Defender' add-on
  • minor edits

4-Jan-2020

  • added ETag Stoppa to extensions section
  • added link to 'FAQ: Firefox Hardening' page
  • minor edits throughout

3-Dec-2019

  • minor edit

15-Nov-2019

  • added a more extensive warning about installing add-ons in addition to those recommended herein

13-Nov-2019

  • misc. edits and clarifications, nothing too drastic

6-Nov-2019

  • stuck the uBlock config stuff on its own page

5-Nov-2019

  • rewrote several bits of the guide in an attempt to clarify things and make it a bit shorter
  • edited some content to bring it up to date with the newest version of Firefox
  • adjusted settings for uBO

27-May-2019

  • added a warning about using this guide with Tor
  • added a resources section

23-May-2019

  • added instructions for enabling the search bar in the navigation bar since setting the preference alone in user.js doesn't work for some reason
  • minor edits

29-Apr-2019

  • added HTTPZ
  • added Site Bleacher and associated information
  • removed temporary profile info
  • lots of minor edits

29-Feb-2019

  • minor edit

22-Jan-2019

  • added better description and screen-caps for how to download user-overrides.js
  • minor edit

12-Jan-2019

  • clarified info regarding the downloading of the configuration files

6-Jan-2019

  • clarified a lot of stuff that may not have been clarified clearly enough
  • eliminated the 'relaxed_user-overrides.js' file - the user-overrides.js is now used for both the advanced and dummy guides
  • updated the user-overrides.js file
  • lots of minor edits, corrections

29-Dec-2018

  • polishing, clarifications

27-Dec-2018

  • added more info about using the user.js updater and prefsCleaner scrips
  • many small changes and polishing

26-Dec-2018

  • first (pre) release

Comments

Note that both reader and my comments, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.

108 thoughts on “The Firefox Privacy Guide for Dummies!”

  1. I previously used this guide and it worked perfectly. But since then it has been updated and for whatever reason is breaking my use of firefox on linux.

  2. Hi, I can’t thank you enough for this detailed and super helpful guide! There is hardly any useful information out there on how to set your browser to actually protect you!

    I followed this guide and successfully made a new Privacy profile, but I am having one small problem. I cannot log in to the Bitwarden password manager extension. I am able to log in to their webpage after I enabled Javascript for it in uBlock. I made a fresh profile and put a default user.js file in it, and in that profile I can log in, it shows a captcha and then works fine. I don’t get the captcha in the Privacy profile, wondering if something is blocking captchas, and that’ s why I can’t get in?

    Thanks!

    1. i don’t use bitwarden, but i searched it on the arkenfox issue tracker and came up with this:

      user_pref("signon.management.page.fileImport.enabled", true); // enable logins import from file (Bitwarden, KeePass)

      always check their issue tracker when you have an issue – just delete the “is:issue is:open” text before searching

      if that pref doesn’t help you, you could either open an issue and ask, or you can troubleshoot yourself using the process of elimination

      1. Wow, thank you for the super prompt reply! I tried adding that line to the updater file and then updating it with the script, but it didn’t seem to solve the problem. I will have to follow the steps in the troubleshooting. Thanks also for referring me to the arkenfox issue tracker. If I don’t post back I either fixed it or found a way to live with it. Thanks again!

  3. Your Add-ons recommendations include ‘ClearURLs’, which removes tracking parameters from URLs. That is no longer needed with ‘uBlocks’ removeparam feature. See also: https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#removeparam

    I’d suggest to activate the ‘AdGuard URL Tracking Protection’ – filter list and adding the ‘Actually Legitimate URL Shortener Tool list’: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/LegitimateURLShortener.txt

    This makes the extension redundant.

    1. i’m *all for* getting rid of extensions, however i’m not sure the solution you propose makes ClearURLs redundant

      assuming arkenfox is in play (so no need for ClearURLs eTag protection, etc.), ClearURLs still provides

      * Adds an entry to the context menu so that links can be copied quickly and cleanly
      * Prevents tracking injection over history API (see also: The replaceState() method)

      not sure exactly what “tracking injection over history API” is or whether this is covered by the AdGuard list, but i would guess that a), it isn’t, but b), this might depend on JS being enabled???

      if “tracking injection over history API” simply means changing the URL of history items (to include tracking params), then i would assume the AdGuard list would protect the user when the link is clicked

      thoughts?

      1. To quote the arkenfox wiki:
        ‘Neat URL, ClearURLs
        Redundant with uBlock Origin’s removeparam and added lists. Any potential extra coverage provided by additional extensions is going to be minimal’ – They changed that part recently.

        Maybe you can ask them what additional features, they’re talking about?

        1. apparently I was a bit too hasty with the suggestion.
          uBO only removes the query parameters and cannot, for example, rewrite parts of the path
          See also:
          https://www.reddit.com/r/uBlockOrigin/comments/pg8dze/comment/hmzv2mp/?utm_source=share&utm_medium=web2x&context=3
          and
          https://www.reddit.com/r/PrivacyGuides/comments/r7dodd/comment/hn2assa/?utm_source=share&utm_medium=web2x&context=3

          Maybe it’s good enough for mobile though because it’s not compatible?

          1. > Maybe it’s good enough for mobile…

            i don’t use FF on mobile so i don’t wanna offer any advice on that in the guides

            as much as i’d like to dump it, so far i think i’ll stick with suggesting ClearURLs

            on a side note, some people have griped about it not being updated in a long time, however the filters it uses are not hard-coded and the filter list has been updated as recently as 08 Oct 2021

            1. I didn’t use firefox on my phone before either, but with the upcoming change with manifestv3 I can’t reconcile it with my conscience to continue using a chrome based browser. Mozilla is also a monster, but not quite at Google yet. What other alternatives do you have? Exactly…..

              Where I must say that I mean the ‘Mull’ browser, which uses Firefox as a base and then the developer hardened the whole thing with arkenfox. You can find it at F-Droid.

                1. The problem with this and many other browsers is that do not have their own engine, which are then all based on androids (in the worst case directly Google’s), Webview:
                  Android WebView is a system component powered by (Google-) Chrome that allows Android apps to display web content. This component is pre-installed on your device (…) …….

                  If you install custom roms the part is usually replaced by a hardened variant – which is essential… not only for security, but also for privacy reasons…
                  but ok mobile is a whole other topic, let’s leave it at that :)

                  Back to topic:
                  Let’s keep ClearURLs for now ;-) It’s not like it isn’t working just fine. The lists are up-to-date as well, as you mentioned.

                  1. i wasn’t sure if Privacy Browser used Webview or not but i do always root&ROM my phones, however if i ever get another one it might be Librem or PINEPhone

                    thing is with phones, and the same is true for PCs far as i know, they all have some kind of potential back-door, the baseband OS in the case of phones and i’m not entirely convinced that it’s totally isolated in the privacy-branded phones even with dedicated memory for the user-facing OS

    1. i would imagine that the guide can be applied to Mac as well – the changes are made to Firefox, not the system, and i would guess that the same version of Firefox is used on Mac, so there shouldn’t be any problem

      also you can always create a new profile to modify, thus leaving your current one untouched (enter about:profiles in the address bar)

      1. Yeah, struggling with the part of turning the .sh files into executables on Mac. I’ve been reading various guides and found some, but for some reason my Mac cannot find the privacy folder. Do I need to be running terminal as the admin to find it?

        1. > Do I need to be running terminal as the admin …

          unlikely – on Linux that folder is in the /home directory where all user documents/data typically exist

          what sh files are you working with? the updater.sh script from the arkenfox repo should work on Mac without issue – if not, either open an issue or tell me exactly what’s broke and i’ll open one for you

  4. Thank you for this guide.
    I found that after implementing this I had to start using a usercontent css for the likes of lifewire as the cookie notice relys on javascript to dissappear and also to block an add in yahoo mail that would always appear on the top of my emails.
    here is a nice guide on creating a custom user css https://superuser.com/questions/318912/how-can-i-override-the-css-of-a-site-in-firefox-with-usercontent-css
    just make sure to restart firefox to see any changes and to also create a userChrome.css file in the same folder with the code “@namespace url(“http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul”);”

    and here is the code needed for lifewire
    @-moz-document domain(lifewire.com) {
    #onetrust-banner-sdk, .onetrust-pc-dark-filter
    {display:none !important;}
    }

  5. Thank you so much man, keep it up!
    It helps a lot and after some testing, coveryourtracks from eef. says still that my fingerprint is nearly unique but i guess, thats just a misstake becouse of good privacy? I am not that well known in all that, but still care for privacy and fear google amazon etc.

    So thanks!

  6. First of all I want to thank you very, very, very much, for writing these guides and helping us privacy noobs to bolster and ground us against the exploatators. The pinch of humor in the article helps digest the subject matter better and again I’m very grateful for your effort.

    But! there is a little problem I run into and I’m kinda clueless how and what to do.
    For our classes we have to use Cisco Webex and sometimes Zoom, the problem is I’m not able to connect via audio to the session. Now I tried tweaking it in the user.js and prefs.js files by disabling some user prefs like:
    (“media.getusermedia.audiocapture.enabled”, false)
    (“dom.webaudio.enabled”, false) and setting the cam and mic permissions to 0; and I did really come further, in the way that Webex recognises and offers me to not connect via dialing the number, but to click and connect audio on my computer. Now the problem is that when I do that I’m shown that the connection is in progress, but nothing more happens, so I’m kinda in a connection loop.
    I tried inspect Element and looking after some hint where the problem is, but honestly I have no idea what to look after… So I’m asking for some help, at best you tell me what user_pref should I change, to make it work.

    Sorry for bothering you with such long comment and again thanks for such comprehensive guide! I was long time trying to understand and handle my privacy online and your was that little-big that I needed. Keep it up!

    1. thanks much for the kind words

      the first step to solving your problem is to determine whether the issue is caused by an extension or the user.js – create a fresh profile and copy a default user.js to it and see if the issue is solved, in which case you’ll know an extension is causing the problem (i don’t know if you’re running uBlock and/or uMatrix)

      if the issue is not solved then the user.js is a likely cause – if you search for ‘zoom’ on the arkenfox repo issues you’ll find this – maybe that will solve both problems??? i don’t know as i don’t use either of those programs

      if that doesn’t help you, let me know and we’ll go to the next step

      1. I was kinda busy and forgott to respond and I just came back to say thanks for the provided link and help, since the problem was indeed caused by the modifications in the user.js file.
        Now I’m not 100% sure which one was it, but Zoom and Webex now allow me to listen to the classes and watch the shared screen presentations, even though in Zoom my own webcam appears having some issues (if someone got the problem, you can find more about it on the provided link), but for myself this comes handy, since I dont like being showing myself online anyways…

        Cheers and Godspeed with this project!

  7. I now have multiple profiles for various purposes but every time I start Firefox it always loads my default one, that fancy profile manager of yours is nowhere to be seen. This happens both on Windows and on Debian actually, how do I make enable it?

    1. > that fancy profile manager of yours is nowhere to be seen

      not sure what you mean – i never created a profile manager

      to have Firefox ask which profile you want to use when it starts, add -P to the command – see here for more – if you need more help, let me know

Leave a Reply to 7sillyeaters Cancel reply

Your email address will not be published. Required fields are marked *