
Firefox Search Engine Cautions, Recommendations

This tutorial will cover how to sanitize and add search engine plugins for Mozilla Firefox in order to protect your privacy.

See the revision history at the end of this document.

When 'free' software isn't

I suggest reading The Mozilla Monster as a primer.

Have you ever wondered how Mozilla gets paid by the privacy-hating mega-monopolies like Google? Simple; when you use the default search engine plugins that are packaged with the browser, parameters similar to these are added to your search query:

client=firefox
name="appid" value="ff"
name="hspart" value="mozilla"

These parameters inform the search engine that you're using a Firefox/Mozilla product and that's all it takes for Mozilla to rake in millions annually. From my point of view that wouldn't be a problem were Mozilla an ethical company, but in my view that is far from the truth. If you do not wish to support unethical companies like Google, or want to punish Mozilla for doing so (as well as many other stupid things) read on...

Types of search engines

The two primary types of search engines are meta search engines and search indexes, and it is important to understand the difference. Google, Yahoo and Bing for example use software "robots" called "crawlers" to discover and index web content. In other words these companies actively seek out updated and fresh content to store in their databases so it's ready for you to find. On the other hand, meta search engines do not index the web and instead rely upon third parties such as Google and Bing to provide their search results. When you use these so-called "alternative" search engines, such as DuckDuckGo, Startpage, Searx, etc., you are still subject to the filter bubbles and censorship that are employed by the corporate giants. That said, privacy-respecting meta search engines still make sense since they offer a method to access the data-harvesting corporate giants without the privacy violations that accessing them directly would incur. Understand though that they are not true alternatives as they are often described, but rather proxies. These alternative search engines are also subject to local laws, such as secret surveillance requests issued by a government.

Indexing the web involves storing massive amounts of data, which is an incredibly expensive proposition that requires significant resources and infrastructure, and this is why the much smaller meta search companies like DuckDuckGo, Startpage, Qwant and others rely heavily upon corporations like Alphabet's Google and Microsoft's Bing. There are better alternatives that both respect your privacy and are censorship resistant, however. Ever hear of a peer-to-peer distributed search engine? Imagine a free, open-source, decentralized search engine where the web index is created and distributed by ordinary people using personal computers, each storing a piece of the whole. This is what the developers behind YaCy have done with their search engine and i think it's a great way to escape the filter bubbles created by big tech; however, YaCy is not yet a viable alternative.

For a list of alternative search engines, see Alternative Search Engines That Respect Your Privacy.

Adding search engines to Firefox

To mitigate potential risks to your anonymity posed by the default Firefox search engines, simply disable all of them and use alternatives. One easy way to add a search engine to Firefox is to find one you like and then right-click the address bar and click the "Add..." menu item. Most search engines can be added to Firefox in the same way, but there are additional methods also. The Mycroft Project hosts tens of thousands of preconfigured search engine plugins for a variety of web browsers, the top 100 of which are listed here. They also have a form for writing your own search plugins. Although it is not possible to review the code from the main listing of search plugins, you can use their submission form to do so by mousing over the plugin name to reveal its numeric ID, then filling in that ID in their submission form page.

Another easy way to add a custom search engine to Firefox is with the Search Engines Helper add-on by Soufiane Sakhi which offers a bit more control than the above method, including the ability to define the website icon path or base64 code (a binary-to-text encoding scheme that encodes the site icon in text form). The advantage of using a base64 encoded version of the site icon is that the browser won't have to fetch the icon from the server. A great on-line resource for converting an icon to base64 code is the Base64 Encoder utility which can accept the icon URL or an uploaded file.

Yet another way to add custom search engines to Firefox is by using the mozlz4-edit add-on by 'serj_kzv'. This slick extension allows you to edit the search.json.mozlz4 search plugin file directly from within Firefox, though a browser restart is necessary before the changes are realized. This file is located in your Firefox profile directory and it is here that Firefox stores the code for all of its search engine plugins. If you use this tool, be careful not to touch the default search engines in the file, else all your changes will be lost. Instead you can create copies of the default engines and sanitize the copies.

Manually editing search.json.mozlz4

If you would rather avoid the hassle of manually editing the default Firefox search engine plugins, see the 'Pre-sanitized search plugins' section below where you can download my search.json.mozlz4 file.

If you don't want to sanitize the default Firefox search engine plugins you should at least use something like the ClearURLs add-on or the ClearURLs for uBo list (requires uBlock Origin) which strips the tracking parameters from the search engine result links. You should also disable JavaScript for the search engine web page if possible. For this i would recommend uBlock Origin by Raymond Hill.

If you have already added custom search engines to Firefox, create a copy of search.json.mozlz4 and work with the copy, reason being that if you mess up, Firefox will delete all of your search plugins and restore only the default ones. If you don't want to see or use the default ones, simply disable them in the search preferences of Firefox rather than removing them from the plugin file. And no, as far as i know you cannot remove the default search engine plugins but disabling them should be every bit as good. If you don't know where your Firefox profile is located, load about:config in the address bar and you'll figure it out.

To edit the search.json.mozlz4 file you first need to decompress it. There's at least a few utilities available that will handle this, but i might suggest using the mozlz4-edit Firefox add-on by 'serj_kzv' since it's easy to use and it provides a basic code editor with syntax highlighting. To sanitize the default search engine plugins that are packaged with Firefox, copy the entries and edit the copies. Be sure to give the copies a different name since no two plugins can share the same name.
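
To check a copy of search.json.mozlz4 before and after sanitizing it, the following Python example (added here, not code from this tutorial, the add-on or Mozilla) decompresses the file and lists every engine entry that still carries the partner parameters quoted earlier. It assumes the usual mozlz4 layout (8-byte `mozLz40\0` magic, 4-byte little-endian size, one raw LZ4 block) and that engine entries carry a `_name` key; the sample engines and the `pack_literals` helper are constructed for the demonstration.

```python
import json
import struct
from urllib.parse import parse_qsl, urlsplit

MAGIC = b"mozLz40\0"  # file layout: magic, uint32 LE decompressed size, raw LZ4 block
# Partner parameters quoted earlier in this tutorial.
PARTNER_PARAMS = {("client", "firefox"), ("appid", "ff"), ("hspart", "mozilla")}

def _varlen(src, i, n):
    """A 4-bit length of 15 is extended by following bytes until one is below 255."""
    while n >= 15:
        b = src[i]
        i += 1
        n += b
        if b != 255:
            break
    return n, i

def lz4_block_decompress(src, expected_size):
    """Decode one raw LZ4 block, never growing past the size the header declares."""
    out, i = bytearray(), 0
    try:
        while i < len(src):
            token = src[i]
            lit_len, i = _varlen(src, i + 1, token >> 4)
            if i + lit_len > len(src) or len(out) + lit_len > expected_size:
                raise ValueError("literal run exceeds input or declared size")
            out += src[i:i + lit_len]
            i += lit_len
            if i >= len(src):
                break  # the final sequence carries literals only
            offset = src[i] | (src[i + 1] << 8)
            match_len, i = _varlen(src, i + 2, token & 0x0F)
            match_len += 4  # stored length is biased by the 4-byte minimum match
            if not 0 < offset <= len(out) or len(out) + match_len > expected_size:
                raise ValueError("invalid match offset or length")
            start = len(out) - offset
            for k in range(match_len):  # byte-wise: source and target may overlap
                out.append(out[start + k])
    except IndexError:
        raise ValueError("truncated LZ4 block") from None
    if len(out) != expected_size:
        raise ValueError("decompressed size does not match header")
    return bytes(out)

def read_mozlz4(data):
    """Turn the bytes of a search.json.mozlz4 file into the decoded JSON object."""
    if len(data) < 12 or data[:8] != MAGIC:
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack_from("<I", data, 8)
    return json.loads(lz4_block_decompress(data[12:], size))

def find_partner_params(node, engine=None, hits=None):
    """Return (engine, name, value) for every partner parameter in the decoded JSON."""
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        engine = node.get("_name", engine)  # assumption: engines carry a "_name" key
        pair = (str(node.get("name")), str(node.get("value")))
        if pair in PARTNER_PARAMS:
            hits.append((engine, *pair))
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            find_partner_params(child, engine, hits)
    elif isinstance(node, str) and "://" in node:  # URL template with inline query
        hits += [(engine, *p) for p in parse_qsl(urlsplit(node).query) if p in PARTNER_PARAMS]
    return hits

def pack_literals(payload):
    """Constructed input only: one literal-only LZ4 sequence (needs >= 15 bytes)."""
    n = len(payload) - 15
    head = b"\xf0" + b"\xff" * (n // 255) + bytes([n % 255])
    return MAGIC + struct.pack("<I", len(payload)) + head + payload

# Constructed engine list; names, hosts and JSON key names are assumptions.
SAMPLE = json.dumps({"engines": [
    {"_name": "Default", "_urls": [{"template": "https://search.example/find", "params": [
        {"name": "q", "value": "{searchTerms}"}, {"name": "client", "value": "firefox"}]}]},
    {"_name": "Sanitized", "_urls": [{"template": "https://search.example/find?q={searchTerms}"}]},
    {"_name": "Other", "_urls": [{"template": "https://other.example/s?p={searchTerms}&hspart=mozilla"}]},
]}).encode()

if __name__ == "__main__":
    print(find_partner_params(read_mozlz4(pack_literals(SAMPLE))))
```

To audit a real profile, pass the bytes of a copy of the file to `read_mozlz4`; an empty result from `find_partner_params` means none of the three parameters remain in any entry.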

Download pre-sanitized search plugins

If you'd rather avoid sanitizing the default search engine plugins, you can download a pre-sanitized copy of my personal search.json.mozlz4 file that should work for Firefox version 57 and up ("up" meaning until the next time Mozilla decides to break everything again). The download contains the default engines which come with the U.S. English version of Firefox 98, plus the sanitized versions of them, plus a pile of additional search engines i personally use. All in all there's over 40 search engine plugins which you can then reorder or hide in your Firefox Search preferences.

Download: search.json.mozlz4.zip

Install: Back up your existing search.json.mozlz4 file, then extract the one from the archive to your Firefox profile directory and restart Firefox.

When you use the search engines you'll notice that all of the alternative search plugins are tagged as follows:

[index] = search engines that actively crawl the web in order to build their own index. These engines are especially valuable in thwarting the censorship practiced by Google, Bing, DuckDuckGo, etc.

[hybrid] = search engines which index their own content as well as relying upon 3rd parties, often Bing.

[special] = special purpose search engines, such as those used to find satellite images or out of print books and those that cater to specific websites like the Internet Archive.

Any engines which are not tagged are the default search engines, all of which you can/should disable in Firefox's preferences.

Removing Firefox system add-ons

In addition to search engine plugins, Mozilla also packages system add-ons with Firefox, installs them without your permission, and doesn't provide an easy way to remove or disable all of them. These system add-ons have been used for quite controversial purposes in the past. To remove them, see the 'System add-ons' section of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Resources

Special mention goes to 'Thorin-Oakenpants' (aka 'Pants') as well as the 'arkenfox' crew and their GitHub repository where they host an excellent privacy-centric user.js for Firefox and its derivatives, as well as an extensive Wiki full of valuable information.

Resources at 12bytes.org:

External resources:

Recent changes

21-Mar-2022

  • added a link to the 'ClearURLs for uBo' filter list

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Want to configure Firefox and other Gecko-based browsers for better performance and security?

Project moved to Codeberg

The Firefox Configuration Guide for Privacy Freaks and Performance Buffs has been moved to Codeberg.

A note regarding user comments

When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the dynamic nature of the web and Firefox, some of the information in comments, including information provided by myself, may be obsolete or entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask.

Malware - It's (way) worse than you think

Relying on anti-virus software to protect your system is tantamount to relying on guard rails to keep your car on the road. Here's why...

UPDATE: Since writing this article i have finally dropped Windows and moved to Linux-based operating systems which are inherently more secure in some ways (not all). I humbly suggest you consider doing the same. End update.

My view on the subject of anti-malware/security suite software may be quite different than that of most casual computer users. I think that one of the primary keys to securing your system is a lack of stupidity rather than anti-virus software, and that relying on such products for protection is tantamount to relying on guard rails to keep your car on the road.

Problem number one: Often the primary method vendors of anti-virus software employ to protect against malware is by way of virus signatures, also known as 'definitions'. In order to develop a signature for a piece of malicious code, generally the vendor must be aware of its existence and since black-hat malware authors or those identifying 0-day vulnerabilities often sell their code or findings to major corporations, governments and other black-hats, they are obviously going to try to protect their secret as long as possible. This means that an exploit may exist undetected in the wild for hours, days, weeks or even years.

Problem number two: There are many viruses and software exploits that were never, are not currently, and may never be detected by any widely available, general anti-malware product. In fact, it is rather trivial to write a piece of malware that most popular anti-malware products will happily report as being 'clean'.

Problem number three: No single product can possibly protect your system against all threats, much less malware which is tailored for a specific target. On the other hand it simply is not feasible, or even possible in some cases, to run multiple anti-virus products simultaneously.

Problem number four: Everyone with an internet connection has very likely been infected with malware. If you think you are an exception, then i would posit that you simply never knew your system was/is compromised.

Problem number five: The good ol' days of malware are gone. While it was often humorous to read about or even experience your mouse cursor moving without you moving it, much of the malware being distributed today is orders of magnitude more sophisticated and more dangerous. Malware that targets industry has actually killed people. Today's malware is often designed to be as stealthy, efficient and resource friendly as possible so that it can remain completely undetected. With many millions of dollars to be earned in the malware market, the stakes are extremely high.

Video title: Zero days - Security leaks for sale - Docu - 2014

Video title: These Companies Can Legally Hack You

I'm not suggesting you throw your hands up in utter defeat, trash your anti-virus software and commence to having digi-sex without a digi-condom, but i want to make it clear that relying primarily upon anti-virus software to protect you against malware threats is a road laden with land mines, regardless of how many products you use, what they cost, what they scored on the latest Virus Bulletin test, or what bells and whistles the vendor claims it has. If there was just one, affordable anti-virus product that protected against even the majority of the threats, there wouldn't be heaps of malicious hackers getting paid to write malware any longer, yet malware is more prevalent today than ever before and more people are running anti-malware software today than ever before. What does that tell you about the overall effectiveness of the anti-virus industry? And it gets worse.

The 2016 article, Antivirus software could make your company more vulnerable, from CSO Online, points out exactly what is suggested in its title which is that using popular anti-malware products that are generally trusted can, in and of itself, get you in trouble:

Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.

Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms -- self-propagating malware programs. In many cases, attackers would have only needed to send specially crafted email messages to potential victims, to inject malicious code into legitimate websites visited by them, or to plug in USB drives with malformed files into their computers.

This does not mean you can't protect yourself from the majority of common threats however. Not only can you do so, but you can do so quite effectively without even using an anti-virus product. I wouldn't recommend that Windows users go without any protection, but my point is that anti-virus software plays a much less significant role for the savvy computer user who relies on more effective means of protection than any software product can provide.

Security is a dish best served cold. And in layers. Here are some of the key security practices i would suggest for most anyone, especially the casual computer user who is at the greatest risk due to their lack of technical knowledge:

  • Realize what the vectors for attack are, which is basically anything you connect to your machine including flash drives, discs, modems, routers, printers, USB devices, T.V.'s and even peripherals like mice and keyboards, as well as anything that is delivered through your network connection.
  • Realize that malicious software isn't likely to be considered malicious by your anti-virus product until after it is known to exist and a signature has been developed and pushed out by the vendor, leaving you completely vulnerable in the interim. Also realize that the existence of some exploits and malware may never be known.
  • Realize that no anti-malware product on the planet is bullet-proof -- Not. Even. Close. -- and many are just plain garbage or are effectively malware themselves which vacuum up personal data and send it off to who knows where, or worse. Do some research before choosing a product.
  • By learning just a handful of good security practices, the burden of protection will naturally shift more toward the smarter you and away from your dumber anti-virus software.
  • Do not install crap-ware or software from nefarious sources and, by all means, forget about "warez" and "cracks" as failing to do so will cause doom at some point.
  • That game or joke document that's being passed around all over Facebook or by email or wherever? Let it pass.
  • Get in the habit of never opening email attachments. None. Ever. Period. The only exception is if you are expecting something important from someone you trust and even then you should not trust any attachment blindly, especially if it's an executable. Even hyperlinks can be dangerous. Your coworker or close friend could be using a little social engineering to infect you, or they could be infected themselves and not know it, or it might not be your coworker or friend at all, but rather someone impersonating them. If someone sends you something you really want to see, ask them to send a link to the webpage if possible and make sure you know where that link is pointing before clicking it (and ask them to quit sending attachments unnecessarily).
  • For many of us, our internet browser is our primary window to the digital world. It is also a most attractive vector for attack, not only because of security holes and poorly coded extensions, but because of what websites people visit. Tighten down the security of your web browser and remove any unnecessary plugins, including Flash, Java, the Adobe PDF viewer, etc. Most modern browsers can handle video and PDF content without plugins anyway and Java is rarely used by websites anymore.
  • Browse smart and stay away from porn sites or any other questionable sites, even if they are hugely popular. Keep in mind that you need not click or do anything on a malicious website to become infected other than simply visit it (see drive-by malware). I would also suggest dumping Microsoft Internet Explorer and replacing it with something more secure and transparent, which is basically anything other than IE.
  • As with your browser, your email client is also a huge vector for attack, so learn how to harden it by disabling JavaScript and HTML mail. As with your browser, i would suggest dumping any Microsoft email clients and replacing them with something more secure and transparent, such as Thunderbird.
  • Scan everything you download from any source with a decent anti-virus product. You don't have to run a bloated "security suite" in the background that analyzes your every click and key press and file you open as long as you work and play smart, but at least have an on-demand scanner available to manually scan all incoming downloads and email attachments.
  • If you're not sure about the integrity of a piece of software or the reputation of a website, scan it using something like the VirusTotal service, which uses a whole bunch of anti-malware products to scan a single file or website URL. There are several add-ons for Firefox that make accessing VirusTotal very easy. Certainly do not rely on the over-pimped "Web of Trust" service or any other service where the data comes primarily from everyday users who lack knowledge regarding malware and rate sites based primarily upon their bias.
  • If you use only popular, mainstream software products for protection, such as Windows Defender or the Comodo Internet Security suite, etc., realize that chances may be significantly higher that malware is in play which is purposely designed to completely bypass the protection these popular products offer. The larger the following, the bigger the target.
  • Do not log on to your operating system as an administrator.
  • Keep regular backups of your data, preferably off site and encrypted, but at least on an external drive. If you have become infected, do not rely on the Windows System Restore utility since the malware may have infected those backups as well.
  • If you discover a virus, and especially if it's a Trojan, assume all your data has been compromised including any passwords, banking information, credit card numbers, documents, etc. You should immediately unplug your computer from your modem and take action to remove the virus, change all of your passwords and notify your bank.

Again, i do not advocate running around the web with your skirts flying high and no underwear on. The trick is to find a good anti-malware product and, while there are hordes of products to choose from, there are not that many that are actually worth considering. In the past i have had extended communications with a couple of people who are apparently heavy hitters in the anti-malware industry and Bitdefender seems to be one of the better general purpose products. So is Malwarebytes Anti-Malware. I will emphasize again however that there is no single product, nor combination of products, that will protect you from all threats.

Personally i don't run a resident virus scanner at all any more, but i do use the Emsisoft Commandline Scanner which is an on-demand scanner (you have to run it manually) to scan everything i download. It is a general purpose anti-malware tool that is probably about as good as they come and it's free for personal use. Also known by its executable, a2cmd, the Emsisoft scanner is a hybrid of both the Emsisoft and Bitdefender products.

While i have been infected a couple of times back in the day, to my knowledge i haven't been infected with any malicious software in the last 15 years or so since i started learning more about computer security. I am very careful about what i download and install, what websites i visit and where i allow JavaScript or browser plugins to run and what email attachments i choose to open. I have taken measures to harden my browser and email client and i use a non-Microsoft firewall and anti-virus products. I never plug anything into my everyday machine that i don't own, especially flash memory. Still, i feel very threatened by the potential that something will slip by my defenses, but my paranoia plays a key role in keeping me infection free... at least to the best of my knowledge.

Good luck.

You'll need it.

Encrypting DNS Traffic (and why you want to)

Prevent your ISP and others from collecting information about what websites you visit by encrypting your DNS traffic.

UPDATE (25-Jan-2020): This article is largely obsolete but i'm keeping the page alive because i intend to rewrite it at some point. One of the items i want to add is how to set up DNS over TLS on your network router so that all devices that connect to your network can benefit from private and encrypted DNS resolving.

UPDATE (26-Jan-2018): If you use a Virtual Private Network (VPN) you do not necessarily need to worry about encrypting your DNS traffic as long as a), your VPN offers a DNS service and b), you trust them. The other primary advantage of using a VPN is that, like Tor, all of your internet traffic between you and the VPN exit node is encrypted, meaning neither your ISP nor anyone else should be capable of monitoring it. Yes, a VPN is yet another expense and as much as i dislike paying more to access the web on top of what my ISP charges, it doesn't cost much and i can't see myself ever going back to not using one.

The problem...

DNS -- Domain Name System -- is the service responsible for converting a domain name, such as '12bytes.org', to an IP address that is understood by computers routing internet traffic. The DNS server(s) that you are currently accessing to convert domains to IP addresses are configured in the properties of your network adapter, each adapter having its own DNS configuration, or perhaps in your router or modem.

DNS is a weak link in the internet chain because this traffic is most often unencrypted and open to man-in-the-middle (MITM) attacks, even when visiting an encrypted (https) website. An attacker can easily set up their own DNS server and, using a little social engineering and/or malware, convince you to change your current DNS server, or change it without your knowledge, to the one controlled by the attacker. One possible result is that you could visit 'your-bank.com' but actually land on a forged website that may look exactly like the authentic one and thus there would be no cause for alarm while you log on with your user name and password, which would then be in the hands of the attacker. I am quite sure the tactic of DNS spoofing is used by law enforcement as well.

Lastly, i wrote this tutorial while using Windows and have since switched to Linux. A tutorial for the Debian flavors of Linux can be found here.

The solution...

Securing your DNS traffic is easy using DNSCrypt (don't download the client from the OpenDNS page). If you're not afraid of the command-line and wish to keep the process as efficient as possible, i would suggest reading the article How to Encrypt Your DNS for More Secure Browsing by How-To Geek. If you prefer a point-and-click approach however, along with a nice GUI for controlling DNSCrypt and selecting your DNS server, here's how to install and configure Simple DNSCrypt:

If you have another version of DNSCrypt installed, uninstall it first. If there is no uninstaller, then run the following command:

dnscrypt-proxy --uninstall

Next, download Simple DNSCrypt from the author's site and install the .msi package. The GUI to configure the DNSCrypt client should start automatically after the installation is complete. Configuring the DNSCrypt client is easy:

  1. Enable DNSCrypt for your network adapter.
  2. Select a DNS service.
  3. Enable the Primary DNSCrypt Service. If the service does not start, try disabling DNSCrypt for your adapter and then enabling the service. Note that the Secondary Resolver settings are disabled because this feature is not completely implemented at the time of this writing.
  4. In the 'Advanced Settings' you can download a fresh copy of the DNS resolvers list and by clicking the 'Plugins' button you can disable IPV6.
  5. Open port 443 in your firewall to allow outgoing UDP traffic for dnscrypt-proxy.exe if you need to.
  6. If you installed the 'dnscrypt-proxy' service, you can exit the Simple DNSCrypt GUI, otherwise it will need to be left running.

[Screenshot: Simple DNSCrypt configuration for Windows]

Verify DNSCrypt is working...

[Screenshot: Windows 7 network connection settings]

To verify that everything is working, check the properties for your network adapter and make sure the primary DNS server is set to 127.0.0.1 and that the secondary server is empty as seen in the screen-shot. If it is not, make it so. Next, try visiting a website to make sure everything is working.

If necessary, reboot your machine or flush the Windows DNS cache by opening a command prompt and entering: ipconfig /flushdns , then load a web page to ensure DNSCrypt is working.
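
The adapter check described above can also be run over the text that `ipconfig /all` prints, which covers every adapter at once. The following Python example is added here and is not part of Simple DNSCrypt or the original tutorial; it assumes English-language `ipconfig` output, and the sample text and addresses in it are constructed.

```python
import re

# Assumes English-language `ipconfig /all` output as printed by Windows.
ADAPTER_RE = re.compile(r"^(\S.* adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONTINUATION_RE = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")  # extra servers: address only


def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it, in order."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            current, in_dns = heading.group(1), False
            adapters[current] = []
            continue
        if current is None:
            continue
        first = DNS_RE.match(line)
        extra = CONTINUATION_RE.match(line) if in_dns else None
        if first or extra:
            adapters[current].append((first or extra).group(1))
            in_dns = True
        else:
            in_dns = False  # any other line ends the DNS server list
    return adapters


def adapters_bypassing_proxy(text, proxy="127.0.0.1"):
    """Adapters whose DNS list is anything other than exactly [proxy]."""
    return {name: servers for name, servers in dns_servers_by_adapter(text).items()
            if servers and servers != [proxy]}


# Constructed sample: the wireless adapter still has a secondary DNS server set.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.0.2.11(Preferred)
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.example:

   Media State . . . . . . . . . . . : Media disconnected
"""

if __name__ == "__main__":
    for name, servers in adapters_bypassing_proxy(SAMPLE).items():
        print(f"{name}: {', '.join(servers)}")
```

Any adapter it reports can still send plain DNS queries to the extra server, so clear that adapter's secondary DNS entry as described above.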

If you're wondering about the default Windows 'DNS Client' service, leave it running. You can also leave in place any firewall rules for DNS look-ups on port 53 to enable easy switching of the DNS servers in your network adapter for troubleshooting purposes.

At this point i'm not entirely sure what happens with DNS caching, but it appears that a query is sent with every request, which is not optimal. I hope to write more about this after i figure out exactly what is happening in this regard.
