A new tutorial has been published titled Firefox Search Engine Cautions and Recommendations which covers the risks to your privacy when using any of the major search engines in general, but specifically when using the default search engine plugins that are packaged with the Firefox web browser, though this problem is certainly not limited to Firefox. I also cover how to circumvent the risks to your privacy when using the default Firefox search engine plugins, as well as make suggestions for alternative search engines.
I have to say that i'm becoming more and more disillusioned with the multi-million dollar Mozilla corporation and its flagship product, Firefox. Firefox was never a great web browser in my opinion, but it is/was appealing to many because of how completely customizable it is. In its earlier days it was just a little slow and buggy, but more recently Mozilla is making highly unethical choices with regard to the privacy-hating corporations they willingly partner with, and how these partnerships have manifested and have been monetized in Firefox is a result of utter stupidity and greed in my opinion. I stuck with Firefox all these years because it has always been one of the most hackable browsers out there, but these days i stick with it primarily because i'm not (yet) able to reproduce the functionality i have added to it via add-ons with any other browser, and Chrome is out of the question, much less Google's spyware version of it.
It's sad and frustrating that a company who produced a decent, super-highly customizable browser for a niche market has lost its way and turned its back on the very market it once served by deciding to become a Google Chrome clone in order to appeal to the masses.
Screw you Mozilla.
But let's end on a lighter note, shall we? Here, have a look.
Have you ever wondered how Mozilla gets paid by the privacy-hating mega-monopolies like Google? Simple; when you use the default search engine plugins that are packaged with the browser, parameters similar to these are added to your search query:
These parameters inform the search engine that you're using a Firefox/Mozilla product and that's all it takes for Mozilla to rake in millions annually. From my point of view that wouldn't be a problem were Mozilla an ethical company, but in my view that is far from the truth. If you do not wish to support unethical companies like Google, or want to punish Mozilla for doing so (as well as many other stupid things) read on...
Types of search engines
The two primary types of search engines are meta search engines and search indexes and it is important to understand the difference. Google, Yahoo and Bing for example use software "robots" called "crawlers" to discover and index web content. In other words these companies actively seek out updated and fresh content to store in their databases so it's ready for you to find. On the other hand, meta search engines do not index the web and instead rely upon third parties such as Google and Bing to provide their search results. When you use these so-called "alternative" search engines, such as DuckDuckGo, Startpage, Searx, etc., you are still subject to the filter bubbles and censorship that are employed by the corporate giants. That said, privacy-respecting meta search engines still make sense since they offer a method to access the data-harvesting corporate giants without the privacy violations that accessing them directly would incur. Understand though that they are not true alternatives as they are often described, but rather proxies. These alternative search engines are also subject to local laws, such as secret surveillance requests issued by a government.
Indexing the web involves storing massive amounts of data which is an incredibly expensive proposition that requires significant resources and infrastructure and this is why the much smaller meta search companies like DuckDuckGo, Startpage, Qwant and others rely heavily upon corporations like Alphabet's Google and Microsoft's Bing. There are better alternatives that both respect your privacy and are censorship resistant however. Ever hear of a peer-to-peer distributed search engine? Imagine a free, open-source, decentralized search engine where the web index is created and distributed by ordinary people using personal computers, each storing a piece of the whole. This is what the developers behind YaCy have done with their search engine and i think it's a great way to escape the filter bubbles created by big tech, however YaCy is not yet a viable alternative.
To mitigate potential risks to your anonymity posed by the default Firefox search engines, simply disable all of them and use alternatives. One easy way to add a search engine to Firefox is to find one you like and then right-click the address bar and click the "Add..." menu item. Most search engines can be added to Firefox in the same way, but there are additional methods also. The Mycroft Project hosts tens of thousands of preconfigured search engine plugins for a variety of web browsers, the top 100 of which are listed here. They also have a form for writing your own search plugins. Although it is not possible to review the code from the main listing of search plugins, you can use their submission form to do so by mousing over the plugin name to reveal its numeric ID, then filling in that ID in their submission form page. Because Mozilla changed the way search engine plugins are added to Firefox, you'll need the Add Search Engine from Mycroft Project add-on to install the search plugins from Mycroft.
Another easy way to add a custom search engine to Firefox is with the Search Engines Helper add-on by Soufiane Sakhi which offers a bit more control than the above method, including the ability to define the website icon path or base64 code (a binary-to-text encoding scheme that encodes the site icon in text form). The advantage of using a base64 encoded version of the site icon is that the browser won't have to fetch the icon from the server. A great on-line resource for converting an icon to base64 code is the Base64 Encoder utility which can accept the icon URL or an uploaded file.
Yet another way to add custom search engines to Firefox is by using the mozlz4-edit add-on by 'serj_kzv'. This slick extension allows you to edit the
search plugin file directly from within Firefox, though a browser restart is necessary before the changes are realized. This file is located in your Firefox profile directory and it is here that Firefox stores the code for all of its search engine plugins. If you use this tool, be careful not to touch the default search engines in the file, else all your changes will be lost. Instead you can create copies of the default engines and sanitize the copies.
Manually editing search.json.mozlz4
If you would rather avoid the hassle of manually editing the default Firefox search engine plugins, see the 'Pre-sanitized search plugins' section below where you can download my
If you have already added custom search engines to Firefox, create a copy of
and work with the copy, reason being that if you mess up, Firefox will delete all of your search plugins and restore only the default ones. If you don't want to see or use the default ones, simply disable them in the search preferences of Firefox rather than removing them from the plugin file. And no, as far as i know you cannot remove the default search engine plugins but disabling them should be every bit as good. If you don't know where your Firefox profile is located, load about:config in the address bar and you'll figure it out.
To edit the
file you first need to decompress it. There's at least a few utilities available that will handle this, but i might suggest using the mozlz4-edit Firefox add-on by 'serj_kzv' since it's easy to use and it provides a basic code editor with syntax highlighting. To sanitize the default search engine plugins that are packaged with Firefox, copy the entries and edit the copies. Be sure to give the copies a different name since no two plugins can share the same name.
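As an added example (not code from this article or from the mozlz4-edit add-on), the decompression step can also be done outside the browser, which lets you read a search plugin file, including one obtained from someone else, before it goes into your profile. It assumes the mozlz4 container is the 8-byte "mozLz40\0" signature, a 4-byte little-endian decompressed size and one raw LZ4 block; the JSON field names (engines, _name, _urls, template, params), the 64 MiB cap, the sample engine and its "client" parameter are assumptions or constructed for the demonstration.

```python
import json
import struct

MAGIC = b"mozLz40\0"          # 8-byte signature at the start of a .mozlz4 file
MAX_SIZE = 64 * 1024 * 1024   # refuse absurd declared sizes (cap chosen for this example)


def _read_length(src, i, base):
    """LZ4 length field: a nibble of 15 is extended by following bytes until one is < 255."""
    if base == 15:
        while True:
            if i >= len(src):
                raise ValueError("truncated length field")
            b = src[i]
            i += 1
            base += b
            if b != 255:
                break
    return base, i


def lz4_block_decompress(src, size):
    """Decode one raw LZ4 block, never producing more than `size` bytes."""
    out = bytearray()
    i = 0
    while i < len(src):
        token = src[i]
        lit_len, i = _read_length(src, i + 1, token >> 4)
        if i + lit_len > len(src) or len(out) + lit_len > size:
            raise ValueError("literal run out of bounds")
        out += src[i:i + lit_len]
        i += lit_len
        if i == len(src):           # the final sequence carries literals only
            break
        if i + 2 > len(src):
            raise ValueError("truncated match offset")
        offset = src[i] | (src[i + 1] << 8)
        match_len, i = _read_length(src, i + 2, token & 0x0F)
        match_len += 4              # stored length is biased by the 4-byte minimum match
        if offset == 0 or offset > len(out) or len(out) + match_len > size:
            raise ValueError("match out of bounds")
        start = len(out) - offset
        for k in range(match_len):  # byte by byte: a match may overlap its own output
            out.append(out[start + k])
    if len(out) != size:
        raise ValueError("decoded size differs from header")
    return bytes(out)


def decode_mozlz4(blob):
    """Check the signature and declared size, then return the parsed JSON document."""
    if len(blob) < 12 or blob[:8] != MAGIC:
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack_from("<I", blob, 8)
    if size > MAX_SIZE:
        raise ValueError("declared size too large")
    return json.loads(lz4_block_decompress(blob[12:], size))


def encode_literals_only(payload):
    """Wrap bytes as a valid, uncompressed mozlz4 blob (used here to build the sample)."""
    rest = len(payload) - 15
    head = bytes([len(payload) << 4]) if rest < 0 else (
        b"\xf0" + b"\xff" * (rest // 255) + bytes([rest % 255]))
    return MAGIC + struct.pack("<I", len(payload)) + head + payload


def engine_urls(doc):
    """Map engine name -> URL templates with their fixed parameters (layout is assumed)."""
    found = {}
    for eng in doc.get("engines", []):
        urls = []
        for u in eng.get("_urls", []):
            tmpl = u.get("template", "")
            query = "&".join(f"{p.get('name')}={p.get('value')}" for p in u.get("params", []))
            urls.append(tmpl + (("&" if "?" in tmpl else "?") + query if query else ""))
        found[eng.get("_name", "?")] = urls
    return found


# Constructed sample: one engine carrying an extra identifying parameter, and a cleaned copy.
_q = {"name": "q", "value": "{searchTerms}"}
_tag = {"name": "client", "value": "constructed-partner-tag"}
SAMPLE_BLOB = encode_literals_only(json.dumps({"engines": [
    {"_name": "Example Search",
     "_urls": [{"template": "https://search.example/find", "params": [_q, _tag]}]},
    {"_name": "Example Search (copy)",
     "_urls": [{"template": "https://search.example/find", "params": [_q]}]},
]}).encode())

if __name__ == "__main__":
    for name, urls in engine_urls(decode_mozlz4(SAMPLE_BLOB)).items():
        print(name, urls)
```

For a real file, pass the bytes of a copy of the search plugin file to decode_mozlz4() and look for any parameter other than the search terms.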
Download pre-sanitized search plugins
If you do not want to sanitize the default search engine plugins yourself you can download my pre-sanitized copy of my
file that should work for Firefox version 57 and up ("up" meaning until the next time Mozilla decides to break everything again). The download contains the default engines which come with U.S. English version of Firefox 94, plus the sanitized versions of them, plus a pile of additional search engines i personally use. All in all there's over 40 search engine plugins which you can edit, or disable in your Firefox Search preferences.
Install: Backup your existing
file, then extract the one from the archive to your Firefox profile directory and restart Firefox.
When you use the search engines you'll notice that all of the alternative search plugins are tagged with
= sanitized, meaning the search plugin has been sanitized by me. All of the non-default search plugins are sanitized and the default ones should be disabled.
= hybrid, meaning the service indexes its own content as well as pulls content from a 3rd party.
= index, meaning the service uses its own crawlers to index content. These engines are especially valuable in these days of censorship that is exercised by all/many of the mainstream search engines.
The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.
This guide is long, boring, dry, tedious and somewhat technical, so if you don't feel comfortable digesting it give The Firefox Privacy Guide For Dummies! a shot instead, however be aware that it doesn't offer quite the same degree of protection.
To understand my personal position regarding the ethical nature of the Mozilla Foundation, read The Mozilla Monster.
WARNING: This guide is not for use with the Tor browser. Configuring the Tor browser as outlined in this guide may/will result in serious risks to your privacy and personal security.
Though this guide is centered around the Firefox web browser, users of other browsers, email clients and Mozilla products may find it useful. If you are interested in hardening the Thunderbird email client, see The Thunderbird Privacy Guide for Dummies!.
Many of us are aware of the immense threats to our on-line privacy and security posed by various technology companies, governments and malicious hackers, any of which may go to great lengths to monitor our electronic communications. Governments and their "intelligence" apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of many corporations to do so, including Microsoft, Google, Facebook, Verizon, Comcast, Amdocs and many, many others. While the data these corporations collect may be used for relatively benign purposes such as targeted advertising, the intentions are usually far more sinister. Governments, intelligence organizations and their contractors present a whole new level of threat. Much of what Edward Snowden has brought to light is not new, but it seems Snowden has presented the information in a way that has captured the attention of a broader range of the public, prompting many to seek ways to mitigate such threats.
While the primary goal of this guide is to help the reader thwart some of the more obvious efforts to track and profile us as we surf the web, as well as increase browser security and performance, understand that i am not an expert in computer security or privacy and there are surely many more variables and vectors for attack than i am aware of. For example, even if you are a knowledgeable, technically proficient and privacy conscious individual who uses open hardware devices running secure, open source software on a security enhanced operating system, and even if you connect to the internet only through Tor, you may still be at risk of being tracked because, disregarding everything else, your unique writing style can be used to identify you. It is not this level of sophistication that i will attempt to address here however. My goal is to share what i have learned over the years as a casual web surfer and computer user who has a hobbyist-grade interest in computer security and digital privacy. Having said that, i believe, and please correct me if i'm wrong, that this guide is currently one of the most comprehensive of its kind in that its scope includes Firefox configuration, extensions and optimizations. If you want to go further than i can carry you, see the resources section at the end which includes the fine article, Improve Your Privacy in the Age of Mass Surveillance. I would also highly recommend using a VPN to help prevent spying by your ISP and other bad actors. That One Privacy Site is a good resource for choosing a VPN, as is TorrentFreak which publishes annual reports regarding many of the popular VPN service providers. Their 2018 report is here.
As with any modern and mainstream web browser, Mozilla Firefox is a highly complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. Modern web browsers have reached the point where they exceed the complexity and size of entire computer operating systems in some cases and things can go down the toilet quickly if one starts messing around with browser settings willy-nilly. Poorly coded browser extensions are an additional weak point that can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal number of carefully chosen and necessary browser extensions.
A trade-off must be expected when we tighten security and privacy insomuch as some websites will cease to function as we expect until the settings for those specific sites are adjusted. Anyone who has used a content filter such as uBlock, NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in an acceptable way. Similar to NoScript however, the process of allowing required resources for a particular website usually consists of a few mouse clicks followed by a page refresh. Nevertheless, be prepared to put a little more effort into your web surfing activities initially and expect the occasional hard-case where more fiddling than usual will be required to get a particular site to work. As adjustments are made to your most visited websites your workload will decrease significantly and the pay-off will be a much cleaner, faster web that is less able to track, profile and fingerprint you, as well as a Firefox that is more resistant to attack.
A note regarding user comments
When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the dynamic nature of the web and Firefox, some of the information in comments, including information provided by myself, may be obsolete or entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask.
Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software, typically developed by a 3rd party individual or company, which extends the capability of the browser. Web extensions, which leverage the WebExtension API (Application Programming Interface), have replaced the older legacy (XUL/XPCOM) extensions beginning with Firefox version 57. The newer API is essentially the same as used by Google Chrome and some other web browsers. The WebExtension API is severely limited compared to the older API and while this is a plus with regard to browser security and stability, it also strictly limits what extensions are able to do.
AMO: Addons.Mozilla.Org - the Mozilla Add-ons website.
CDN: A Content Delivery Network is a service that hosts often bloated and insecure reusable content for idiot "web developers" that can't write good code themselves. This may include graphics and libraries which developers can leverage to make building crappy web platforms easier. CDNs often present a threat to our privacy by tracking our web activities and to browser security by delivering insecure code. CDNs are used by many millions of websites and therefore the damage potential to both privacy and security is formidable. The use of CDNs is so prolific today that many websites will not function without them and so blocking them entirely is hardly an option.
CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however much like HTML and other web technologies, the capability of CSS has been expanded well beyond its original intention to the point where it too can be used for nefarious purposes.
Domain/subdomain/TLD: In the example 'sub.example.com', 'example' is the root domain, 'sub' is a subdomain of the root domain and 'com' is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content for a single website. For example, let's assume kitties.com is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep the store content separate, they may host the store on the subdomain 'shop.kitties.com'.
HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an insecure, unencrypted connection is established between your web browser and the website you're visiting. This is dangerous because such a connection is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks. An HTTPS connection on the other hand offers a more secure connection because the data you send and receive is encrypted. Some web servers simply do not support HTTPS however and for this reason, as well as others, i would strongly suggest using a VPN.
Tracking: Once a unique identity for the browser has been established through fingerprinting, it is then possible to track your web browsing activities both within the same domain and across domains. See also the explanation for 'web storage'.
Web fonts/remote fonts: These are font packages typically hosted by a 3rd party (CDN), such as Google, which a web developer may use to specify how text is displayed on a website because they don't give a crap about your choices. Web fonts present a few problems regarding browser tracking and, potentially, security.
Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites, such as this one.
You will need a decent code editor with syntax highlighting to edit Firefox's configuration files. Linux users should have something suitable installed by default, however if you're running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.
Though i personally recommend using the stable release version of Firefox, there are other versions such as the ESR (Extended Support Release), however it is usually an older version. There is also a Developer Edition which includes the very latest features (and bugs). While there are many 3rd party modifications and forks of Firefox, including Waterfox, Cyberfox, Pale Moon (or Basilisk from the same developer), etc., i do not recommend using any of them. The small development teams for these 3rd party builds often lag behind regarding security patches and they can be buggy and incompatible with the latest add-ons (Pale Moon doesn't support the newer Web Extensions at all apparently). While some forks may be more privacy-centric out of the box, we can accomplish essentially the same degree of privacy, or better, with the official version from Mozilla.
The user.js file
While the prefs.js file is the primary configuration file for Firefox, the user.js or user-overrides.js file (we'll get into that later) is where all your personal preferences are best kept. In our case we will be using a preconfigured user.js template and then supplementing that with a user-overrides.js file which will be appended to our user.js using a script.
If you have been using Firefox, back-up your current profile before making any changes. If you don't know where your Firefox profile is, enter
in the address bar and click the 'Open Directory' button in the 'Root Directory' row. The easiest way to backup your profile is to select your profile folder under the
directory and press Ctrl+C to copy the folder, then Ctrl+V to paste it in the same place but with a different name. I might suggest keeping the original name and just appending
to the copy. From this point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes.
Packaged with Firefox are a bunch of system add-ons which are installed without your consent and they are essentially hidden (they are not listed in about:addons). Some of these add-ons have been and may currently be used for highly controversial purposes such as collecting data without your consent. Typically i remove all of them, however you may want to keep some of them after researching what they do and whether you need them. On a Linux-based OS these add-ons might be found at
and for Windows in \Program Files (x86)\Firefox\browser\features. You can delete them from the terminal in Linux:
sudo rm *.xpi
These system add-ons will be reinstalled each time Firefox is upgraded. On Windows you can apparently use CCleaner to handle them. If you're running Linux with the pacman package manager (Arch, Manjaro, Artix, etc.), you can prevent their re-installation by editing the pacman configuration file, pacman.conf. Note that this will not work if using Pamac, the GUI package manager, until this bug is addressed. In my case i find it preferable to just bookmark the
folder in my file manager and then run the command above each time i update Firefox.
I recommend reading Firefox Search Engine Cautions and Recommendations which offers information about how Mozilla monetizes Firefox with the included search engine plugins and what can be done to opt out of their affiliate scheme should you so choose. While it may seem, and is in fact, contradictory for me to recommend Firefox while suggesting to de-monetize Mozilla, i personally feel it is an ethical move given the utterly stupid and unethical things the company has pulled in the past and continues to do.
Required and suggested add-ons and settings
All of the add-ons listed here are of the WebExtension variety, all of which will work with the latest version of Firefox. Download and configure each add-on one by one. Each of these add-ons is important and so it's suggested to not skip any of them unless otherwise noted.
Description: Strips many tracking and other (mostly) unnecessary parameters from hyperlinks, such as the
tracking parameters used by Google Analytics. Unlike other similar extensions, ClearURLs uses a remotely updated list from GitLab and requires little or no interaction.
Settings: Following are the most important settings. Others are optional.
Allow domain blocking: if you are not using any of the major ad filtering lists in uBlock, then enable this
Skip URLs on local hosts: enabled
Prevent tracking injection over history API: enabled
Filters ETag headers from requests: enabled
'Block hyperlink auditing' can be left disabled as long as
is enabled in your user.js or user-overrides.js (we'll get to that).
Note: This add-on is optional since the 'arkenfox' user.js negates the privacy aspect of connecting to CDNs, however LocalCDN will speed-up page loading so you may want to use it. Do note that it can break websites on rare occasions in which case the solution may be to enable the HTML filter option for that particular website, or LocalCDN can be disabled altogether for the site.
Settings: Following are the most important settings. Others are optional.
Disable link prefetching: enabled
Strip metadata from allowed requests: enabled
Enabling the option to 'Block requests for missing resources' will break more websites and so the choice is yours.
Settings: I would recommend setting the 'Global mode' to 'aggressive' and enabling the 'Exclude root domain matches' and 'Spoof cross-origin Referer' options. You can also add the following to the 'Exclusions' area:
Description: Skips link redirections such as used by Google, YouTube, AMO and many other websites, thus helping to prevent tracking. Redirects are intermediate links, such as 'click-track.com/abc123' or short links, that forward the browser to the final destination.
Settings: I would suggest enabling the pop-up option so that you know when Skip Redirect skips a redirect, other than that the default settings are sufficient. You will likely have to whitelist sites that no longer work properly which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then adding that URL or domain to the blacklist.
Description: uBlock Origin is an excellent ad/content blocker that can use the same filter lists as Adblock Plus as well as many more. Make sure you use the original uBlock Origin by Raymond Hill and no other. It is important that you enable advanced mode in uBO and learn how to use its dynamic filtering capabilities.
The tl;dr version: Do NOT enable automatic add-on updates. The longer version...
Regarding automatic add-on updates, which are enabled by default in Firefox, this function is disabled in the 'arkenfox' user.js file and i would strongly suggest keeping it disabled. Automatic checking for updates is fine and this is enabled in the 'arkenfox' user.js, but we do not want Firefox to update add-ons without our explicit consent. The problem here is that developers may, at any time, and without notice, monetize their add-on or sell their work to an unethical 3rd party and this often results in compromising your privacy. Examples of some currently or formerly popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility; Quick Locale Switcher, a language switcher; FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn't; BlockSite, a content blocker; Stylish, a very popular utility for changing the appearance of websites, and many, many others. Not all of these extensions contained crapware when they were first introduced which is why i strongly suggest keeping automatic add-on updates disabled and carefully reviewing the change logs, permissions and privacy policies each time an update is available. The Extension source viewer add-on by Rob W. is a handy tool for reviewing the source code of any add-on on AMO while visiting the site. For more about Firefox add-ons, see Firefox Extensions – My Picks.
This guide depends heavily on the 'arkenfox' user.js configuration file which alters hundreds of important Firefox preferences related to privacy and security, thus you need not worry about manually configuring anything from the Preferences menu of Firefox other than a search setting which we'll get to. If you choose to not use the 'arkenfox' user.js, then your job is likely to be considerably more difficult assuming your goals are similar. Still, you may find it helpful to refer to the 'arkenfox' project should you choose to start from scratch.
Search bar on navigation bar
I would suggest adding the search bar to the navigation bar and using it instead of the address bar for searching the web. Not only might you find it more convenient, but there are potential privacy concerns when searching from the address bar. To accomplish this, open the Firefox Preferences page, click the Search item on the left, then enable the option 'Add search bar in toolbar'.
Firefox profile in RAM
With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits to doing so.
If you don't want to disable disk caching, web storage and cookies globally, and thus break a lot of websites in the process, there will be substantial read and write activity for your storage media. Placing your Firefox profile in RAM will alleviate much of this, however doing so can be risky should a catastrophic failure occur, such as a power failure which could result in data loss or corruption. Fortunately there are ways to minimize this risk.
If you use Windows you're on your own since i don't, suffice to say that there exists Windows compatible software that can manage RAM disks and backup your profile to your storage media ('Bushdoctor' provides a method in a comment left on this article). Those using most any flavor of Linux have access to a very spiffy utility called Profile-sync-daemon (PSD) which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it's available in your repository. To get PSD working, run
in a terminal or consult the guide on the Arch wiki. Setting it up was very easy in my case and it has worked flawlessly and transparently ever since.
Note that Firefox stores its web cache in a location other than the profile directory. On Linux you might find it in
. Normally you would have to deal with web cache separately if you wanted to store it in RAM also, however since disk caching is completely disabled in the 'arkenfox' user.js (cache is stored in memory) and the cache is dumped when you exit Firefox, you need not worry about it. If you're thinking it would be more efficient to keep the browser cache instead of having to re-download objects for the websites you visit frequently, you're right, however doing so can compromise your privacy. We won't exactly be dumping all of the browser cache either since we're using the LocalCDN add-on.
Keep the following hierarchy in mind as you read this section. When Firefox starts:
prefs.js is read by Firefox
user.js is read by Firefox - all preferences in the user.js file are copied to the prefs.js file and any preferences that are duplicated in both files are overridden by those in user.js - prefs.js is then used to generate what you see in about:config
user-overrides.js is never read by Firefox but these preferences are appended to the 'arkenfox' user.js with a script (preferred) or by manual copying. If using the 'arkenfox' user.js then the user-overrides.js is the only file you should edit and it is where all your custom preferences should be placed. This may defy conventional knowledge, so let me be clear:
If you are going to use the 'arkenfox' user.js file then you should never edit it, (nor the prefs.js file that Firefox creates) nor should you change important settings from about:config unless you're only testing something. All of your custom preferences should be placed in your user-overrides.js file and then appended to the 'arkenfox' user.js using their updater script.
One reason for this is that the 'arkenfox' user.js file is quite large and is updated frequently, so if you edit it and then update it, all your custom changes will be lost, whereas if you copy the preferences you want to alter from the 'arkenfox' user.js to your user-overrides.js and change the values there, then updating the 'arkenfox' user.js will be a lot less painful. On the other hand, should you choose to not use the 'arkenfox' user.js, then you should add your changes to your own user.js instead of using my user-overrides.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you're just testing.
If you do not have a general understanding of the user.js file, you may want to read this on the 'arkenfox' wiki. You should also poke around elsewhere in the wiki for detailed information on using and maintaining their user.js file.
Obtaining and maintaining the user preferences files
In your profile folder, delete or rename your existing user.js file if you have one. You can transfer any needed settings later if they are not already covered in the 'arkenfox' one. Next, i might suggest considering my user-overrides.js file. Go to the 12bytes.org/Firefox-user.js-supplement at my Codeberg.org repository and download the user-overrides.js file to your Firefox profile directory. The easiest way to get the file without messing up the formatting is to view the raw file, then press Ctrl+S to save it to your Firefox profile directory. Next, open the file for editing using your code editor and follow the instructions within.
After that we want the 'arkenfox' user.js from the arkenfox GitHub repository but you need not download it directly. Instead, grab their updater.sh (Linux) or updater.bat (Windows) script by clicking the file name, then clicking the 'Raw' button in the new page and pressing Ctrl+S to save the file to your Firefox profile directory. Use the same method to get a copy of their prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) and place it in your Firefox profile directory. The prefsCleaner script will reset any deprecated, removed, or inactive preferences and it's important that you do this whenever you update the user.js. If you're running Linux, don't forget to make the files executable. Next, run the updater script in a terminal to fetch the 'arkenfox' user.js (
). The script will automatically append the contents of your user-overrides.js to the 'arkenfox' user.js if it finds one.
At this point it is important to go through the entire 'arkenfox' user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. As stated above, any preferences you want to change in the user.js file should be copied to your user-overrides.js file where you will then change their values. Note that if you ever add and then comment out or delete a custom preference in your user-overrides.js which is not contained in the 'arkenfox' user.js, and you have run Firefox after doing so, that setting will remain in the prefs.js file. The safest way to remove such preferences is to open about:config in Firefox and reset them.
Over time it is possible that your user-overrides.js file will contain preferences that are obsolete. The 'arkenfox' user.js file contains a list of some of these preferences in
[SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
and these preferences should be removed from your user-overrides.js file. One very tedious way to do this is to go through the list line by line and see if they are duplicated in your user-overrides.js. An easier way is to use the
switch (documentation here) when you run the updater script which will output a 'diff' file containing the differences between the old user.js and the new one.
I suggest you run the updater script with the
option (Linux only) every time you update the user.js file or make changes to the user-overrides.js file. This will create a "diff" file containing the differences between the old and current versions. You can read more about the updater script here and the cleaner script here.
Verifying the integrity of user.js
IT IS VITAL that you perform two integrity checks whenever the 'arkenfox' user.js file is updated or you have edited the user-overrides.js file if you're using one.
From the 'arkenfox' crew:
In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.
To perform this check, you might want to disable your network connection so that, in the event there is a problem with a preference, Firefox cannot connect to the network and potentially allow data to flow in or out which you may have wanted to avoid. With that done, start Firefox and open the Browser Console from the Web Developer toolbox (Ctrl+Shift+J might work) and check for any preference errors by pressing Ctrl+F to open the find dialog and entering 'pref' or 'user' and seeing if any errors point to preferences in your user.js file (other errors and warnings can usually be ignored).
Now we will further check the integrity of the user.js file and, by extension, also the user-overrides.js file since the content of the latter was copied to the end of the former with the updater script.
You may have noticed a bunch of unusual looking
preferences in the 'arkenfox' user.js as well as in my user-overrides.js if you're using it. These are used to find the approximate location of any syntax errors. When you run Firefox for the first time after updating the user.js or making changes to your user-overrides.js, check the value of the troubleshooting preference by entering about:config in the address bar and searching for the
preference (it may be the first one listed without having to search). The value should match the very last
preference value in your user-overrides.js or, if you are not using a user-overrides.js, then it should be the last value in the 'arkenfox' user.js.
If you're using only the 'arkenfox' user.js, the value should be
"SUCCESS: No no he's not dead, he's, he's restin'!"
If you're also using my user-overrides.js, the value should be
"SUCCESS! USER-OVERRIDES SETTINGS LOADED"
If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user.js or user-overrides.js the syntax error lies. While it cannot narrow down the problem to a specific preference or line number, at least you will know where to begin looking.
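The two checks above can also be scripted against the files in the profile folder. The following is an added example, not part of the original guide or of the 'arkenfox' project: it compares the last troubleshooting value in user.js with the one Firefox wrote to prefs.js, reports the line range in which loading stopped, and lists malformed user_pref lines. The preference name `_user.js.parrot` is an assumption (the name is missing from this page), the function names are hypothetical, and the sample file contents and `example.*` preference names are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the troubleshooting pref is named "_user.js.parrot" (the name is
# missing from this page); pass another name to check_profile() if yours differs.
PARROT = "_user.js.parrot"

# A pref value is a string, an integer or a boolean; anything else is not matched.
PREF_RE = re.compile(r'user_pref\(\s*"((?:[^"\\\n]|\\.)*)"\s*,\s*'
                     r'("(?:[^"\\\n]|\\.)*"|true|false|-?\d+)\s*\)\s*;')
# Strings are matched first so that "//" or "/*" inside a value is left alone.
TOKEN_RE = re.compile(r'"(?:[^"\\\n]|\\.)*"?|//[^\n]*|/\*.*?(?:\*/|\Z)', re.S)


def strip_comments(text):
    """Remove // and /* */ comments; keep string contents and every newline."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else "\n" * tok.count("\n")
    return TOKEN_RE.sub(repl, text)


def parse_prefs(text):
    """Return [(line_no, name, value_literal)] for each active user_pref."""
    clean = strip_comments(text)
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1), m.group(2))
            for m in PREF_RE.finditer(clean)]


def check_profile(user_js, prefs_js, parrot=PARROT):
    """Compare what user.js asks for with what Firefox wrote to prefs.js."""
    wanted = parse_prefs(user_js)
    applied = {name: val for _, name, val in parse_prefs(prefs_js)}
    parrots = [(ln, val) for ln, name, val in wanted if name == parrot]
    expected = parrots[-1][1] if parrots else None
    actual = applied.get(parrot)
    parsed_lines = {ln for ln, _, _ in wanted}
    lines = strip_comments(user_js).split("\n")
    report = {
        "expected": expected, "actual": actual,
        "parrot_ok": expected is not None and actual == expected,
        "suspect_lines": None, "mismatched": [], "absent": [],
        # user_pref lines that are not well-formed: likely syntax errors
        "malformed": [n for n, line in enumerate(lines, 1)
                      if "user_pref" in line and n not in parsed_lines],
    }
    if not report["parrot_ok"] and parrots:
        # Loading stopped between the marker that was applied and the next one.
        idx = max((i for i, (_, v) in enumerate(parrots) if v == actual),
                  default=-1)
        start = parrots[idx][0] if idx >= 0 else 1
        end = parrots[idx + 1][0] if idx + 1 < len(parrots) else len(lines)
        report["suspect_lines"] = (start, end)
    final = {name: val for _, name, val in wanted}   # later duplicates win
    for name, val in final.items():
        if name == parrot:
            continue
        if name not in applied:
            report["absent"].append(name)     # at Firefox's default, or not applied
        elif applied[name] != val:
            report["mismatched"].append((name, val, applied[name]))
    return report


# Constructed sample (not the real arkenfox file): line 8 lacks its comma.
SAMPLE_USER_JS = r'''/* 0100 STARTUP */
user_pref("_user.js.parrot", "0100 syntax error");
user_pref("example.startup.page", 0);
// user_pref("example.inactive", true);
/* 0200 NETWORK */
user_pref("_user.js.parrot", "0200 syntax error");
user_pref("example.accept", "text/html,*/*;q=0.8");
user_pref("layout.css.devPixelsPerPx" "1.25");
user_pref("example.home", "https://example.invalid/");
/* user-overrides.js, appended by the updater script */
user_pref("example.startup.page", 1);
user_pref("_user.js.parrot", "SUCCESS! USER-OVERRIDES SETTINGS LOADED");
'''
# Constructed prefs.js as left behind when loading stopped in section 0200.
SAMPLE_PREFS_JS = r'''user_pref("_user.js.parrot", "0200 syntax error");
user_pref("example.accept", "text/html,*/*;q=0.8");
user_pref("example.startup.page", 0);
'''


if __name__ == "__main__":                    # optional argument: profile folder
    texts = [SAMPLE_USER_JS, SAMPLE_PREFS_JS]
    if len(sys.argv) > 1:
        texts = [(Path(sys.argv[1]) / f).read_text(encoding="utf-8")
                 for f in ("user.js", "prefs.js")]
    for key, value in check_profile(*texts).items():
        print(f"{key}: {value}")
```

Run it with the profile folder as the argument after Firefox has been started once and closed, so that prefs.js reflects that run. Preferences reported as absent are inconclusive, because prefs.js omits values that equal Firefox's defaults; those still need the Browser Console check.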
Updating the user.js and user-overrides.js files
To update the 'arkenfox' user.js file, run the updater script (you can add the
switch as explained earlier if you're running a Linux OS). To update my personal user-overrides.js file, just copy the contents of the new version to your user-overrides.js, then run the updater script. Lastly, always run the 'arkenfox' prefsCleaner script with Firefox closed whenever you update the user.js or my user-overrides.js.
The 'arkenfox' user.js is updated frequently and so you'll need to check for updates regularly. There are two ways you can check for updates if you're running Linux and one if you're running Windows, however there's only one (easy) way to actually update the user.js and that's by using the 'arkenfox' updater script.
If you're using a Linux-based OS you can use my user.js-notify.sh script to be automatically notified via a desktop notification when:
the 'arkenfox' user.js is updated
my user-overrides.js is updated
this guide is updated
You can add the script to your startup programs so it runs each time you log-on to your desktop, or run it automatically some other way. Instructions for implementing the script are contained within the script. Open the file with a code/text editor to read the instructions and edit the options.
To check for a new user.js if you're running Windows, or to actually update the file, exit Firefox and run the 'arkenfox' updater script. If you're running Windows, or if you're running Linux and don't wish to use my user.js-version-checker.sh script, you should run the updater script every week or so in order to check for a new version. You always want the user.js version that corresponds to the major version of Firefox, so if the updater script says
Available online: * version 80-alpha
and you're running Firefox version 79.0.1, you'll want to cancel the update because 80 doesn't equal 79.
Each time you run the updater script, be sure to follow it up by running the prefsCleaner script with Firefox closed.
In the alleged interest of privacy, Firefox has added code which allows you to route all DNS look-ups over HTTPS to a resolver of your choice. Typically DNS queries are routed through your ISP, so while they cannot view your traffic as long as it's encrypted (HTTPS), they can see what websites you visit and this is a serious privacy concern. There are several ways to mitigate this, one of them being to use a VPN that provides DNS services. Another is to enable DoH within Firefox, however this will only protect your browser and not any other programs on your system that connect to the internet. Moreover, there seems to be a lot of controversy regarding DoH, so before you enable this setting you might want to watch the video, Paul Vixie talks about DNS over HTTPS, and read this on Wikipedia, and also the article, Mozilla is becoming evil.
Part of the DoH system in Firefox can be controlled with the preference,
, however it is easier to simply use the Preferences UI to do so (Preferences > General > Network Settings > Connection Settings). The default DNS resolver is Cloudflare, but given what i have read about this company, i would highly suggest not using it. You might want to do some research and locate a privacy-centric DNS resolver to use for DoH should you decide to enable DoH.
If you decide to use my user-overrides.js preferences file, note that it disables DoH by setting
to '5' (i use a VPN that provides DNS). You will need to change that if you want to enable DoH.
Thanks to 'AHappyUser' for reminding me about the policies.json configuration file which can be used to control how Firefox behaves, particularly in enterprise environments. 'AHappyUser' linked to the Controlling Firefox section of the article, Mozilla is becoming evil - be careful with Firefox, which provides a few examples of what can be done with the policies.json file. Note that all of the examples given can be controlled via preferences in your user.js file so there is no need to create the policies.json file, however i mention it because some folks may find it useful. For more information regarding what can and cannot be done with policies.json, see the Mozilla repository on GitHub.
Persistent web storage (cookies, etc.)
A problem that will likely creep up at some point is a website not saving settings across browser sessions that you wanted to save, such as search engine settings for example (if you want to learn more about alternative search engines, read Alternative Search Engines That Respect Your Privacy). To save this data you will need to edit the permissions for the domain and there are two easy ways to access them; you can click the padlock icon in the address bar, then the right-facing arrow, then "More information", or simply hit Ctrl + I. In the window that opens, click the "Permissions" icon and scroll down until you see the "Set Cookies" item. Finally, deselect the "Use Default" preference and select the "Allow" preference. Firefox will now save the website data for the domain you're visiting even after it is restarted.
THE END (lie)
While there are many more things you could do if you're really concerned about protecting your privacy and browser integrity, i hope this guide has been of some use to the technically adept novice or intermediate web surfer at which it is aimed. Understand however that there are threats present in almost all computers which users have little or no control over regardless of what software or operating system is used. Such threats include the Unified Extensible Firmware Interface (UEFI) which has all but replaced the Basic Input/Output System (BIOS) for booting the computer. Intel's Management Engine (IME) and AMD's Secure Processor (SP) / Platform Security Processor (PSP) present a massive threat to security and privacy for virtually everyone using any Intel or AMD powered device.
Lastly, if you are using a proprietary operating system, be it Windows or any other, it is absolutely crucial that you move to a more secure, open source OS such as Linux. The importance of doing so cannot be overstated in my opinion. For more information, read the free book, Free Yourself from Microsoft and the NSA.
I welcome any questions or comments you may have, just please leave them in the comment section so others can benefit (you need not be logged in).
IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it's the best way to stay informed.
I must thank all of the dedicated and skilled people who created, maintain and contribute to the arkenfox/user.js repository, especially Thorin-Oakenpants (aka, 'pants') and earthlng. This guide would never have been as comprehensive as it is without the benefit of that bunch of misfits :) Also i'd like to thank the many people who make privacytoolsIO possible. Their website is an excellent resource for those looking to protect their privacy and security.
Also i thank the many people who have left comments here, many of which have been very helpful in correcting, maintaining and improving this guide.
removed Cookie AutoDelete (rather obsolete with dFPI and v96 of arkenfox user.js, plus due to delayed cleaning it doesn't offer the level of protection we want)
removed section on HSTS tracking (largely if not entirely obsolete)
added 'Persistent web storage' section
changed user-overrides.js successful loading parrot from "SUCCESS! USER SETTINGS LOADED" to "SUCCESS! USER-OVERRIDES SETTINGS LOADED"
removed all references to uMatrix since it's no longer developed and is becoming less effective as time ticks on - uM users are advised to use uBO in advanced mode instead
corrected some information and made some minor changes to language
changed wording for the suggested uMatrix settings in the 'Settings, Convenience' section
updated info for the privacy settings for uMatrix
removed HTTPZ add-on and associated info - no longer needed since Firefox v83 as long as
added a note in ClearURLs settings regarding hyperlink auditing
minor clarifications, edits
minor edits and clarifications in the 'Terminology' section
changed recommendation for the use of CAD (i DO recommend it) - see sections 'Cookie AutoDelete by CAD Team' and 'Cookie AutoDelete (CAD) usage'
added info about the user.js-notify.sh script
reversed the order of this revision history so the latest changes are at the top - big sloppy kiss to 'Anon' for helping with that
added notes to CanvasBlocker, Cookie AutoDelete and LocalCDN stating that they are optional - the reason they are optional is because of settings in the 'arkenfox' user.js, particularly
and the clearing of storage on browser exit - many readers may see this decision as strange, in which case i'd recommend reading the Questions regarding compartmentalization, extensions and uniqueness thread in the 'arkenfox' user.js issues
for uMatrix several suggested settings in the "Settings, Privacy" section were removed, these being:
Delete blocked cookies
Delete non-blocked session cookies minutes after the last time they have been used
Delete local storage content set by blocked hostnames
Clear browser cache every minutes
Strict HTTPS: forbid mixed content
added info in the 'Cookie AutoDelete by CAD Team' section instructing how to save storage for a website if not using CAD
added info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only) in the 'Updating the user.js and user-overrides.js files' section
replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
added info about importing rules from LocalCDN to uMatrix - see the paragraph beginning with "If you're using the LocalCDN add-on"
removed info about manually cleaning the user-overrides.js file in favor of using the -c switch when running the updater.js/updater.bat script
added Site Bleacher to list of required add-ons
removed all info regarding containers as well as the Temporary Containers and Firefox Multi-Account Containers add-ons - i prefer to enable
(the default in the 'arkenfox' user.js) in combination with Site Bleacher (far less headaches)
replaced Neat URL with ClearURLs - while the former is a good extension, i think the latter is even better
replaced Smart HTTPS with HTTPZ
moved all add-on settings info to the required add-ons section
uBlock: added info for globally blocking 3rd party fonts while allowing 1st party fonts
added instructions for cleaning user-overrides.js of obsolete preferences
added a link to a comment by 'Bushdoctor' who was kind enough to provide information about loading Firefox profiles in RAM for Windows users
updated info on HSTS tracking
updated info regarding downloading my user-overrides.js file
clarify information regarding the downloading of the configuration files thanks to a commenter
fix minor typo
added some more info regarding HSTS tracking and the SiteSecurityServiceState.txt file based on user feedback - it appears some AV's might have a problem if this file is set to read only
added a new resources section specific to the 'arkenfox/user.js' GitHub repo
added Temporary Containers (TC) add-on and associated info - this results in several major changes throughout the guide
added Firefox Multi-Account Containers add-on and associated info - this is used in conjunction with the TC add-on
added 'Using containers' section
removed Canvas Blocker add-on - not needed with TC
removed Restrict to Domain add-on - not needed with TC
removed Don't touch my tabs! add-on - (probably) not needed with TC
removed Header Editor - not needed for what we were using it for since the function is handled by TC
edited some uMatrix info regarding its privacy settings to reflect changes as a result of the TC add-on
added more info about importing rule-sets for uMatrix
moved Smart HTTPS add-on to the required section
moved Skip Redirect add-on to the required section
removed the suggested add-ons section
corrected mistakes and updated info in the section regarding integrity checking of the user.js/user-overrides.js files
reworked and updated the entire user-overrides.js file
removed mention of the template user-overrides.js file and associated download link - user should use the one provided in my GitLab repo
several minor edits/clarifications
add notice about newsletter subscribing
corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it's enabled in uM only)
dumped Cookie AutoDelete add-on - not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
in user-overrides.js in order to enable First Party Isolation
added Restrict to Domain add-on to toggle
(FPI) via toolbar button
removed the list of optional add-ons (NoScript and Smart Referrer)
coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead - i'm playing with it now
added POOP as a required add-on and accompanying configuration information
configuration information for Neat URL was located in the wrong section
clarified much information regarding the user.js files as well as other parts
added more info about browser fingerprinting
added more detail regarding system add-ons
added a user-overrides.js template
updated Header Editor rules download
added several more 3rd party resources
misc. minor edits
added more info to the uMatrix section, particularly about indexedDB storage
added info about HSTS tracking
added info about using the user created rule sets for uMatrix, as well correcting some mistakes and clarifying other uM info
add Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
removed information about the Forget Me Not add-on
added information about First Party Isolation
added rule to uM to prevent web workers
added information about the uBO and uM logging functions
corrected some mistakes
added uMatrix to the add-on pile again
added the uMatrix sections of this document
removed info about running uBlock in advanced mode since we're using uMatrix for dynamic filtering instead
several minor edits
lots of clarifications and polishing, added several resources
added the section 'Firefox profile in RAM'
misc. other minor edits
rewrote most of this guide, so if you read it before, read it again :)
removed cryptocurrency miner section
removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
removed the Load from Cache add-on
removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it's a much more active project.
updated some information
note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide
updated some content to reflect the current state of Firefox and WebExtensions
misc. minor edits
added more info about IndexedDB storage in the "Terminology" and "uMatrix configuration" sections.
added section "A special note about cryptocurrency miners"
i didn't keep track of all the changes and many were made - you'll have to re-read the guide :)
added some add-ons to the recommended section
misc. minor edits
rewrote and updated much of the content pertaining to uMatrix
added section "Removing system add-ons"
added section "Sanitizing the default search engine plugins"
deleted the GitHub repository which i forked from Pants' 'arkenfox' repository and created a new repository which does not include his code
some changes to user.js
some major editing of this document mostly in regard to the creation and changes of the GitHub repositories
updated user.js to version 51r2 - see the GitHub page for the change-log
updated info here regarding the user custom preferences section of user.js
published my user.js on GitHub which was forked from Pants' code
removed my user.js code from this page and linked to it on the GitHub page instead
changed my versioning scheme to match Pants' where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
updated user.js to include v51 of Pants' config - no preference changes so far as i know, just added/removed/changed comments
updated text in user.js section to account for the new changes
changes to comments and troubleshooting preference names and values, other minor changes
switched to using Pants' config v0.11 and mostly just appending my settings to the end of his - because this is a major update, no history of changes to individual preferences will be published
removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn't been updated in two years
updated user.js file
removed duplicate preferences in user.js file (see change-log in the file for details)
changed the name of the troubleshooting/bogus preference to
and added values to indicate the point at which the file stopped loading - a huge thanks to commenter 'Pants' for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, 'Pants' is the author of the user.js config file used in the 'arkenfox' article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i'm very glad to have his input here)
corrected 'plugin.scan.*' values to be strings
added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems
added some basic information for configuring the Clean Links add-on
set 'browser.fixup.hide_user_pass' back to its default value
corrected an error with pref 'layout.css.devPixelsPerPx' where the value was an integer instead of a string - this caused all prefs following it to be ignored
updated user.js file
minor grammar/spelling corrections
updated user.js file
updated guide information
updated user.js file and added a revision history to the file
updated user.js file contents
updated user.js file contents
updated user.js file
removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it
Minor edits for uMatrix usage text
added more info for uMatrix and IP Config test results
updated user.js file contents
various other edits
removed HTTP UserAgent cleaner since it is no longer being developed
removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
updated uBlock settings to match the current development version (0.9.9.2)
misc. minor updates
switched to Raymond Hill's version of uBlock
updated uBlock filter information
added Fetch information for new version of HTTP UserAgent cleaner
updated user.js file contents
misc. minor updates
added information for securing DNS traffic
misc. minor updates
minor updates to user.js file contents
updated user.js file contents
updated a few settings recommendations for HTTP UserAgent cleaner
updated list of recommended filters for uBlock
updated user.js file contents
added Pure URL as a suggested add-on
updated contents of the user.js file
added and edited some information for HTTP UserAgent cleaner
added more resources in the References section
updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a
updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner
updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
updated the user.js file
updated some definitions of terms used in this document
added some more resources
updated some HTTP UserAgent cleaner information
deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
misc. other minor changes
updated information for HTTP UserAgent cleaner
updated user.js file
minor updates to uBlock information
misc. other minor changes
updated HTTP UserAgent cleaner information
for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.
updated and added more information for uBlock
updated one HTTP UserAgent cleaner screen-shot
misc. other corrections/updates/edits
updated user.js file
switched uBlock versions since a new fork was created
updated uBlock images and documentation
added a "Current notices" section
misc. other corrections/updates/edits
updated user.js file
several other small updates and a few corrections
removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
various other edits and corrections.
Note that both reader and my comments, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.
Relying on anti-virus software to protect your system is tantamount to relying on guard rails to keep your car on the road. Here's why...
UPDATE: Since writing this article i have finally dropped Windows and moved to Linux-based operating systems which are inherently more secure in some ways (not all). I humbly suggest you consider doing the same.
My view on the subject of anti-malware/security suite software may be quite different than that of most casual computer users. I think that one of the primary keys to securing your system is a lack of stupidity rather than anti-virus software, and that relying on such products for protection is tantamount to relying on guard rails to keep your car on the road.
Fact number one: The primary method vendors of anti-virus software employ to protect against malware is by way of virus signatures, also known as 'definitions'. In order to develop a signature for a piece of malicious code, generally the vendor must be aware of its existence and since black-hat malware authors or those identifying 0-day vulnerabilities often sell their code or findings to major corporations, governments and other black-hats, they are obviously going to try to protect their secret as long as possible. This means that an exploit may exist undetected in the wild for hours, days, weeks or even years.
Fact number two: There are many viruses and software exploits that were never, are not currently, and may never be detected by any widely available, general anti-malware product. In fact, it is rather trivial to write a piece of malware that most popular anti-malware products will happily report as being 'clean'.
Fact number three: No single product can possibly protect your system against all threats, much less malware which is tailored for a specific target. On the other hand it simply is not feasible, or even possible in some cases, to run multiple anti-virus products simultaneously.
Fact number four: Everyone with an internet connection has very likely been infected with malware. If you think you are an exception, then i would posit that you simply never knew your system was/is compromised.
Fact number five: The good ol' days of malware are gone. While it was often humorous to read about or even experience your mouse cursor moving and combine that with the fact that you weren't the one moving it, much of the malware being distributed today is orders of magnitude more sophisticated. Today's malware is often designed to be as stealthy, efficient and resource friendly as possible so that it can remain completely undetected. With many millions of dollars to be earned in the malware market, the stakes are extremely high.
I'm not suggesting you throw your hands up in utter defeat, trash your anti-virus software and commence to having digi-sex without a digi-condom, but i want to make it clear that relying primarily upon anti-virus software to protect you against malware threats is a road laden with land mines, regardless of how many products you use, what they cost, what they scored on the latest Virus Bulletin test, or what bells and whistles the vendor claims it has. If there was just one, affordable anti-virus product that protected against even the majority of the threats, there wouldn't be heaps of malicious hackers getting paid to write malware any longer, yet malware is more prevalent today than ever before and more people are running anti-malware software today than ever before. What does that tell you about the overall effectiveness of the anti-virus industry? And it gets worse.
Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.
Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.
This does not mean you can't protect yourself from the majority of common threats however. Not only can you do so, but you can do so quite effectively without even using an anti-virus product. I wouldn't recommend that Windows users go without any protection, but my point is that anti-virus software plays a much less significant role for the savvy computer user who relies on more effective means of protection than any software product can provide.
Security is a dish best served cold. And in layers. Here are some of the key security practices i would suggest for most anyone, especially the casual computer user who is at the greatest risk due to their lack of technical knowledge:
Realize what the vectors for attack are, which is basically anything you connect to your machine including flash drives, discs, modems, routers, printers, USB devices, T.V.'s and even peripherals like mice and keyboards, as well as anything that is delivered through your network connection.
Realize that malicious software isn't likely to be considered malicious by your anti-virus product until after it is known to exist and a signature has been developed and pushed out by the vendor, leaving you completely vulnerable in the interim. Also realize that the existence of some exploits and malware may never be known.
Realize that no anti-malware product on the planet is bullet-proof -- Not. Even. Close. -- and many are just plain garbage or are effectively malware themselves which vacuum up personal data and send it off to who knows where, or worse. Do some research before choosing a product.
By learning just a handful of good security practices, the burden of protection will naturally shift more toward the smarter you and away from your dumber anti-virus software.
Do not install crap-ware or software from nefarious sources and, by all means, forget about "warez" and "cracks" as failing to do so will cause doom at some point.
That game or joke document that's being passed around all over Facebook or by email or wherever? Let it pass.
Get in the habit of never opening email attachments. None. Ever. Period. The only exception is if you are expecting something important from someone you trust and even then you should not trust any attachment blindly, especially if it's an executable. Even hyperlinks can be dangerous. Your coworker or close friend could be using a little social engineering to infect you, or they could be infected themselves and not know it, or it might not be your coworker or friend at all, but rather someone impersonating them. If someone sends you something you really want to see, ask them to send a link to the webpage if possible and make sure you know where that link is pointing before clicking it (and ask them to quit sending attachments unnecessarily).
For many of us, our internet browser is our primary window to the digital world. It is also a most attractive vector for attack, not only because of security holes and poorly coded extensions, but because of what websites people visit. Tighten down the security of your web browser and remove any unnecessary plugins, including Flash, Java, the Adobe PDF viewer, etc. Most modern browsers can handle video and PDF content without plugins anyway and Java is rarely used by websites anymore.
Browse smart and stay away from porn sites or any other questionable sites, even if they are hugely popular. Keep in mind that you need not click or do anything on a malicious website to become infected other than simply visit it (see drive-by malware). I would also suggest dumping Microsoft Internet Explorer and replacing it with something more secure and transparent, which is basically anything other than IE.
Scan everything you download from any source with a decent anti-virus product. You don't have to run a bloated "security suite" in the background that analyzes your every click and key press and file you open as long as you work and play smart, but at least have an on-demand scanner available to manually scan all incoming downloads and email attachments.
If you're not sure about the integrity of a piece of software or the reputation of a website, scan it using something like the VirusTotal service, which uses a whole bunch of anti-malware products to scan a single file or website URL. There are several add-ons for Firefox that make accessing VirusTotal very easy. Certainly do not rely on the over-pimped "Web of Trust" service or any other service where the data comes primarily from everyday users who lack knowledge regarding malware and rate sites based primarily upon their bias.
If you use only popular, mainstream software products for protection, such as Windows Defender or the Comodo Internet Security suite, etc., realize that chances may be significantly higher that malware is in play which is purposely designed to completely bypass the protection these popular products offer. The larger the following, the bigger the target.
Do not log on to your operating system as an administrator.
Keep regular backups of your data, preferably off site and encrypted, but at least on an external drive. If you have become infected, do not rely on the Windows System Restore utility since the malware may have infected those backups as well.
If you discover a virus, and especially if it's a Trojan, assume all your data has been compromised including any passwords, banking information, credit card numbers, documents, etc. You should immediately unplug your computer from your modem and take action to remove the virus, change all of your passwords and notify your bank.
Again, i do not advocate running around the web with your skirts flying high and no underwear on. The trick is to find a good anti-malware product and, while there are hordes of products to choose from, there are not that many that are actually worth considering. In the past i have had extended communications with a couple of people who are apparently heavy hitters in the anti-malware industry and Bitdefender seems to be one of the better general purpose products. So is Malwarebytes Anti-Malware. I will emphasize again however that there is no single product, nor combination of products, that will protect you from all threats.
Personally i don't run a resident virus scanner at all any more, but i do use the Emsisoft Commandline Scanner which is an on-demand scanner (you have to run it manually) to scan everything i download. It is a general purpose anti-malware tool that is probably about as good as they come and it's free for personal use. Also known by its executable, a2cmd, the Emsisoft scanner is a hybrid of both the Emsisoft and Bitdefender products.
Prevent your ISP and others from collecting information about what websites you visit by encrypting your DNS traffic.
UPDATE (25-Jan-2020): This article is largely obsolete but i'm keeping the page alive because i intend to rewrite it at some point. One of the items i want to add is how to set up DNS over TLS on your network router so that all devices that connect to your network can benefit from private and encrypted DNS resolving.
UPDATE (26-Jan-2018): If you use a Virtual Private Network (VPN) you do not necessarily need to worry about encrypting your DNS traffic as long as a), your VPN offers a DNS service and b), you trust them. The other primary advantage of using a VPN is that, like Tor, all of your internet traffic between you and the VPN exit node is encrypted, meaning neither your ISP nor anyone else should be capable of monitoring it. Yes, a VPN is yet another expense and as much as i dislike paying more to access the web on top of what my ISP charges, it doesn't cost much and i can't see myself ever going back to not using one.
DNS -- Domain Name System -- is the service responsible for converting a domain name, such as '12bytes.org', to an IP address that is understood by computers routing internet traffic. The DNS server(s) that you are currently accessing to convert domains to IP addresses are configured in the properties of your network adapter, each adapter having its own DNS configuration, or perhaps your router or modem.
DNS is a weak link in the internet chain because this traffic is most often unencrypted and open to man-in-the-middle (MITM) attacks, even when visiting an encrypted (https) website. An attacker can easily set up their own DNS server and, using a little social engineering and/or malware, convince you to change your current DNS server, or change it without your knowledge, to the one controlled by the attacker. One possible result is that you could visit 'your-bank.com' but actually land on a forged website that may look exactly like the authentic one and thus there would be no cause for alarm while you log on with your user name and password, which would then be in the hands of the attacker. I am quite sure the tactic of DNS spoofing is used by law enforcement as well.
Lastly, i wrote this tutorial while using Windows and have since switched to Linux. A tutorial for the Debian flavors of Linux can be found here.
Securing your DNS traffic is easy using DNSCrypt (don't download the client from the OpenDNS page). If you're not afraid of the command-line and wish to keep the process as efficient as possible, i would suggest reading the article How to Encrypt Your DNS for More Secure Browsing by How-To Geek. If you prefer a point-and-click approach however, along with a nice GUI for controlling DNSCrypt and selecting your DNS server, here's how to install and configure Simple DNSCrypt:
If you have another version of DNSCrypt installed, uninstall it first. If there is no uninstaller, then run the following command:
Next, download Simple DNSCrypt from the author's site and install the .msi package. The GUI to configure the DNSCrypt client should start automatically after the installation is complete. Configuring the DNSCrypt client is easy:
Enable DNSCrypt for your network adapter.
Select a DNS service.
Enable the Primary DNSCrypt Service. If the service does not start, try disabling DNSCrypt for your adapter and then enabling the service. Note that the Secondary Resolver settings are disabled because this feature is not completely implemented at the time of this writing.
In the 'Advanced Settings' you can download a fresh copy of the DNS resolvers list and by clicking the 'Plugins' button you can disable IPV6.
Open port 443 in your firewall to allow outgoing UDP traffic for dnscrypt-proxy.exe if you need to.
If you installed the 'dnscrypt-proxy' service, you can exit the Simple DNSCrypt GUI, otherwise it will need to be left running.
Verify DNSCrypt is working...
To verify that everything is working, check the properties for your network adapter and make sure the primary DNS server is set to 127.0.0.1 and that the secondary server is empty as seen in the screen-shot. If it is not, make it so. Next, try visiting a website to make sure everything is working.
If necessary, reboot your machine or flush the Windows DNS cache by opening a command prompt and entering:
, then load a web page to ensure DNSCrypt is working.
If you're wondering about the default Windows 'DNS Client' service, leave it running. You can also leave in place any firewall rules for DNS look-ups on port 53 to enable easy switching of the DNS servers in your network adapter for troubleshooting purposes.
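The same verification can be done from PowerShell instead of the adapter properties dialog. The script below is an added example, not part of the original tutorial or of Simple DNSCrypt; it assumes the proxy listens on 127.0.0.1 UDP port 53 under the process name dnscrypt-proxy, and 'example.com' is only a test name.

```powershell
# Added example: audit the DNS settings described above after enabling DNSCrypt.
# Assumptions: the proxy listens on 127.0.0.1 UDP port 53 and runs as
# dnscrypt-proxy.exe; 'example.com' is only a test name.
$local = '127.0.0.1'

# 1. Each connected adapter should list 127.0.0.1 as its only IPv4 DNS server.
#    A secondary server would let Windows fall back to unencrypted lookups.
$report = foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    $cfg = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
    $dns = @($cfg.ServerAddresses)
    [pscustomobject]@{
        Adapter    = $nic.Name
        DnsServers = $dns -join ', '
        Compliant  = ($dns.Count -eq 1 -and $dns[0] -eq $local)
    }
}
$report | Format-Table -AutoSize

# 2. Something must be listening on 127.0.0.1 UDP port 53, and it should be the proxy.
$listener = Get-NetUDPEndpoint -LocalAddress $local -LocalPort 53 -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($listener) {
    $owner = (Get-Process -Id $listener.OwningProcess).ProcessName
    Write-Output "UDP ${local}:53 is owned by '$owner'"
    if ($owner -ne 'dnscrypt-proxy') {
        Write-Warning 'The listener is not dnscrypt-proxy; check what is answering DNS.'
    }
} else {
    Write-Warning "Nothing is listening on UDP ${local}:53; lookups will fail."
}

# 3. Ask the local proxy directly, skipping the hosts file, LLMNR and NetBIOS.
try {
    $answer = Resolve-DnsName -Name 'example.com' -Type A -Server $local -DnsOnly -NoHostsFile -ErrorAction Stop
    Write-Output ('Proxy answered: ' + ($answer.IPAddress -join ', '))
} catch {
    Write-Warning "Proxy did not answer: $($_.Exception.Message)"
}

# 4. Summarise: name any connected adapter that still points somewhere else.
$bad = $report | Where-Object { -not $_.Compliant }
if ($bad) {
    Write-Warning ('Fix DNS on: ' + ($bad.Adapter -join ', '))
} else {
    Write-Output 'All connected adapters use only the local proxy.'
}
```

A clean result shows that Windows hands its lookups to the local proxy; it says nothing about which resolver the proxy forwards them to, which is chosen in the Simple DNSCrypt GUI.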
At this point i'm not entirely sure what happens with DNS caching, but it appears that a query is sent with every request, which is not optimal. I hope to write more about this after i figure out exactly what is happening in this regard.