The Firefox Privacy Guide For Dummies!


See the revision history at the end (if you make it that far).

NOTICE: This is an early release that i am publishing in order to get some feedback. If you are interested in following this guide, you may want to wait until it is more solidified.

You’re aware that companies like Facebook, Google, YouTube and even your ISP are spying on you, even if you may not be aware of how they’re doing it. You’re concerned about this invasion of privacy, but just aren’t sure what you can do about it.

Welcome to the ‘for dummies’ edition of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs. Some of us aren’t basement dwelling tech geeks, or maybe we just don’t have the desire to fiddle around with gobs of obscure web browser settings. It is especially for you that The Firefox Privacy Guide For Dummies! was created.

The goal here is to provide a simple guide (to the extent that’s possible) which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little more effort into your surfing activities, at least until the jello gels. The pay-off will be a faster, cleaner web that is less able to track and profile you. Note i said “less”, not “not”.

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it’s the best way to stay informed.

Catching the Fox

This guide isn’t going to work spectacularly for any web browser other than Firefox and it’s the standard release version you want, so if you don’t have it, get it. Since it’s privacy we’re interested in, we’re too smart to be goofing around with Gaagle Chrome or Micro$haft Edge, though if you have an inferior alternative browser installed you could keep it as a backup, if you must.

Profiling the Fox

Once Firefox is installed, run it. After the little bugger calms down, enter about:profiles in the address bar (you can call it the “location” bar or the “awesome” bar – i call it the “address bar”), then press your ‘Enter’ key to load that address. This is where Firefox keeps a list of all your profiles. Profiles are where most of your settings, bookmarks and lots more junk is stored.

Firefox Profile Manager

You can have as many profiles as you want, but by default there will be just one named ‘default’. We need more, so click the ‘Create a New Profile’ button and name the first new profile ‘privacy’. Repeat that process, but name the second one ‘__testing__’ (include the underscores to make it stand out better). You can change the names later, but leave them be for now.

Firefox will now annoy you (and let it keep annoying you for the duration of our time together) by asking which profile you want to load every time you start it and you should choose your new ‘privacy’ profile.

Pro Tip

There are many ‘about:’ pages in Firefox, but not all are accessible from the various menus. To see some of those that aren’t, enter about:about in the address bar, but be careful what you do in there! You can bookmark those which you use often if you like.

Training the Fox

Firefox Profile Manager 2

If you’ve started Firefox with your new ‘privacy’ profile, you’ve already done a bad thing. It’s OK, we’re still on (reasonably) good terms, but don’t test me like that again. Now we have to fix the mess you made, so restart Firefox and when you see the window used to choose which profile you want to load, delete your privacy profile and all the files in it when you are prompted. We need a clean, empty profile to work with. Lastly, recreate your ‘privacy’ profile.

Pro Tip

If you don’t want Firefox whining about which profile to load every time it starts, you can select your preferred profile and check the ‘Don’t ask at startup’ option, but don’t do that yet either! Another way is to create a shortcut to load any profile you want.

For more about profiles, see Use the Profile Manager to create and remove Firefox profiles and Multiple Firefox profiles.

For more about penguins being tickled, go here.


If you’re running Windows you will need to unhide file extensions, and i suggest you keep them unhidden.

Start Firefox and load your ‘default’ profile, then go to the ghacks-user.js GitHub repository. We need the prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: Click on the file names in the repository, then click the ‘Raw’ button, then press Ctrl+S to save the files to your desktop. Failing to save them this way may cause problems later.

Now if you’re one of those smart-asses who knows something about something, you may already know we’re going to need that user.js file, but don’t get ahead of me sugar-cakes!

Next, go to the labwrat/Firefox-user.js GitLab repository and download the user-overrides.js file to your desktop by clicking the file name:

GitLab - DL file 1 of 2

… then the little cloud-looking icon:

GitLab - DL file 2 of 2

What the hell are these 'user-whatever' files anyway?

It’s where we’re going to store a truck load of browser settings. Just know you aren’t cool if you don’t have one.


Now you’ll need a decent code editor with syntax highlighting. If you’re running Wintendo (that’s my derogatory name for “Windows”), PSPad is nice, simple and free. If you’re running Linux you’ve already got something installed. Poke around.

What you need to do now is open that user-overrides.js file in your code editor and read the comments in it carefully. Very! Carefully! Every single little thing you could ever possibly need to know about your new user-overrides.js file is in there (except whatever i forgot to put in there).

Now that you’ve sifted through that convoluted mess (go you!), open Firefox’s about:profiles page again to discover where it hides your profiles. Note that user profiles and web cache are stored in separate folders, which is why you may see more than one directory path for each profile. In the row labeled ‘Root Directory’ under your ‘privacy’ profile, click the ‘Open Directory’ button. If all you see in there is a file named times.json (and maybe a couple of other ‘dot’ files), you’re probably in the right neighborhood. Just for giggles, double check to make sure Firefox is using the ‘default’ profile and that the folder you opened in your file browser is your ‘privacy’ profile.

You may have noticed that the folder containing your ‘privacy’ profile actually has a longer name with a bunch of gobbledygook in front of ‘profile’. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper (he did that for a reason by the way).

Now grab those files from your desktop you downloaded earlier and stick ’em in your ‘privacy’ profile folder. You should have something that looks sorta like this:

/firefox/gobbledygook.privacy/
...prefsCleaner.bat
...times.json
...updater.bat
...user-overrides.js

The ‘.bat’ files will of course have a ‘.sh’ extension if you’re running Linux.

Now don’t start Firefox with your ‘privacy’ profile anymore until i say it’s OK! OK?

Linux trivia!

Did you know that Linux is not an operating system? Linux is a core part of Linux-based operating systems known as the kernel. That said, i’m gonna continue to refer to Linux-based OSs as ‘Linux’ as though i never knew that which, actually… actually i knew that all along.


Now we need to run that updater script. How to do that depends on whether…

...you're using Linux

You will need to make those .sh files executable. You could try meditation or sacrificing a chicken, but it’d probably be quicker to just right-click on each of them to open the file properties dialog window and on the ‘Permissions’ tab, click the ‘Is executable’ (or similar) checkbox. If your file browser doesn’t have such an option, see How do I run .sh files?.

We need to run that updater.sh script from a terminal, so open one and change the directory to your ‘privacy’ profile directory. In the example below you’ll need to change ‘gobbledygook’ to match the correct name of your profile folder (and don’t include the ‘$’ sign):

$ cd ~/.mozilla/firefox/gobbledygook.privacy/

Let’s double check to make sure we’re in the right directory by using ‘ls’ to list the directory contents:

$ ls

The output should be…

prefsCleaner.sh times.json updater.sh user.js user-overrides.js

…and possibly those couple of ‘dot’ files.

If all looks good, run the updater.sh script by preceding the file name with a dot and a slash:

$ ./updater.sh


Or…

...or you're using Wintendo

To run that updater.bat script, hold down the Shift key and right-click in an empty space where the file is, then select “Open Command Window Here”. Enter the name of the script and hit Enter. If you have trouble, see How to Run a BAT File on Windows: 13 Steps (with Pictures).


The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you’ve followed the directions, the script will download a fresh copy of the ‘ghacks’ user.js file and then append the contents of your user-overrides.js to it.
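
An added example, not part of the original guide or of the ghacks project's scripts: because the overrides are appended to the end of user.js and Firefox applies that file from top to bottom, the last value set for a preference is the one that sticks. This Python script reads a merged user.js, lists the preferences that are set more than once, and checks that every setting in user-overrides.js is the one in effect. The sample preference lines are constructed for illustration and are not the contents of either real file, and the script name in the usage comment is hypothetical.

```python
import re

# One active pref line: user_pref("name", value);
# Anchored at line start, so "// user_pref(...)" lines never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)
BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)

# Constructed sample input (NOT the real ghacks user.js / user-overrides.js).
SAMPLE_BASE = '''\
/* constructed sample of a downloaded user.js */
user_pref("keyword.enabled", false);
user_pref("browser.search.suggest.enabled", false);
user_pref("privacy.resistFingerprinting", true);
// user_pref("javascript.enabled", false);
/* user_pref("network.prefetch-next", true); */
'''
SAMPLE_OVERRIDES = '''\
// constructed sample of a user-overrides.js
user_pref("privacy.resistFingerprinting", false);
user_pref("browser.startup.page", 3);
'''


def parse_prefs(text):
    """Return [(name, value), ...] for active user_pref() lines, in file order.

    Block comments are stripped first. Simplification: a string value that
    itself contains "/*" would be mistaken for the start of a comment.
    """
    return PREF_RE.findall(BLOCK_COMMENT_RE.sub("", text))


def effective_prefs(text):
    """Map each pref to its final value: the last assignment in the file wins."""
    prefs = {}
    for name, value in parse_prefs(text):
        prefs[name] = value
    return prefs


def reassigned(text):
    """Prefs set more than once with different values: {name: [values in order]}."""
    history = {}
    for name, value in parse_prefs(text):
        history.setdefault(name, []).append(value)
    return {n: v for n, v in history.items() if len(set(v)) > 1}


def unapplied_overrides(merged_text, overrides_text):
    """Names from the overrides file whose value is NOT in effect in merged_text."""
    merged = effective_prefs(merged_text)
    wanted = effective_prefs(overrides_text)
    return sorted(n for n, v in wanted.items() if merged.get(n) != v)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 check_userjs.py user.js user-overrides.js
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            merged = f.read()
        with open(sys.argv[2], encoding="utf-8") as f:
            overrides = f.read()
    else:
        # No files given: simulate the updater's append on the samples.
        merged, overrides = SAMPLE_BASE + SAMPLE_OVERRIDES, SAMPLE_OVERRIDES
    for name, values in sorted(reassigned(merged).items()):
        print(f"{name}: {' -> '.join(values)}")
    print("overrides not in effect:", unapplied_overrides(merged, overrides) or "none")
```

Any name it reports as not in effect means the append did not happen or something later in the file changed the value again.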

Fattening the Fox

We’re going to go to the Firefox Add-ons website and No. Where. Else. (except here) because we first need to install some (non-lubricated) protection. Start (or restart) Firefox and select your ‘privacy’ profile (yes, it’s OK now!), then come back here.

One at a time, middle click each of the links below to open their pages in a new tab, then read what their pages say and install them. Firefox will display some notices prior to installation and you can just click your way through to allow the install just like you click your way through all those ‘Terms of Service’ agreements you never read. Don’t make a habit of installing add-ons that way though or you’ll be sorry!!! If any of the links are dead, let me know and don’t install something you think is equivalent.

Once you have those installed, find the ‘Customize’ option in one of the Firefox menus or by right-clicking on a toolbar somewhere. Now you can drag the toolbar icons for your add-ons to different places if you wish, but keep them all visible with the exception of ‘CSS Exfil Protection’, ‘Decentraleyes’ and ‘Don’t touch my tabs!’ which you can drag to the overflow menu if you want to get them off your toolbar.

Neutering the Wild World Web (and the Fox)

We need to configure some of the add-ons we installed, but first a word to the wise: Unless you know what you’re doing (and you probably wouldn’t be reading this if you did), configure these add-ons as suggested. Consider yourself warned (yes, i still love you).

Clear URLs: Click the toolbar button and make sure the ‘Filter’ and ‘Badges’ options are enabled. The rest are optional.

To configure some of the other add-ons, open about:addons in a new tab or find the ‘Add-ons’ menu item in one of the menus.

Pro Tip

Remember the good ol’ days when every program had a menu toolbar with stuff like File and Edit and Help on it? Press your Alt key.


Decentraleyes: Click the ‘Options’ button and select the following options where [X] indicates the option is enabled:

[X] Display injection counts on icon
[_] Block requests for missing resources
[X] Disable link prefetching
[X] Strip metadata from allowed requests
Exclude domains from inspection (leave this empty)

Privacy-Oriented Origin Policy: Click the ‘Options’ button and configure it like so:

Set the ‘Global mode’ to ‘relaxed’.

In the ‘Exclusions’ section, enable ‘Exclude root domain matches’, then paste the following code in the big text box below that. It’ll come in handy if you ever switch POOP to its ‘aggressive’ mode:

www.youtube.com *.googlevideo.com
www.youtube-nocookie.com *.googlevideo.com
*.dailymotion.com *.dmcdn.net

In the ‘Other’ section, make sure ‘Spoof cross-origin Referer’ is enabled, and don’t blame me for the spelling. Long story.

uBlock Origin: This is a huge biggie! I know, supposed to be the ‘for dummies’ guide and you’re not a quantum field propulsion scientist, but you really have to learn how to use uBlock Origin (uBO)! The good news: It’s got a ‘dummy’ mode and it’s enabled by default.

uBlock open dashboard

Although there’s an ‘Options’ button for uBO in Firefox’s about:addons page, let’s ignore that and get accustomed to working with this powerful little doohickey from its toolbar icon (that little red shield thingy). Click that, then click the ‘dashboard’ icon.


Make sure the ‘Settings’ tab is selected at the top, then select the following options where [X] indicates the option is enabled:

[_] Hide placeholders of blocked elements
[X] Show the number of blocked requests on the icon
[_] Make use of context menu where appropriate
[_] Disable tooltips
[_] Color-blind friendly
[_] Enable cloud storage support
[_] I am an advanced user (required reading)

DO NOT select the ‘I am an advanced user’ option! Don’t look at it. Don’t think about it. Don’t think about looking at it! … at least not until you read all that ‘required reading’ stuff and understand fully what uBO is, does, how to configure it, and how easy it is to break the internet if you don’t know what you’re doing. Did i scare you? Totally intentional.

In the ‘Privacy’ section, enable the following options where [X] indicates the option is enabled:

[X] Disable pre-fetching
[X] Disable hyperlink auditing
[X] Prevent WebRTC from leaking local IP addresses
[X] Block CSP reports

In the ‘Default behavior’ section, enable the following options where [X] indicates… You know.

[_] Disable cosmetic filtering
[_] Block media elements larger than kB
[_] Block remote fonts
[X] Disable JavaScript

Now switch to the ‘Filter lists’ tab and enable only those listed below. Because this section is long, we won’t bother showing all the check boxes or listing all the disabled options. You may have to expand each section by clicking those little ‘+’ things to reveal all the options:

Why does he say 'WE' when 'I' am the one doing all the friggin' work?!

Plausible deniability. If i screw something up that causes your computer to implode, i can blame it on you.


Beginning at the top, WE want to enable the following:

Auto-update filter lists
Parse and enforce cosmetic filters
Ignore generic cosmetic filters

My filters

In the ‘Built-in’ section, enable all the filters with the exception of ‘uBlock filters – Experimental’.

In the ‘Ads’, ‘Privacy’ and ‘Malware domains’ sections, enable all the filters.

In the ‘Annoyances’ section, enable the following:

Adguard’s Annoyance List
Fanboy’s Cookie List

In the ‘Multipurpose’ section, enable these:

Dan Pollock’s hosts file
Peter Lowe’s Ad and tracking server list

Don’t worry about the ‘Regions, languages’ section unless you browse sites in those languages (which begs the question; how are you reading this?).

When you’re all done with that, open your ‘privacy’ profile folder again (use about:profiles if you forgot where it’s at) and select everything in it (Ctrl+A), then copy your selection (Ctrl+C). Now open your ‘testing’ profile folder and paste what you’ve copied in there. If you are warned about overwriting existing files, choose to not overwrite them.

Training the Foxineer

If you’ve used Firefox before, there’s going to be some changes. One of them is that you’ll be searching from the search bar (or a web page that isn’t Google, hopefully) instead of the address bar. The reason for this is a little creepy, suffice to say it’s a privacy/security thing. Live search suggestions are also disabled (also a creepy privacy/security thing), though the search bar will still suggest all kinds of other things, such as stuff from your history, bookmarks and previous porn search terms.

Now for the biggie: uBlock Origin. Remember the part at the beginning when you started reading this just a bit ago yesterday? Where i said we would be “breaking as few websites as possible”? ROFL! Since we disabled JavaScript globally in uBO, every other website you visit is going to be busted.

OK, there’s a few things you need to know about JavaScript: 1) it’s awesome-ish, 2) it sucks dead moose scrotum, 3) almost every website uses it (even this one).

JavaScript (JS) can be used to do all kinds of cool (and annoying) things like make web pages interactive, make dull things look un-dull, animate stuff, etc. It’s used a lot for making navigation menus work. It can also do really bad things. JS is leveraged heavily for tracking and profiling you, your web browser, your computer, fingerprints, blood type and worse, and thus it’s a big privacy and security thing. Now do you see why we disabled JS globally in uBO? Thing is, it’s very easy to enable again for those websites where you really need it to be enabled. “Need”, i said. Not “like” or “want”, but “need”.

uBO - enable JS

If you’re not already using your ‘privacy’ profile, restart Firefox and load it up, then middle-click this link. Click some of the colors on the color swatch and…… well that was boring. Now click the uBlock Origin button on your toolbar and in the lower right corner there’s an icon that looks like </>, except it has a red ‘X’ through it. That icon is secret code for [CENSORED]. Click it to remove the ‘X’ and you will have enabled JavaScript for that particular website and you’ll then see a new button appear with circle-ly arrows.

uBO - JS enabled

Clicking that button will refresh the page at www.w3schools.com and this time your browser will allow JS to run. The page will look very different now and when you click on the color swatch, awesome things will appear that will surely keep you busy for hours on end (like that damned triangle puzzle-peg thing in every Cracker Barrel).

The point of this barely interesting exercise was to demonstrate the power of JavaScript and show you how different it can make a page or entire website look, as well as how necessary it is in some, but not all cases. If you have your ‘privacy’ profile loaded, you may have been reading this nail-biting page-turner with JS disabled and never knew it. And frankly, everything would look pretty much the same if you had enabled it. Bland.

Now you’re going to take the JavaScript oath. DON’T LAUGH! This is important! Repeat after me:

EYE SHALL NOT ENABLE JAVASCRIPT FOR ANY WEBSITE UNLESS A) THE WEB DEVELOPER IS A CLOSE, PERSONAL AND ETHICAL FRIEND OF MINE WHOM I TRUST COMPLETELY (WITH MY GOOFY NEIGHBOR’S LIFE) AND B) IT MUST BE ENABLED IN ORDER TO PROVIDE REQUIRED FUNCTIONALITY THAT WOULD OTHERWISE NOT BE AVAILABLE (AND LOOKING AT BOOBS DON’T COUNT!).

Now it’s time for me to make another cup of nice hot coffee from some freshly ground beans, but you don’t get a break! While i’m java-sipping, you’re going to learn how to use uBlock Origin. You’re going to read this and this and, finally, this, but only up to the ‘Medium mode’ part.

What to do when the Fox bites

It’s inevitable that you’re going to have trouble with some websites. Keep calm. Breeeeathe! This is where having more than one profile comes into play, which is why we created a duplicate of your ‘privacy’ profile named ‘testing’. You’ve already gotten a taste of how a website can be rendered useless with JavaScript disabled and although i let you enable it for that site, i only did so because it’s a trustworthy place, more or less. The next website you visit may not be (you’re here aren’t you?).

So my advice is to use uBlock Origin to enable the functionality you need for websites which you trust. For anything else, like purchasing useless plastic widgets from the e-store, you should probably switch to your ‘testing’ profile and disable whatever protections you must to get the site to function. You could even create profiles for specific websites if you want. For websites you don’t trust, first of all, don’t disable any protections ever and, second of all, why are you visiting them?

If you end up relaxing the protection offered by the add-ons we installed and the website still doesn’t work, you can try disabling them from the about:addons page. If even that doesn’t fix the problem, then as a last resort you can spin-up a new and temporary Firefox profile from the about:profiles page and load it in a new window, but understand that you will now be at the mercy of a completely default Firefox configuration with all of our extra privacy protections removed. After you’re done doing what you need to do, you should delete that temporary profile including all of its contents. And while we’re on the subject, if you’re a first-time Firefox user, you can delete that ‘default’ profile we started out with. If you’re not a first-time user and you have important bookmarks you need to save, then you can transfer that stuff to your ‘privacy’ profile before deleting the ‘default’ one.

The point here is to not disable any protection globally for all websites when using your daily-driver ‘privacy’ profile. If you have to adjust something for a particular website that you trust, fine, but use your other profiles if you need to make extensive changes.

The Fox hole

Congratulations! You’ve cleared every hurdle i’ve placed in your path. Almost…

Even with everything we’ve done, you’re still vulnerable to being tracked and profiled, however you’re in a better position than you were. Except for one little problem…

answer inside...

Your Internet Service Provider! Did you forget already???


At the very least your ISP can tell what websites you visit, what files you download, when you’re surfing the web and when you’re not. They may even inject ads, malware and other junk in your data stream. The solution: Hijack your neighbor’s unprotected WiFi and… Kidding! Listen, you and i have gotten to know each other throughout this ordeal. We’re kinda buddies now. Kinda. And i can already tell your ethics are of a higher standard than mine that!

One solution to the problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?

A VPN works by encrypting the traffic between you and another computer which we’ll call an ‘exit node’. That exit node could be anywhere in the world. From there your traffic flows as normal to whatever website you want to visit (that has good kitty videos). That website then sends the kitty vid you clicked on back to the exit node thinking IT is YOU, but alas, it is NOT! Sucker! The video then secretly makes its way back to you through this secret tunnel which has been secretly established between you and the exit node. So far as the website is concerned, it doesn’t know your real physical location. Ever annoyed by that galactically stupid “Sorry, this video is not available in your country” crap? Pfff. And as far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to a blind pet rock with no fingers.

There are truck loads of different VPN service providers and it seems not a lot take customer privacy all that seriously, however i think both NordVPN and AirVPN are good companies that offer a good service at good prices. I’ve used both and i like both. Both have servers (think ‘exit nodes’) all around the globe and neither restrict any protocols (think ‘BitTorrent’). Both offer client applications that you can install to make using their service stupid simple. If you’d prefer to pick a VPN provider yourself however, i recommend you visit That One Privacy Site and browse the fantastic spreadsheets this cool dude puts together. Another good resource is TorrentFreak’s annual VPN reviews. Here’s the one for 2018.

The downside? Though VPN services are cheap, it’s still an additional expense. VPN exit node IP addresses can become blacklisted which could cause problems sending mail and accessing certain services on the web, however in my experience this hasn’t been an issue and, even if it were, it’s usually just a couple of mouse clicks to switch servers. Latency (the time between the mother-in-law jumping in front of you and your realization that you need to slam on the brakes) and bandwidth (how many tweets per second you can send to your friends notifying them of the “accident”) will be affected, but in my experience the difference is usually minimal. In short, i think the pluses far outweigh the minuses, especially for us privacy conscious folks. That said, you can never trust any VPN service 100%, but any reputable one should be OK for general web surfing and it will certainly prevent your ISP from spying on you.

WHAT THE FOX!

So now you’re all smitten thinking you’re invincible and ready to hack NASA to see if aliens really built hotels on the back of the moon (they did, pretty sure). You’re not, but you’ve taken one, small step for man, and on….. Truth is, there’s probably far more vectors for attack than you or i know about, so don’t get all uppity. Perfect privacy for us casual web users is a pipe dream and that wasn’t the goal here anyway. We’ve covered a few important bases that will help to prevent websites (and your ISP) from tracking and profiling you, but not all of them. Remember that when you’re creating fake profiles on Facebook to stalk your ex (you should use Tor for that).

After you’ve taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode. And after that, then it’s the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Be safe. Be ethical. And if you need help (after you’ve tried to help yourself) leave a comment.


Revisions


26-Dec-2018

  • first (pre) release

27-Dec-2018

  • added more info about using the user.js updater and prefsCleaner scripts
  • many small changes and polishing

29-Dec-2018

  • polishing, clarifications

6-Jan-2019

  • clarified a lot of stuff that may not have been clarified clearly enough
  • eliminated the ‘relaxed_user-overrides.js’ file – the user-overrides.js is now used for both the advanced and dummy guides
  • updated the user-overrides.js file
  • lots of minor edits, corrections

12-Jan-2019

  • clarified info regarding the downloading of the configuration files

22-Jan-2019

  • added better description and screen-caps for how to download user-overrides.js
  • minor edit