The Firefox Privacy Guide for Dummies!


See the revision history at the end ... if you make it that far :)

Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not bother with this guide.

Introduction

The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.

Video: Prof Shoshana Zuboff on surveillance capitalism

You're aware that unethical companies such as Facebook, Instagram, Google, YouTube, advertisers, your ISP and governments are spying on your activities and buying and selling the data they harvest, even if you may not be aware of how they're doing it. You're concerned about this invasion of your privacy, but you're wondering 'yeah, but what can a tech-challenged dummy like me actually DO about it wise guy???'.

Welcome to the 'dummies' edition of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs!!!

The goal here is to provide a simple guide, to the extent that's possible, which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little more effort into your surfing activities, at least until the dust settles. The pay-off will be a much faster, cleaner, less annoying web that is less able to track and profile you. Note that i said "less", not "not".

WARNING: This guide is not intended for use with the Tor browser which is an already hardened version of Firefox. Configuring the Tor browser as outlined here would likely result in DOOM!

Catching the Fox

You want the standard release version of Mozilla Firefox, even if you think you don't. No Pale Moon, no Waterfox, no whatever, so if you don't have it, get it. If you run a GNU/Linux-based operating system (we're already in love), look in your package manager. Since it's privacy we're interested in, we're way too smart to be screwing around with Google Chrome (un-Googled or otherwise), Microsoft Edge, etc., though if you have an inferior alternative browser you could retain it as a backup.

Actually i lied. There is in fact one other browser you might want to consider and it's... Firefox! Except it's a modified version of Firefox called LibreWolf. LibreWolf already has some of the privacy features discussed here baked right in and thus using it will reduce the trauma you'll be subjected to in this guide, however if you decide to use it, you will probably want to avoid adding the 'arkenfox' user.js mentioned here since LibreWolf already implements a lot of the enhancements provided by the 'arkenfox' project. You can also skip the 'profiles' parts of this guide. Just be aware that you will need to manually update LibreWolf since it has no auto-update mechanism (if you're running a Linux distro then update notifications may come by way of your package manager).

Profiling the Fox

Start Firefox and enter about:profiles in the address bar. You can call it the "location bar" or the "awesome bar" or the "mega bar" or whatever else Mozilla is calling it these days, but i call it the address bar. Press your 'Enter' key to load that address and you'll see where Firefox keeps your profiles which is where most of your settings, bookmarks, browsing history and other junk gets dumped.

You can have as many profiles as you want, but by default there will be just one named '[blah-blah].default'. Well, we need another, so click the 'Create a New Profile' button and name the new one 'privacy'. You can change the name later, but leave it be for now else you'll make me mad and lose 10 internet points.

Firefox Profile Manager - Set default profile

After creating your new privacy profile, set it as the default profile.

Pro Tip

There are many about:pages in Firefox, but not all are accessible from the various menus. To see some of those that aren't, load about:about in the address bar, but be careful what you mess with in there!

Training the Fox

If you're running Windows you've just lost 100 internet points, plus you'll need to un-hide file extensions and i might suggest keeping them un-hidden.

With Firefox up and running, load about:preferences in the address bar or click the Hamburger icon on the toolbar, then 'Settings'. Click the 'Search' menu item on the left and under where it says 'Search Bar', click 'Add search bar in toolbar'. Trust me. Reasons.

Next, go to the arkenfox/user.js GitHub repository. We need their prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: One by one, click on the file names, then click the 'Raw' label, then press Ctrl+S and save the files in your Firefox 'privacy' profile folder where the prefs.js file is. Failing to heed my advice can cause the file to get messed up which will surely result in Russia nuking us. If you want to avoid those steps, here's the direct links to the files: updater.sh (Linux), updater.bat (Windows), prefsCleaner.sh (Linux), prefsCleaner.bat (Windows). Just right-click those links and then 'Save as...'. Now if you're one of those wiz kids, you may have deduced that we're going to need that user.js file too but we'll grab that baby another way in just a bit.

Next, go to the 12bytes.org/Firefox-user.js-supplement page at Codeberg.org, click the user-overrides.js file, then click the 'Raw' label and press Ctrl+S to save the file in the same place as the others (here's the direct link).

You'll need a decent code editor for this next step (not Notepad!), preferably one with syntax highlighting. If you're running Wintendo (that's one of my several derogatory names for Winblows), PSPad is nice, simple and free. If you're running Linux (which sucks more than i'm letting on but not nearly as much as Windoze) you've surely got something installed already.

What you need to do now is open that user-overrides.js file in your code editor and follow the directions Very Carefully. Every single little itsy-bitsy thing you could ever possibly want to know about everything in that file, is in that file... except whatever i forgot to add.

Now that you've sifted through that convoluted mess (go you!), load Firefox's about:profiles page again. Note that user profiles and web cache are stored in separate folders, thus why you may see more than one directory path for each profile. In the row labeled 'Root Directory' under your 'privacy' profile, click the 'Open Directory' button and then kill Firefox.

Profile Tip

If you don't want Firefox whining about which profile to load every time it starts, you can select your preferred profile and check the 'Don't ask at startup' option, but don't do that yet! Another way is to create a shortcut to load any profile you want.

For more about profiles, see Use the Profile Manager to create and remove Firefox profiles and Multiple Firefox profiles.

For more about ticklish penguins, go here.

In your file manager you may notice that the folder containing your 'privacy' profile actually has a longer name with a bunch of gobbledygook preceding 'profile'. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper.

Now we need to run that updater script. How to do that depends on whether...

...you're running Linux

You will need to make those .sh files executable. You could try meditation or sacrificing a small mammal, but it'd probably be quicker to just right-click on each of them to open the file properties dialog window and click the 'Is executable' checkbox on the 'Permissions' tab (or similar). If your file browser doesn't have such an option, open a terminal in your privacy profile directory and run chmod +x *.sh, or, failing that, see How do I run .sh files?.

We need to run that updater.sh script from a terminal, so open one and change the directory to your privacy profile directory where the updater.sh file is. In the example below you'll need to change 'gobbledygook' to match the correct name of your profile folder:

cd ~/.mozilla/firefox/gobbledygook.privacy/

Now run the updater.sh script by preceding the file name with a dot and a slash:

./updater.sh

...or Windoze

To run that updater.bat script, navigate to your Firefox profile directory, hold down the Shift key and right-click in an empty space where the file is, then select "Open Command Window Here". Enter updater.bat and hit Enter. If you have trouble, see How to Run a BAT File on Windows: 13 Steps (with Pictures).

The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've followed all the directions you didn't read, the script will download a fresh copy of the 'arkenfox' user.js file to your Firefox 'privacy' profile directory and then append the contents of your user-overrides.js to it just like it says on the tin.
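The append step matters because Firefox reads user.js from top to bottom, so the last user_pref() for a given name is the one that takes effect. The following is an added example, not code from this guide or from the 'arkenfox' project: it lists which preferences the appended overrides actually changed. The sample file and its values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the arkenfox or 12bytes.org files.
# Firefox applies user.js top to bottom, so after user-overrides.js is
# appended, the LAST user_pref() for a name is the effective one.

# overridden_prefs [FILE]   (reads stdin when no file is given)
# Prints "name<TAB>first value<TAB>effective value" for every pref that is
# set more than once and ends up with a different value.
overridden_prefs() {
    awk '
    {
        line = $0; code = ""
        # Strip /* ... */ comments, which may span several lines.
        # Limitation: "/*" inside a string value would be misread.
        while (line != "") {
            if (in_comment) {
                i = index(line, "*/")
                if (i == 0) { line = "" }
                else { line = substr(line, i + 2); in_comment = 0 }
            } else {
                i = index(line, "/*")
                if (i == 0) { code = code line; line = "" }
                else {
                    code = code substr(line, 1, i - 1)
                    line = substr(line, i + 2); in_comment = 1
                }
            }
        }
        sub(/^[ \t]+/, "", code)
        # Lines commented out with // do not start with user_pref and are skipped.
        if (!match(code, /^user_pref\("[^"]+",[ \t]*/)) next
        rest = substr(code, RLENGTH + 1)
        name = code
        sub(/^user_pref\("/, "", name)
        sub(/".*$/, "", name)
        # Value is a quoted string or a bare token (number, true, false).
        if (!match(rest, /^("[^"]*"|[^ \t);]+)[ \t]*\)/)) next
        value = substr(rest, 1, RLENGTH)
        sub(/[ \t]*\)$/, "", value)
        if (!(name in first)) { first[name] = value; order[++n] = name }
        last[name] = value
    }
    END {
        for (k = 1; k <= n; k++) {
            name = order[k]
            if (first[name] != last[name])
                printf "%s\t%s\t%s\n", name, first[name], last[name]
        }
    }' "$@"
}

# Constructed sample of a combined user.js (values are illustrative only).
sample_userjs() {
    cat <<'EOF'
/******
* name: constructed sample, not the real arkenfox user.js
******/
/* startup page
 * 0=blank, 1=home ***/
user_pref("browser.startup.page", 0);
user_pref("browser.startup.homepage", "about:blank");
user_pref("keyword.enabled", false);
   // user_pref("privacy.resistFingerprinting", true);
/* ---- appended user-overrides.js (constructed) ---- */
user_pref("browser.startup.page", 3); // restore previous session
user_pref("browser.startup.homepage", "about:home");
user_pref("keyword.enabled", false);
user_pref("privacy.resistFingerprinting", false);
EOF
}

# Demo on the sample; on a real profile run: overridden_prefs user.js
sample_userjs | overridden_prefs
```

Run it with Firefox closed, from the profile directory, after the updater has finished.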

Pestering the Fox

The 'arkenfox' user.js is updated frequently so you'll need to check for updates regularly. One simple way to do that is by running the 'arkenfox' updater script, or if you're using a Linux-based OS you can use my user.js-notify.sh script to be automatically notified via a desktop notification. You can add the script to your startup programs so it runs each time you log-on to your desktop (make sure it's executable). Instructions for implementing the script are contained within the script.

If you're not doing automatic update checks then you should run the 'arkenfox' updater script every week or so as well as check my Codeberg repo for a new version of my user-overrides.js if you're using it, but don't get ahead of yourself; you always want the user.js version that corresponds to your major version of Firefox, so if the updater script says Available online: * version 80 and you're running Firefox version 79, you'll want to cancel the update because 80 doesn't equal 79 (unless you're "woke" in which case all bets are off).
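One way to automate that version check (an added example, not part of the 'arkenfox' updater): it compares the major version reported by firefox --version with the '* version NN' line of a user.js header. The "Mozilla Firefox 79.0" output format and the sample header are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the arkenfox updater script.

# firefox_major "Mozilla Firefox 79.0.1"  ->  79
firefox_major() {
    printf '%s\n' "$1" |
        sed -n 's/^Mozilla Firefox \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# userjs_major < user.js  ->  80
# Reads the "* version 80" header line; a colon after "version" is tolerated.
userjs_major() {
    sed -n 's/^[[:space:]]*\*[[:space:]]*version:\{0,1\}[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# update_verdict "FIREFOX VERSION STRING" < candidate user.js
# Prints one of: match | userjs-newer | userjs-older | unknown
update_verdict() (
    ff=$(firefox_major "$1")
    js=$(userjs_major)
    if [ -z "$ff" ] || [ -z "$js" ]; then
        echo unknown            # could not parse one side: do not update blindly
    elif [ "$js" -eq "$ff" ]; then
        echo match              # safe to accept the update
    elif [ "$js" -gt "$ff" ]; then
        echo userjs-newer       # e.g. user.js 80 vs Firefox 79: cancel the update
    else
        echo userjs-older
    fi
)

# Constructed header in the format quoted above ("* version 80").
sample_header() {
    printf '/******\n* name: constructed sample\n* version 80\n******/\n'
}

# Demo with constructed values; on a real system:
#   update_verdict "$(firefox --version)" < user.js
sample_header | update_verdict "Mozilla Firefox 79.0"
```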

Each time you run the updater script, and with Firefox closed, be sure to follow it up by running the prefsCleaner script using the same method you used to run the updater script. The prefsCleaner script will nuke any deprecated/removed/inactive preferences and it's important that you do this.

updater script Pro Tip

If you use Linux you can run the updater script with the -c switch (./updater.sh -c) which will create a 'diff' file that will list all the differences between the old and the new user.js.

To see all the options for running the updater script for both Linux and Windows, see the Updater Scripts article on the 'arkenfox' wiki.

Fattening the Fox

Next we're going to the Firefox Add-ons website to install uBlock Origin (uBO) by Raymond Hill. We want uBlock Origin specifically and not any derivatives, copies, forks, fakes or imposters.

Why does he say 'WE' and 'WE'RE' when 'I' am the one doing all the f'n work?!

Plausible deniability. If i screw something up that causes your computer to explode, it's your fault. LOL

Regarding add-ons, more = more bad, generally speaking. It's pretty important, and especially so if you're new to the game, to NOT install add-ons willy-nilly. The more you install, the more likely things will break and that your privacy will be compromised, so don't go overboard with add-ons.

Firefox has fairly comprehensive built-in mechanisms to thwart browser fingerprinting and tracking and safeguard your privacy (these are activated in part by the 'arkenfox' user.js). While they alone are not quite enough for us privacy geeks, which is why you fell into this pit of despair, they do cover a lot of important ground. If you install additional "privacy" related add-ons that you *think* will enhance privacy, you could very easily wind up doing the opposite.

Back to uBlock...

I know, this is supposed to be the 'for dummies' guide and all, but you really must learn how to use uBlock Origin (uBO). The good news is that it too has a 'dummy' mode and it's enabled by default! To begin, configure uBO according to my uBlock Origin Suggested Settings guide using the 'dummy guide' settings.

Of particular importance, DO NOT select the 'I am an advanced user' option! Don't look at it. Don't think about it. Don't think about looking at it ... at least not until you read all that 'required reading' stuff and understand fully what uBO is, does, how to use it, and how easy it is to break the entire interwebs if, er, when you screw up.

Now it's really important that you read this and this and this, but only up to the 'Medium mode' part for the last one. Once you complete that you'll be a Semi-Certified uBlock Origin Web Filter Engineer Apprentice!

Break time...

Training the Foxineer

With all that done and Firefox running, close all tabs and click the Hamburger button again to open the Preferences window, then click the Privacy & Security menu item (or load about:preferences#privacy in the address bar). Scroll down to the Cookies and Site Data section and click the Manage Data button. In the Manage Cookies and Site Data window that opens, click Remove All. This will remove (almost) all of the gunk that Firefox has accumulated thus far. We may as well start clean, plus now you know one way to scrap much of Firefox's storage.

If you've used the Fox before there's going to be some changes, one of them being that you'll be searching from the search bar (or a web page that isn't Google hopefully) instead of the address bar. The reason for this is a little creepy, suffice to say it's a privacy/security thing. Live search suggestions will be disabled because that's also creepy.

Now for some really important stuff...

Remember last week when you started reading this and i said we'd be "breaking as few websites as possible"? Kek! Since we disabled JavaScript globally with the uBO settings i suggested, every other website you visit is gonna be busted, and for good reason too!

There's a few things you need to know about JavaScript: 1) it's awesome-ish, 2) it's a privacy and security nightmare, 3) almost every website on Planet Earth uses it unnecessarily (even this one, but i'm working on that).

JavaScript (JS) can be used to do all sorts of cool and creepy things like make web pages interactive, make dull things look un-dull, animate stuff, etc. It's used a lot by morons (the modern web developer) for making navigation menus work and displaying images and interactive content, as well as for annoying the crap out of you with ads, pop-ups and other such garbage. It's almost always necessary to enable JS when shopping. Of primary importance here is the fact that JS is leveraged heavily for distributing malware, tracking your journey across the web-o-sphere, profiling you, learning about your bathroom habits and much, much more (and believe me when i tell you that i'm exaggerating far less than you might think with the "bathroom habits" thing). The 'arkenfox' user.js and uBO provide powerful countermeasures to address such threats, but they don't compensate for stupidity.

Here's an excerpt from PrivacyTests.org if you care to read it...

Why web browsers are critical to online privacy

Once private data has leaked from your computer, phone or tablet, there is not much you can do to control it. But how does data leave your device in the first place?

Your web browser is a likely route: browsers commonly leak data to third parties, revealing what web pages you have visited. This information lets tracking companies know what you read, what you write, where you are located, what you search for, and what you buy. And this highly personal information is assembled by those companies into detailed individual profiles of every person on the internet, containing data on your ethnicity, religious views, political views, sexual orientation, gender, family, friends, colleagues, health history, habits, relationships, educational records, income, and so on. These companies often retain your data for years or decades, and sometimes share it with third parties, including other companies or governments.

If you want to beat yourself up even more, read Stop pushing JavaScript! by a guy who knows what he's talkin' 'bout and/or watch this video:

Disable JavaScript Tutorial Online Security | The Hated One

Now do you see why we disabled JS globally for the entire interwebs??? Thing is, it's very easy to enable again For Those Specific Websites Where You Really Need It To Be Enabled. "Need", i said. Not "like" or "want", but "need".

Start Firefox and load up your privacy profile, then middle-click this link to open it in a new tab and click some of the colors on the color swatch and…… well that was boring, but WAIT! THERE'S MORE! Now click the uBlock Origin button on your toolbar and in the lower right corner there’s an icon that looks like a </>, except it has a red ‘X’ through it. That icon is secret code for [CENSORED]. Click it to remove the ‘X’ and you will have enabled JavaScript for that particular domain (w3schools.com) after which you’ll see a new button appear on the uBO dashboard right outta thin air that has circlely arrows on it. Clicking that (or pressing F5) will refresh the page at www.w3schools.com and this time your browser will allow JS to run for the entire w3schools.com domain. That color swatch page will now look very different and this time when you click the colors, awesome things will appear that will surely dazzle you for hours on end like that damned triangle puzzle-peg thingy in every Cracker Barrel.

The point of that nail-biting exercise was to demonstrate the power of JavaScript by showing you how different it can make a website look and function, as well as how necessary it is in some, but not all cases. For example, if you're reading this intensely interesting novel with your Firefox privacy profile loaded and JS disabled for 12bytes.org, it wouldn't make much difference because this place looks and works pretty much the same, thus you should never enable it where it isn't needed, kapish?

Now you're going to take the JavaScript Oath. DON'T LAUGH! This is important shit!

OK, now repeat after me...

EYE SHALL NOT ENABLE JAVASCRIPT FOR ANY WEBSITE UNLESS A) THE WEB DEVELOPER IS AN ETHICAL BLOOD RELATIVE WHOM I TRUST WITH MY SISTERS VIRGINITY AND B) IT MUST BE ENABLED IN ORDER TO PROVIDE REQUIRED FUNCTIONALITY THAT WOULD OTHERWISE NOT BE AVAILABLE (AND NO, LOOKING AT BOOBS DON'T COUNT).

The "HELP! I accidentally allowed JavaScript for xyz.com!!! Am I doomed???" Pro Tip

Several victims of this guide have asked whether they should reinstall Firefox after they've messed something up, such as unintentionally allowing JavaScript for a crappy website. The answer is no. Reinstalling Firefox is unnecessary and doing so will not touch your profiles where most of the data accumulated during web browsing resides. As long as you haven't been infected with some malware there's little to worry about. The default settings provided by the 'arkenfox' user.js enable settings that keep the data for every website you visit separate from every other website, plus these settings dump all this data when the browser is closed. Also you can always dump the browser cache any time you want. If you're still shaking uncontrollably you could create a new privacy profile, import the stuff you need, and nuke the old one, but this is pretty extreme.

Importing stuff from an old profile

If you're not a first-time Firefox user and you have important bookmarks or other junk you want to import to your new privacy profile, make a backup copy of your profile and then go ahead and read this.

What to do when the Fox bites

It's inevitable that you're going to have trouble with some websites. Keep calm. Breeeeath! You've already gotten a taste of how a website can be rendered useless with JavaScript disabled and although i let you enable it for the site given in the example earlier, i only did so because it's a trustworthy place. The next website you visit may not be. You're here aren't you?

To make a broken website un-broken you'll need to use uBlock Origin to enable the functionality you need for those websites you trust. If you cannot get a website to cooperate by making site specific changes with uBlock, you can always spin-up a fresh, empty profile to load the site and delete it afterwards, but understand that you will be at the mercy of a completely default Firefox configuration. You could also create dedicated profiles, such as for shopping or banking for instance. For websites you don't trust, why are you visiting them? Porn? Warez? Facebook? Instagram? Google? If you value your privacy and digital integrity at all, forget that stuff! Seriously.

Another 'gotchya' that will likely creep up at some point is a website not saving settings that you wanted to save, such as your log-on credentials or search engine settings. To save such data you'll need to edit the permissions for the domain and there's two easy ways to access them; you can click the padlock icon in the address bar, then the right-facing arrow, then "More information", or simply hit Ctrl + I (that's an eye, not an el). In the window that opens, click the "Permissions" icon and scroll down until you see the "Set Cookies" item. Finally, deselect the "Use Default" preference and select "Allow" if you want to save the data for that domain across restarts, or "Allow for Session" if you want to dump the data after you close the browser. I would not suggest permanently allowing cookies for any mainstream, privacy-hating Big Tech website such as Google, Yahoo, Bing, Facebook, Instagram, Twitter, eBay, etc.

The Fox hole

Even with everything you and i have accomplished you're still vulnerable to being tracked and profiled, however you're in a much better position than when we started out... except for one little problem: your Internet Service Provider!

At the very least your ISP can see what websites you visit, how long and how often you're visiting, and when you're on-line and when you're not. They may even inject ads, malware or other garbage in your data stream. The solution: Hijack your neighbor's unprotected WiFi and... Kidding! Listen, you and i have gotten to know each other throughout this long and difficult ordeal. We're kinda like buddies now. Kinda. And i can already tell your ethics are of a higher caliber than mine, er, that!

One solution to this problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?

A VPN works by routing all of your internet traffic through an encrypted tunnel between you and another computer run by the VPN service provider which we'll call an 'exit node'. That exit node could be anywhere in the world. From the exit node your traffic flows as normal to whatever website you want to visit and the website then sends the kitty video you clicked on back to the exit node thinking IT is YOU, but alas, IT ISN'T YOU! The kitty video then secretly makes its way back to you through this secret tunnel which was secretly established between you and the exit node. So far as the website is concerned, it doesn't know where the hell you are and so far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to an ameba (actually that may be a lie but we're not going to dig that deep, k?). Ever annoyed by that galactically stupid "Sorry, this video is not available in your country" crap? Pfff. Any remotely decent VPN provider will maintain many exit nodes throughout the world and switching between them is usually as simple as a mouse click or two.

Now, listen up...

There are truck loads of VPN service providers and the vast majority of them are unethical jackasses. In particular i would strongly advise avoiding any VPN add-on on the Mozilla add-ons website or which advertises its service as being "free".

Currently i use AzireVPN which you can read about here and here and here, however Mullvad seems like it may be the better choice for those who are less technically inclined. Azire owns and secures all of its servers while Mullvad owns and secures a small portion of their servers. Both accept cryptocurrency as payment and do not require any personal information, but they still know your IP address of course.

WHAT THE FOX!

So now you're all smitten thinking you're invincible and ready to hack NASA to see if aliens really built secret underground bases on the back side of the moon (they did, sorta, i think). You're not, but you've taken one, small step for man, and.....

Truth is, there are far more vectors for attack than you and i (and many of the so-called "experts") will ever know about, so don't get all uppity. Perfect privacy on the web, as in real life, is a pipe dream and it wasn't the goal here anyway. We've covered several important bases that will help prevent nasty corporations and your ISP from spying on you, but not all of them. Remember that when you're creating fake profiles on Facebook to stalk your ex.

After you've taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode.

Be safe. Be ethical. And if you need help (after you've tried to help yourself), leave a comment or check the FAQ: Firefox Hardening page.

IMPORTANT: If you incorporate suggestions made in this guide, please check back often for changes or, better yet, you can subscribe to the following news feeds (if you need a news feed reader, see Firefox Extensions - My Picks):

The last word (i promise!)

One of the problems i think many people face when they become concerned about on-line privacy is overcoming the technical hurdles in order to achieve the desired result. This can lead to frustration and reverting back to their old ways. Digital privacy is not easy, but it's a lot easier to achieve if you progress in small increments rather than huge hurdles and Naomi Brockwell's videos are a fantastic resource in that regard. If you have a hard time swallowing this guide and getting used to a hardened Firefox, don't sweat it and don't give up. Make another default Firefox profile and use it whenever you feel like punching someone (me).

Further resources

Revisions

25-May-2023

  • add a mention of LibreWolf

16-May-2023

  • trivial edits/corrections
  • add link to Alicia's Personal Security Checklist

11-May-2023

  • removed recommendation for OVPN
  • added recommendation for Mullvad VPN

17-Apr-2023

15-Mar-2023

  • fixed broken links

25-Feb-2023

  • made a bunch of non-crucial edits

1-Nov-2022

  • several edits and clarifications but nothing really important

21-Jul-2022

  • minor edits and clarifications

6-Jul-2022

  • trivial edits - nothing to worry about

25-Feb-2022

  • removed CSS Exfil Protection add-on

18-Feb-2022

  • removed Clear URLs add-on - it's unnecessary given the 'arkenfox' user.js and updated suggested settings for uBlock Origin

4-Feb-2022

  • a year late, i learned that Waterfox was sold to an advertising company - yet another reason to avoid 3rd party builds/forks of Firefox

2-Feb-2022

  • added an excerpt from PrivacyTests.org

28-Jan-2022

  • language updates - minor stuff

22-Jan-2022

  • removed Cookie AutoDelete ('cause dFPI, ya know?)
  • removed HTTPZ - not needed
  • removed much of the VPN info since it's included in the VPN-Tor article
  • several small edits, corrections, deletions

14-Dec-2021

  • very minor edit

13-Jun-2021

  • minor edits, typos

20-Oct-2020

7-Oct-2020

  • added more info about the user.js-notify.sh script

27-Sep-2020

  • reversed the order of this change log so newest changes are at the top

26-Sep-2020

  • well, that didn't last long - after more testing i reinstated Cookie AutoDelete because i think it's easier to use it than it is to be adding cookie exceptions all the time, plus no CAD breaks session restore with the 'arkenfox' user.js and there are other quibbles as well
  • removed Privacy-Oriented Origin Policy - given its limited usefulness, non-noob friendly filter syntax and potential to break a site on rare occasions, i decided it wasn't needed
  • minor edits

24-Sep-2020

  • removed all Cookie AutoDelete add-on info - given the intended audience for this guide, as well as first-party isolation and resist fingerprinting being enabled in the 'arkenfox' user.js, it isn't needed
  • removed all LocalCDN add-on info - given the intended audience for this guide, as well as first-party isolation and resist fingerprinting being enabled in the 'arkenfox' user.js, it isn't needed
  • added instructions for keeping storage items (log-on credentials, settings) for websites
  • minor edits

12-Sep-2020

  • split off part of the 'Fattening the Fox' section into a new section, 'Pestering the Fox', which includes new info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only)

25-Aug-2020

  • replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
  • minor edits

18-Aug-2020

  • added more info about the 'arkenfox' updater script regarding keeping the user.js version in sync with the major Firefox version

16-Aug-2020

  • minor edit

31-Jul-2020

  • removed the 'Don't touch my tabs!' add-on (obsolete since Firefox v79)

26-Jul-2020

  • replaced Decentraleyes with LocalCDN

5-Jul-2020

  • added the video, Prof Shoshana Zuboff on surveillance capitalism

24-Apr-2020

  • updated the URL for the uBlock Origin Suggested Settings Guide

21-Mar-2020

  • removed ETag Stoppa since ClearURLs covers eTag storage filtering
  • added settings details for ClearURLs

24-Jan-2020

  • added more info about circumventing website logon problems due to Site Bleacher add-on
  • minor edits

23-Jan-2020

  • removed 'Font Fingerprint Defender' add-on - i got word that the extensions may be problematic

22-Jan-2020

  • removed 'First Party Isolation' add-on
  • added 'Font Fingerprint Defender' add-on
  • minor edits

4-Jan-2020

  • added ETag Stoppa to extensions section
  • added link to 'FAQ: Firefox Hardening' page
  • minor edits throughout

3-Dec-2019

  • minor edit

15-Nov-2019

  • added a more extensive warning about installing add-ons in addition to those recommended herein

13-Nov-2019

  • misc. edits and clarifications, nothing too drastic

6-Nov-2019

  • stuck the uBlock config stuff on its own page

5-Nov-2019

  • rewrote several bits of the guide in an attempt to clarify things and make it a bit shorter
  • edited some content to bring it up to date with the newest version of Firefox
  • adjusted settings for uBO

27-May-2019

  • added a warning about using this guide with Tor
  • added a resources section

23-May-2019

  • added instructions for enabling the search bar in the navigation bar since setting the preference alone in user.js doesn't work for some reason
  • minor edits

29-Apr-2019

  • added HTTPZ
  • added Site Bleacher and associated information
  • removed temporary profile info
  • lots of minor edits

29-Feb-2019

  • minor edit

22-Jan-2019

  • added better description and screen-caps for how to download user-overrides.js
  • minor edit

12-Jan-2019

  • clarified info regarding the downloading of the configuration files

6-Jan-2019

  • clarified a lot of stuff that may not have been clarified clearly enough
  • eliminated the 'relaxed_user-overrides.js' file - the user-overrides.js is now used for both the advanced and dummy guides
  • updated the user-overrides.js file
  • lots of minor edits, corrections

29-Dec-2018

  • polishing, clarifications

27-Dec-2018

  • added more info about using the user.js updater and prefsCleaner scripts
  • many small changes and polishing

26-Dec-2018

  • first (pre) release

Comments

Note that both reader and my comments, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.

116 thoughts on “The Firefox Privacy Guide for Dummies!”

  1. I read about using ‘user.js’ for configuring Firefox browser in a German blog (in English translation) and a book (German, translated into English). Then I read about it in arkenfox.net and finally in 12bytes.org. This quest was the continuation of my fascination with rooting my Android smartphone.

    This particular section of 12bytes.org titled “The Firefox Privacy Guide For Dummies!” is intended to help novices (dummies) like me. But, the sad truth is that dummies rarely seek help, because they don’t know that they need help. Help for what? For safeguarding themselves on Internet. The greatest impediment is the attitude that “I don’t have anything to hide from anybody”. In fact, it’s the height of ignorance.

    As long as common man views Google, Microsoft, Facebook, Twitter, etc., as knights on a mission to save humanity from ignorance, laziness and loneliness, there’s no way to help him see the truth. For example, I stopped using WhatsApp and asked all my contacts who mattered to me to give it up and adopt Telegram instead. (I can see the author of 12bytes.org laughing at me for the folly of my choice). Very little success.

    Fortunately, the author of “The Firefox Privacy Guide For Dummies!” has taken all these facts into account. Otherwise why should he painstakingly do “The Firefox Privacy Guide For Dummies!” section? The section “Firefox Configuration Guide for Privacy Freaks and Performance Buffs” would have been sufficient.

    I read both these sections a couple of times before deciding that I was not a dummy (because I’ve been using Firefox browser for so long)! So, I took “Firefox Configuration Guide for Privacy Freaks and Performance Buffs” as my guide and proceeded to tame my Fox.

    Everything went fine. The browser (a new installation after uninstalling and deleting all traces of the previous one) configuration amazed me because it was super fast now and had very few add-ons. The web pages looked clean as if I was reading printed content on white paper. No shenanigans. Nothing!

    But suddenly trouble cropped up: No Google domains opened (and some other sites). I cross checked the configuration. Everything was fine. And that was the real problem: Everything worked as they should but I lacked knowledge and skill to tweak things when necessary. My prejudices (I’ve been using Firefox for so long, after all) had prevented me from beginning from the beginning: The Firefox Privacy Guide For Dummies!

    The author of 12bytes.org was gracious enough to help me identify the problem and solve it. Did he solve it for me? Not really. He showed me how to solve it by leading me back to “The Firefox Privacy Guide For Dummies” section.

    Now you know where to begin. From the very beginning itself.

    Why should people like the author of this blog take the pain to offer their knowledge, skill, time and effort to us unasked? He and I are hemispheres apart.

    Maybe, because they know the true meaning of the trite saying: Sharing is caring. And they have commitment.

    1. The greatest impediment is the attitude that “I don’t have anything to hide from anybody”. In fact, it’s the height of ignorance.

      very well said!!!

      Why should people like the author of this blog take the pain to offer their knowledge, skill, time and effort to us unasked? He and I are hemispheres apart.

      we’re all human beings sharing one tiny planet and from that perspective you’re just around the corner :)

      thanks much for your kind comments Murali, and i’m glad you persevered

      for the record, the problem in this case was the pref security.cert_pinning.enforcement_level having a value of ‘2’ (strict), which is the current default in the ‘arkenfox’ user.js – i don’t understand this pref fully, but apparently that caused a problem with this person’s anti-virus

      1. > the problem in this case was the pref security.cert_pinning.enforcement_level having a value of ‘2’

        No, the problem was the end user allows AV to act as a MitM and slurp up all his browser traffic. Personally, browsers are some of the most secure and protected pieces of software on the planet (by default: e.g among others, Safe Browsing lists curated by Google, which has the resources to do this right – e.g constantly adding protections for xss and other mechanisms, and MOAR), not to mention if you have Tracking Protection and/or uBlock Origin (and/or uMatrix) with blocklists and hosts lists and controlling JS etc – that forget about the tracking – the ATTACK surface is massively reduced

        At the end of the day, most damage is done by the end users (social engineering, visiting suspect websites, falling for BS), and the real solution here is to cut out the middle man – configure that AV to not interfere with web traffic.

        PS: “Don’t touch my tabs” vs earthlng’s “window opener be gone”
        – xpi is here: https://github.com/earthlng/testpages/ )
        – see https://github.com/arkenfox/user.js/issues/401#issuecomment-385262334

        1. i realize that completely and it wasn’t my intention to imply that the problem was with the user.js – perhaps i should have worded it better – what i meant was that this pref caused a problem in this case for this user

          the guy is a good guy and he’s trying, but no one is born knowledgeable – i politely scolded him in emails we exchanged about running Windows and 2 AV’s and now he’s interested in giving Linux a spin

          and thanks much for the window.opener info – i didn’t realize earthlng’s worked differently

            1. these AV “suites” ARE a virus! the only proper way to uninstall some/many/all of them is to reinstall the OS – i learned long ago in my Windows days that a resident AV scanner is largely unnecessary, at best, provided the user is smart about what they do on-line and they use a decent on-demand scanner

              as i’ve said in this article, trusting your AV to keep you safe is like trusting guard rails to keep your car on the road

              thanks for the info – it reinforces my decision to keep ‘security.cert_pinning.enforcement_level’ at ‘1’, at least for now

  2. @Pants; @12Bytes

    Exactly. The problem was with pref “security.cert_pinning.enforcement_level” having a value of ‘2’ (strict). I solved it by changing the value to ‘1’ in “user-overrides.js” by 12bytes.org.

    When I read these comments and thought about it, I decided to follow it up in good faith.

    Uninstalled Adguard ad blocker from the system. I had a lifetime license to use it on two PCs and three smartphones/tabs. Frankly speaking, I uninstalled it reluctantly. It was my money sitting in the system tray and the browser doing its thing. Then I disabled these components in Kaspersky:

    1) Mozilla Firefox and Thunderbird
    Scan secure traffic in Mozilla applications
    If secure traffic scan is enabled, access to websites via the HTTPS protocol may be blocked. (This setting is buried inside somewhere. If you disable only 2-5 below, it doesn’t help as far as Firefox is concerned).

    2) Safe Money
    Protects your data on websites of banks and payment systems.

    3) Traffic processing
    Inject script into web traffic to interact with web pages.

    4) Private Browsing
    Protects against collection of information about your activities on websites.

    5) Anti-Banner
    Blocks banners on websites and in some applications.

    Went back to “user-overrides.js” by 12bytes.org and deleted the added line: user_pref("security.cert_pinning.enforcement_level", 1); // 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict. And updated the user.js by using updater.bat and prefsCleaner.bat.

    Firefox is blazing fast without issues (barring Invalid request. Err 2034C). The UI of uMatrix is different now. It doesn’t display any Adguard or Kaspersky elements. Using uMatrix and uBlock Origin is pleasant and straight forward. Web sites load faster and cleaner.

    Now, is there a solution for this: Invalid request. Err 2034C. It happens when I try to login to a site using my Google id.

    Thank you guys for your invaluable help.

    1. Went back to “user-overrides.js” by 12bytes.org and deleted the added line: user_pref("security.cert_pinning.enforcement_level", 1);

      that’s a mistake, and maybe i need to make it clearer in the ‘dummy’ guide; you never edit any existing prefs in prefs.js, user.js or user-overrides.js (assuming you’re using mine) – any pref you want to change you need to copy to the appropriate section of user-overrides.js (near the bottom) where you can then change its value

      or if you just want to test something, you can change the value using about:config without editing any files but of course it will be changed back upon restart (which is what you experienced earlier because user.js had a different value)

      in this case you’re ok because you deleted a pref in user-overrides that exists in user.js and so Firefox reset the value to ‘2’ upon restart as you probably expected it would, but if you make a habit of messing with the default prefs in any of the aforementioned files, you’ll make updating them far more difficult

      as for your new error, had you poked around on the web you might have come across a potential clue: CSRF – and if you search the user.js (the arkenfox one) for ‘csrf’ you might find more clues

      are you spoofing the http referrer? perhaps with an add-on? or did you change that pref?

      there’s several things you can do to troubleshoot – one is to spin up a new, default FF profile (about:profiles) and connect to the site you have trouble with – if you can then connect, this will tell you there’s an issue in your other profile and so the hunt is on – to solve these issues yourself, see this.

      this can be frustrating at first, but once you get the kinks worked out things will go much smoother

      let me know how you made out

      1. Went back to “user-overrides.js” by 12bytes.org and deleted the added line: user_pref("security.cert_pinning.enforcement_level", 1);

        that’s a mistake, and maybe i need to make it clearer in the ‘dummy’ guide; you never edit any existing prefs in prefs.js, user.js or user-overrides.js (assuming you’re using mine) – any pref you want to change you need to copy to the appropriate section of user-overrides.js (near the bottom) where you can then change its value

        But it was not a line that existed in your user-.js, no? I added it as a solution to the ‘2’(strict) problem I had because of the AV. And I deleted it as it deemed fit to my uninformed thinking. Please clarify.

        I’ll follow up the other hints and post. Regards.

        1. i think i confused you because i’m not explaining things clearly – let’s see if this helps…

          you should NEVER edit/delete/comment out any of the existing prefs in prefs.js OR user.js IF you are using the ‘arkenfox’ user.js

          you should NEVER edit/delete/comment out any of the existing prefs in user-overrides.js IF you are using mine with the following exception: if you need to change anything in the ‘arkenfox’ user.js, or my user-overrides.js, you should COPY the entire line you want to change to the USER CUSTOMIZATION section near the end of my user-overrides.js where you can then change the preference value

          if you are NOT using my user-overrides, but you still have one, then you can edit it all you want

          if you are using the ‘arkenfox’ user.js, then, unless you do not want to change anything in it, you should be using a user-overrides.js (mine or otherwise) along with their updater.sh/updater.bat script

          does that clear things up? :)

          1. perhaps i should also add to that that having multiple instances of the same preference in any of the config files does not present any problem – Firefox reads the config files from the top down (prefs.js, then user.js), so if there’s duplicate prefs, the value for the last one will be applied

            user.js (or user-overrides.js):

            user_pref("this", true);
            user_pref("this", true);
            user_pref("this", false);

            Firefox:
            this=false
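The last-one-wins behaviour described in the comment above, together with the cert pinning override discussed earlier in this thread, can be checked offline before restarting Firefox. This Python script is an added example, not code from the blog author or the arkenfox project; the two sample files are constructed, and it assumes the overrides are appended after user.js so that they are read last.

```python
import re

# Constructed sample files (not the real arkenfox user.js or the author's overrides).
USER_JS = r'''
/* 0801: disable location bar using search ***/
user_pref("keyword.enabled", false);
/* certificate pinning: 0=disabled 1=allow user MiTM, 2=strict ***/
user_pref("security.cert_pinning.enforcement_level", 2);
// user_pref("network.http.referer.XOriginPolicy", 2);
'''

USER_OVERRIDES_JS = r'''
user_pref("security.cert_pinning.enforcement_level", 1); // allow AV interception
user_pref("this", true);
user_pref("this", true);
user_pref("this", false);
'''

# Meaning of each level, as given in the comment thread above.
PINNING_LEVELS = {0: "disabled", 1: "allow user MiTM (such as your antivirus)", 2: "strict"}

# A string literal, a // comment or a /* */ comment, whichever starts first.
# Matching strings too keeps values such as "*/*" from being read as comments.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*("(?:\\.|[^"\\])*"|true|false|-?\d+)\s*\)\s*;')


def strip_comments(text):
    """Drop comments but keep string literals and the original line numbering."""
    def repl(match):
        token = match.group(0)
        return token if token.startswith('"') else "\n" * token.count("\n")
    return TOKEN_RE.sub(repl, text)


def parse_value(raw):
    """Convert a pref literal to a Python bool, str or int."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw[1:-1]
    return int(raw)


def pref_history(text):
    """Return {name: [(line_no, value), ...]} for every active user_pref, in file order."""
    clean = strip_comments(text)
    history = {}
    for m in PREF_RE.finditer(clean):
        line_no = clean.count("\n", 0, m.start()) + 1
        history.setdefault(m.group(1), []).append((line_no, parse_value(m.group(2))))
    return history


def effective_prefs(history):
    """The last assignment of each pref is the one that applies."""
    return {name: entries[-1][1] for name, entries in history.items()}


def shadowed(history):
    """Names whose earlier value differs from the value that finally applies."""
    return sorted(name for name, entries in history.items()
                  if any(value != entries[-1][1] for _, value in entries[:-1]))


def pinning_report(effective):
    """Describe the effective certificate pinning level, if the files set one."""
    name = "security.cert_pinning.enforcement_level"
    if name not in effective:
        return "not set in these files"
    level = effective[name]
    return f"{level}: {PINNING_LEVELS.get(level, 'unknown value')}"


def audit(user_js, overrides_js):
    """Merge both files in read order and report what actually applies."""
    # Assumption: overrides come after user.js, so they are read last.
    history = pref_history(user_js + "\n" + overrides_js)
    effective = effective_prefs(history)
    return effective, shadowed(history), pinning_report(effective)


if __name__ == "__main__":
    effective, changed, pinning = audit(USER_JS, USER_OVERRIDES_JS)
    for name, value in sorted(effective.items()):
        print(f"{name} = {value!r}")
    print("changed by a later line:", ", ".join(changed))
    print("cert pinning ->", pinning)
```

Running it on a real profile only needs the two constants replaced with the contents of the files; a pinning level below 2 in the output means TLS interception by locally installed software is being tolerated.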

              1. don’t know what to say about that – seems it’s usually attributed to google, though possibly not always

                i would create a new, empty profile for testing and then copy into it everything from your privacy profile EXCEPT prefs.js and user.js – if you still have the problem, then it may be an add-on – if you don’t, then it’s likely something in user.js in which case i’d then copy that to the testing profile and do this

          2. “if you are using the ‘arkenfox’ user.js, then, unless you do not want to change anything in it, you should be using a user-overrides.js (mine or otherwise) along with their updater.sh/updater.bat script”.

            Very clear. No doubts about it now. Thank you.

  3. Does anyone get this error when running the updater.sh?

    ./updater.sh: line 7: syntax error near unexpected token `newline’
    ./updater.sh: line 7: `’

    … and does anyone know what to do about this?

    I have tried running dos2unix on the file, after of course having made it executable, but this doesn’t make the error disappear. Thank you for any help!

  4. I am enjoying your write ups on achieving privacy and setting reasonable standards and expectations when browsing the web.

    I’ve applied the arkenfox user.js and your overrides successfully but am missing one feature: the search from URL bar. I know you recommend using the dedicated search bar, but my muscle memory always has me attempting to use the url bar first.

    I’ve tried setting the appropriate flags in your user-overrides and reapplying, but to no avail. What are the proper flags I should be resetting?

    Thanks very much.

    1. i suggest retraining your muscle memory :)

      honestly i’m not entirely sure what the repercussions of using the address bar to search are any longer, but i know this was a major privacy and security risk in the past – i should probably refresh my knowledge on this because i’m not certain it’s still an issue, though it probably depends on some Firefox preferences regarding searching – if anything you type gets sent over the net, then it’s certainly still an issue

      that said, if you still don’t want to use the search bar, then in your user-overrides.js…

      user_pref("browser.urlbar.oneOffSearches", true);
      user_pref("browser.search.widget.inNavBar", false);

      there’s a couple other ‘search’ prefs in user-overrides you might want to look at – in your code editor, Ctrl+F and search for: search

      don’t forget to run the updater script when you’re done

  5. Hello. I’m probably too big of a dummy (read: noob) but how do I make Firefox stop asking me if I want to save login credentials every time I log in on a website?
    Thank you for your time.

    1. I know it can be disabled in the preferences tab but it gets overwritten every time I close the browser and I can’t seem to find what and where I need to make modifications.

      Also while I’m at it, is there any way to avoid making the search box to prompt that annoying green ‘+’ when there’s an available search engine?

      I hope my english is not that bad.

        1. CustomCSSforFx was updated today and i happened to come across the style you’re looking for to hide the Glass + thingy in the search bar…

          /* remove search indicators '+' sign */
          .searchbar-search-button[addengines=true]::after,
          .searchbar-search-button[addengines=true] > .searchbar-search-icon-overlay {
            visibility: hidden !important;
          }

          stick that in /chrome/userChrome.css in your Firefox profile (create the folder and file if necessary) and make sure ‘toolkit.legacyUserProfileCustomizations.stylesheets’ is ‘true’ in about:config

          1. Thank you, worked like a charm. I have another dumdum question: after a lot of trial and error, I had to set network.http.referer.XOriginPolicy to 0 because I was having issues on a site I use everyday. I see there’s a network.http.referer.XOriginTrimmingPolicy too. On the ghack user.js it is left at the default value but now that I have the other entry set at 0 too, should I change it or it’s pointless/redundant?
            Sorry if I don’t make sense and thank you again for your time.

            1. if you’re using uMatrix, you can set network.http.referer.XOriginPolicy = 0 and enable ‘Spoof Referrer header’ in uM in the global scope (can also do this by adding referrer-spoof: * true in ‘My Rules’ tab), then you can toggle the setting per-domain with uM (the 3 dots button)

  6. Is it possible to have a master firefox profile on one computer, update and manage that on one computer only and then copy and paste the profile on several other computers rather than running all the scripts etc on each computer? I don’t really want to use the firefox sync accounts method and would rather just do my own copy and paste. Wondered whether there were any problems built into the firefox file system that would stop you copying one profile onto another?

    1. i’m 99% sure it’s possible to copy a profile to another computer, however i don’t know whether they can be synchronized regarding things like add-on settings and i’m pretty sure user.js can’t – i think you’d have to roll your own solution for that

      the only 2 files i know of that you probably don’t want to transfer are .parentlock and times.json – also make sure Firefox is not running if you copy a profile manually

  7. Great article, thank you for sharing your knowledge.

    Ok so one has to use Firefox, I assume this is because of the highly customized user.js file and your personal user-overrides.js customization. Because all of the extensions listed in your guide can be installed in Waterfox as well.

    Would one be significantly better off using Firefox with the customized user.js with all of the extensions mentioned installed, compared to using Waterfox as is with the extensions mentioned installed in Waterfox? If so, why? Just because of the customized user.js?

    1. the recommendation to use only Firefox is, in part, due to the ‘arkenfox’ user.js which is specifically tailored to the current version of Mozilla Firefox – i have no idea what issues may arise if it were used in conjunction with any other version/fork of Firefox

      if you haven’t already discovered through articles here, i am not a huge fan of Mozilla, however it is my opinion that Mozilla’s Firefox is the best suited, capable, mainstream browser for privacy hardening

      i totally get the desire to switch to a fork that may be more privacy-centric out of the box, however in my, and others’ opinions, there is little or nothing that can be achieved with any of them that cannot be achieved with vanilla Firefox

      there are other reasons as well to use only Mozilla’s version (security patches being one of them)

      i would love to see more competition in the privacy enhanced browser market, but it’s just not there at the moment i don’t think (this includes WF, Brave, etc.)

      1. Funny, uBlock prevents me from leaving a reply I had to disable it for this site to leave my reply.

        In saying that ‘arkenfox’ user.js file is tailored specifically to the current release of Firefox, can you please advise on Firefox upgrade strategies?

        Also, I have installed most of the addons and followed your recommended configurations for each. I am still to implement ‘arkenfox’ user.js file and run the scripts, I am currently doing a config in Waterfox, the reason I have not implemented user.js or run the scripts. However after installing uBlock YouTube no longer works, is that because of JavaScript? I am running YouTube inside a container to separate it out from any other website data, cookies, etc. Would it still be unwise to allow JavaScript? I know Google is the enemy and all but I do a lot of research on YouTube as well.

        1. i would suggest you read thoroughly the uBlock wiki or you’re going to have a lot of problems :)

          far as upgrading Firefox, just stay with the current release of both Firefox and the ‘arkenfox’ user.js – i usually check for a user.js update when Firefox updates

          you say you’re running YouTube in a container – how so? if you’re using the Temporary Containers add-on, or any other container add-on, or the built-in Firefox containers, they aren’t necessary as long as you have FPI (first party isolation) enabled in Firefox (privacy.firstparty.isolate) which does essentially what containers do, less the hassle (it works completely transparently)

          for YouTube, yes, you need to allow scripts to run – allowing scripts for most any mainstream site often presents a risk to privacy, but if you want to use them you have no choice – scripts must be allowed for many sites to work

          you can however use something like Privacy Redirect which can access YouTube videos via a sort of proxy – it also covers Twitter and Instagram

          and of course for searching with Google, you can use DuckDuckGo, Startpage, etc.

          seriously though, make SURE to read the uBO wiki and learn how to use it well to avoid many headaches

          i’m guessing you’re new to all this, so my next piece of advice is to take it slowly – don’t go overboard and try to lock down every little thing at once

          also, you can use a valid mail address if you want to be notified of comment replies – i do not send any unsolicited mail here

          1. Yes I use Temporary Containers for opening new links or just a new tab, but I also use Multi-Account Containers, https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?src=search, which gives you more control over Containers. I do it because Containers separate/isolate things. Cookies, Logins, etc, created in Container A cannot be seen/accessed in Container B. Therefore if you do enable JavaScript for example on your YouTube Container, or even a temporary container you opened to check out a new link, then that JavaScript, or any other data/metric that may be collected and sent back, can only go as far as the container. Isn’t that more than what FPI does?

            I do search with DuckDuckGo (I have read and am busy digesting your search engine cautions and recommendations). I have a question regarding this if it is ok. If you do a search with DDG then it takes a while to get redirected to the non-JavaScript, https://duckduckgo.com/html/, webpage. I have tried to edit the default search page by editing “search.json.mozlz4” with the mozlz4-edit addon, changing

            "__searchForm": "https://duckduckgo.com/?q={searchTerms}"

            to

            "__searchForm": "https://duckduckgo.com/html?q={searchTerms}"

            and

            "template": "https://duckduckgo.com/html"

            But that does not seem to do the trick. I thought I would be able to change it here to make the DDG/html page my default search option. Can it not be done or am I missing something?

            I am new to hardening Firefox yes, but not new to IT or things technical. I just heeded your advice and decided to start with the “for dummies” guide to first familiarize myself with the new information and tools.

            1. containers offer little more than FPI – FPI isolates all the things you mentioned (cookies, JS, logins) as well as indexedDB storage, DOM storage, cache, shared workers and more, so i personally see containers as an added hassle rather than a benefit since FPI works transparently, however containers will allow you to log on to multiple accounts simultaneously – you can read more here

              there are (or were) 1 or 2 things that containers handled that FPI doesn’t/didn’t and i don’t recall what that was or if that’s still true

              i’ll also be dropping (hopefully) Canvas Blocker from the list in the advanced guide shortly since the built-in canvas protections in Firefox cover almost all of the relevant stuff that CB does (i stopped using it myself)

              i’ll get back to you on implementing the non-JS version of DDG

            2. actually, rather than posting the code to add DDG no-JS version to search.json.mozlz4, all you have to do is add it from the search bar – then you can edit search.json.mozlz4 with the mozlz4-edit add-on if you want

              i think the mistake you made is the template URL “https://duckduckgo.com/html” i believe you missed the trailing slash: “https://duckduckgo.com/html/”

  8. After following your dummy guide through from start to finish on a default profile I have something odd. When I open a new tab to search something there is, let’s call it, greyed out text that says “Search with DuckDuckGo or enter address”, which is exactly what I expected to see. But when I type something in instead of searching for my “word” it immediately changes it to a URL “http://test/”. Looking at the preference settings in about:preferences it looks good. If I compare it with a working profile the settings are identical. Is this a setting in either the ghack user.js or your user-overrides.js preferences?

    Everything else seems to be working exactly as it should, again thank you very much for your very comprehensive guides. They are awesome.

      1. I am not sure I understand your question properly.

        I open a new tab, at which time there is no address or anything in the address bar. What is in the address bar is a magnifying glass on the left and next to that it says “Search with DuckDuckGo or enter address”. If I proceed and type “test” in to search DDG for “test” and I hit enter it doesn’t perform a search, instead it goes to http://test/.

        1. are you using the default new tab page provided by Firefox or by an add-on? if the former, i don’t know the answer – if the latter, what add-on are you using?

          1. No I do not use a new tab add-on. Ok I guess I will try with another new profile and if that gives the same result well then I can only try on a completely different installation, either on the same machine or in a VM. I switched my search engine to Google to test but that does not work either. I can choose the option in about:preferences “Add search bar in toolbar” then it searches correct, but I do not like it like that.

            1. I created a new profile in Firefox (I also reinstalled Firefox to check everything) and when I start typing a word into the address bar, like “test” it is searched on DDG.

              I then copied updater.bat, prefsCleaner.bat, user-overrides.js to the new profile directory and executed updater.bat. After it completed successfully I open Firefox and when I type “test” into the address bar it wants to go to http://test/ instead of searching test on DDG. So this problem must be something that is set in either ghack’s user.js or user-overrides.js.

              This is with Firefox 76.0.1.

              1. I must still check the history of ghack’s user.js but I found the ‘problem’,

                /* 0801: disable location bar using search
                * Don't leak URL typos to a search engine, give an error message instead.
                * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
                * [NOTE] Search buttons in the dropdown work, but hitting 'enter' in the location bar will fail
                * [TIP] You can add keywords to search engines in options (e.g. 'd' for DuckDuckGo) and
                * the dropdown will now auto-select it and you can then hit 'enter' and it will work
                * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search
                * engine that respects privacy, then you probably don't need this ***/
                user_pref("keyword.enabled", false);

                If you set that to true you can once again search directly from the address bar.

                1. You also have a preference set in user-overrides.js, line 287,

                  user_pref("browser.urlbar.oneOffSearches", false); // [SET] whether to allow searching from the address bar

                  The description of the preference is wrong however. That preference does not control whether searching from the address bar is allowed or not. What this preference allows you to do, is click on an icon of another installed search engine to use it for that search. But only that search. Your default search engine is not changed.

                  https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/

                  The correct preference to use is the one from above, “user_pref("keyword.enabled", false);”. Line 461 of ghack’s user.js. This preference controls whether searching from the address bar is allowed or not.

                  1. actually both prefs control searching from the address bar – browser.urlbar.oneOffSearches will display the search icons and allow searching from the address bar even with keyword.enabled disabled

                    but you’re right about my description – it was not entirely accurate – i changed it to ‘[SET] whether to display search engine icons when searching from the address bar’

                    thanks for pointing that out

                    sorry for the trouble- had i known you were using the address bar i would have mentioned the keyword.enabled pref

                  2. actually, scratch that – i just moved browser.urlbar.oneOffSearches to the depreciated section of user-overrides – there’s no reason i know of to disallow searching from the address bar AS LONG AS keyword.enabled is disabled – might be until FF v77 hits that i’ll upload a new user-overrides

                2. ah, i neglected to ask whether you were searching from the search bar or address bar – address bar searching is disabled in ‘arkenfox’ user.js for privacy reasons – at one point Moz partnered with what appears to be a shady company (Cliqz or something like that) and everything people typed in the address bar was being sent to them – i believe there are still privacy concerns with that, thus why it’s still disabled

  9. My FF has now been hardened according to this dummies guide for 3 days. During these days I have used my browser extensively and I salute you. Your advice is really awesome and I enjoy learning from you. Your articles are great and easy to understand.

    So far things have been running really smooth. I have had ‘problems’ here and there but it has mainly been down to JavaScript. I believe I can increase my control over this more with uMatrix, then you don’t necessarily have to enable JavaScript as a whole. I still need to look into that.

    The one thing that I would like your input on is why it takes so long for a YouTube video to ‘load’ on a browser that has been hardened and that has 540 tabs open. By ‘load’ I mean if I paste the YouTube video URL into the address bar and I start timing when I hit enter until the window becomes responsive again. I am not here to bash you that you have slowed my browser, I am just trying to understand how the hardening is affecting load times of a YouTube video in a browser with lots of tabs.

    To put what I say into perspective, I created 2 additional profiles. The one profile I left default and into the second profile I copied the contents of my browser profile (minus parent.lock and times.json). After opening the second browser I closed all but the tab I was on, so now both the new default and hardened profile browsers only had a single tab and I had my hardened profile with 540 tabs.

    I then copied the URL of the YT video into the clipboard and pasted it into a new tab in each browser (not all at the same time) and started timing as soon as I hit enter.

    privacy (540 tabs) : 25
    privacy (1 tab) : 9
    default (1 tab) : 5

    I closed my browser and started it fresh before opening the 2 additional profiles and performing the test. So none of the other tabs loaded.

    I am interested in why it takes 14 seconds longer for the video to load on a hardened profile with 540 tabs. Why would the additional tabs influence load time?

    1. you’ll get more control over resources with uMatrix, but then you’ll want to disable advanced mode for uBlock (if you have it enabled) and use it more or less as an ad blocker – in this mode uBO becomes pretty much transparent, requiring no fiddling from you

      ThemTube (aka “You”Tube … censorship, right?) is owned by Google who markets Google Chrome – as such, YT is purposely designed to load slower with Firefox because they are using an obsolete API (Polymer) – this is one reason why YT vids load slower on FF, however i wasn’t even aware that a privacy profile would also slow it down – uBO has a logger that you might use to troubleshoot, or you can use the built-in FF developer tools

      to speed-up loading you can disable Polymer by adding disable_polymer=true to YT URLs – you can automate that with an extension like Redirector

      1. You are the dude!

        I knew about the Polymers, I read about them in your “Firefox Tweaks and Fixes and Styles and Things” article. This is what I am doing next. But I quickly skipped ahead and disabled Polymers. What a difference! There isn’t even a difference in load time now comparing the 540 and 1 tab hardened profiles. They both come in at 7. It looks so much better as well.

  10. After customizing Firefox preferences with user.js and user-overrides.js I find that if I change a preference either through the UI or in about:config that if I close Firefox and open it again the changes that I made are lost and they are reverted back to what was set in user.js and user-overrides.js. Are changes that you make like that not supposed to be kept?

    1. changes made within the FF UI/about:config are written to prefs.js – user-overrides is copied to user.js with the bat/sh script – when FF starts, it reads user.js and overrides any duplicate prefs in prefs.js, so any changes you make to prefs in the UI which are duplicated in user.js (which includes user-overrides) will be overwritten/lost on re-start

      since i strongly advise against making changes to the ‘arkenfox’ user.js, what you can do instead is copy the pref(s) you want to change to the overrides file and change them there

      if you’re having a problem, let me know

      1. I was just thinking after I started using the Aris-t2 CustomCSSForFx if I quickly wanted to see my interface the way it looks without the custom CSS I could just set the toolkit.legacyUserProfileCustomizations.stylesheets preference to false and restart the browser. Instead of commenting out the import of the library in the userChrome.css and userChrome.css files. Which I think is the same thing, but changing the preference is easier/quicker. However that does not work as per the above.

        1. It just slipped my mind that Firefox reads the user.js file each time it starts.

          I have to say the UI looks fantastic using the CustomCSSForFx library. It is such a cool experience to remember what the browser UI can look like, and should look like, if you don’t have really !smart people working on it.

          On that, would you perhaps know or should I rather be asking the CustomCSSForFx developer. On the default interface if I have a tab in a container, I now use containers exclusively for separating work streams (I really like that I can (un)hide containers from the UI) and different logins to the same services, and the tab is coloured Red all the tabs that belong to that container group will have a Red line underneath the tab title. But when using CustomCSSForFx the Red line is only displayed on the tab when the tab is active. I am not sure if this behaviour can be changed in my userChrome.css. If it can would you perhaps know what to import?
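The start-up precedence described in the reply to comment 10 above (user.js is read at every start and overrides duplicate prefs in prefs.js), as an added example that is not part of the original comments or of the arkenfox project: a Python audit listing which about:config changes will be reverted on restart. The sample file contents are constructed and the function names are hypothetical.

```python
import re

# A double-quoted string, a /* block */ comment, or a // line comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
# user_pref("name", <string | true | false | integer>);
_PREF = re.compile(
    r'user_pref\(\s*"((?:\\.|[^"\\])*)"\s*,\s*'
    r'("(?:\\.|[^"\\])*"|true|false|-?\d+)\s*\)\s*;')

def strip_comments(text):
    """Drop comments but keep strings, which may contain '//' (URLs)."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def parse_prefs(text):
    """Return {name: raw value}; a later duplicate replaces an earlier one,
    which is why overrides appended to the end of user.js take effect."""
    return dict(_PREF.findall(strip_comments(text)))

def audit(prefs_js, user_js):
    """Compare session state (prefs.js) with what user.js enforces at start-up."""
    session, enforced = parse_prefs(prefs_js), parse_prefs(user_js)
    reverted = {n: (v, enforced[n]) for n, v in session.items()
                if n in enforced and enforced[n] != v}
    kept = sorted(n for n in session if n not in enforced)
    return reverted, kept

# Constructed sample: a user.js with an override appended at the end.
USER_JS = '''
/* constructed sample, not the real arkenfox file */
user_pref("keyword.enabled", false);
user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", false);
// user_pref("browser.urlbar.oneOffSearches", false);
/*** appended from user-overrides.js ***/
user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // custom CSS on
'''

# Constructed sample: prefs.js after the stylesheets pref was toggled in about:config.
PREFS_JS = '''
user_pref("keyword.enabled", false);
user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", false);
user_pref("browser.urlbar.oneOffSearches", true);
'''

if __name__ == "__main__":
    reverted, kept = audit(PREFS_JS, USER_JS)
    for name, (now, after) in reverted.items():
        print(f"reverted on restart: {name}: {now} -> {after}")
    for name in kept:
        print(f"kept: {name}")
```

A pref reported as reverted has to be changed in user-overrides.js to survive a restart; a pref reported as kept is not set by user.js, so the value in prefs.js persists.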

  11. I have to re-do all the process in my Fox again, so two questions:
    1. Is there a way to save all those privacy-hardening tweaks and data and load it in the default Firefox?
    2. How do I check that all this is working well, that is, that it’s doing its job?
    Thanks!

      1. I’ve just reinstalled my entire operating system (Pop_OS! and soon moving to Manjaro). Yeah I’m not very tech-savvy, I’m barely taking my first steps on GNU/Linux and tinkering on it.

        1. i use and like Manjaro

          regarding your FF profile, just restore your old profile after installing the OS

          i would install FF and run it to create the profile directory, exit, then delete everything in the new profile folder and copy everything from the old profile to the new – i think that should work and nothing lost if it doesn’t

  12. You make a point that searching from the url bar is not recommended but what about right clicking a word and select, for example, ‘ Search Startpage.com for “word” ‘? Is it still bad for privacy?

  13. I use FF esr (now it is 78.3.1).
    Which version of user.js should i use?
    When updating user.js i run command “updater.bat -esr”. But user.js now has a version “82-alpha”.

    1. you should use the one that corresponds to your version of Firefox – so for Firefox 81.x for example, you want version 81 of the user.js

      that said, you can use (and i have used) newer versions of user.js

      1. It turns out that the correct way for version 78.3.1esr is to work with the 78 user.js and not update it? I mean do not run “updater.bat -esr” because it will automatically update user.js to the latest version.

        1. yes – it’s always been my understanding that the user.js version is intended to be used with the same major version of Firefox

          because the user.js is constantly evolving beyond just implementing changes brought with new versions of Firefox, i might suggest re-evaluating whether you want to run an ESR

          as for stability, the release version of Firefox is usually very stable – there may be some (usually minor) bugs, but these get patched quickly
