The Firefox Privacy Guide for Dummies!

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." -- Edward Snowden

See the revision history at the end ... if you make it that far :)

Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN - Which is right for you?. If you choose to use the Tor Browser you need not follow this guide, though you still might find some helpful info here.

Introduction

The following video will provide an overview of one aspect of what it is we're up against which is one of the reasons why i wrote the Firefox configuration guides. I encourage you to watch it, especially if you're one of the many who aren't worried about surveillance because you "have nothing to hide".

Video: Prof Shoshana Zuboff on surveillance capitalism

You're aware that unethical companies such as Facebook, Instagram, Google, YouTube, advertisers, your ISP and governments are spying on your activities and selling the data they harvest or using it to profile you, even if you may not be aware of how they're doing it. You're concerned about this invasion of your privacy, but you're wondering 'yeah, but what can a tech-challenged dummy like me actually DO about it wise guy???'.

Welcome to the 'dummies' version of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs!!!

The goal here is to provide a simple guide, to the extent that's possible, which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little more effort into your surfing activities, at least until the dust settles. The pay-off will be a much faster, cleaner, less annoying web that is less able to track and profile you. Note that i said "less", not "not".

As you sift through this, don't make the mistake of thinking i'm a Firefox fanboy. I assure you i'm not, however, at this time, i see Firefox as being the only capable web browser that can be beaten into submission regarding user privacy.

WARNING: This guide is not intended for use with the Tor browser which is an already hardened version of Firefox. Configuring the Tor browser as outlined here would likely result in DOOM!

Catching the Fox

With a single exception i mention below, you want the standard release version of Mozilla Firefox, even if you think you don't. No Pale Moon, no Waterfox, no whatever, so if you don't have it, get it. If you run a GNU/Linux-based operating system (we're already in love, you and i), look in your package manager. Since it's privacy we're interested in, we're way too smart to be screwing around with Google Chrome (un-Googled or otherwise), Microsoft Edge, etc., though if you have an inferior alternative browser you could retain it as a backup.

There is in fact one other browser you might want to consider and it is... Firefox! Except it's actually a fork of Firefox called LibreWolf. LibreWolf already has many of the privacy features discussed here baked right in and thus using it will reduce the trauma you'll be subjected to in this guide. If you decide to use it, you will want to avoid adding the 'arkenfox' user.js (discussed later) since LibreWolf already borrows from the 'arkenfox' project. Just be aware that you will need to manually update LibreWolf since it has no auto-update mechanism (if you're running a Linux distro then update notifications may come by way of your package manager).

Profiling the Fox

Start Firefox and enter about:profiles in the address bar. You can call it the "location bar" or the "awesome bar" or the "mega bar" or whatever else Mozilla is calling it these days, but i call it the address bar. Press your 'Enter' key to load that address and you'll see where Firefox keeps your profiles which is where most of your settings, bookmarks, browsing history and other junk gets dumped.

You can have as many profiles as you want, but by default there will be just one named '[blah-blah].default'. Well, we need another, so click the 'Create a New Profile' button and name the new one 'privacy'. You can change the name later, but leave it be for now else you'll make me mad and lose 10 internet points.

After creating your new privacy profile, set it as the default one.

You'll notice that your profiles have a bunch of gobbledygook preceding the names you gave them. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper.

In Firefox's about:profiles page, note that your profiles and web cache are stored in separate folders, thus why you may see more than one directory path for each profile. The 'Root Directory' is where your profiles are stored and the 'Local Directory' is where the cache for that profile is stored, at least that's how it works on Linux.

Arkenfoxing

The 'arkenfox' user.js is a supplemental configuration file for Firefox that changes hundreds of settings in the interest of privacy. If you're not going to use the 'arkenfox' user.js for some odd reason (perhaps you're suffering from a traumatic head injury) OR you decide to use LibreWolf, then you can skip this section. If you are going to use the 'arkenfox' user.js, you need to go through their wiki.

To 'arkenfox' Firefox, go to the arkenfox/user.js GitHub repository where we'll grab their prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: One by one, click on the file names, then click the 'Raw' label, then press Ctrl+S and save the files in your Firefox 'privacy' profile folder where the prefs.js file is (if you're running Windows you've just lost 100 internet points, plus you'll need to un-hide file extensions and i might suggest keeping them un-hidden). Failing to heed my advice can cause the file to get messed up which will surely result in a visit from Greta. If you want to avoid those steps, here's the direct links to the files: updater.sh (Linux), updater.bat (Windows), prefsCleaner.sh (Linux), prefsCleaner.bat (Windows). Just right-click them and then 'Save as...'. Now if you're one of those wiz kids, you may have deduced that we're going to need that user.js file too but we'll grab that baby another way.

I keep an overrides file for the 'arkenfox' user.js which relaxes some of the 'arkenfox' settings in order to reduce website breakage, plus i use it to add MY own settings (any custom settings you want to add or change should go in an overrides file - never in prefs.js nor user.js). These are MY settings. They are not your settings. In other words, i don't edit them for public consumption which means that, if you choose to use MY settings, you must go through all of them and adjust as necessary.

If you want to use my overrides, go to the 12bytes.org/Firefox-user.js-supplement page at Codeberg.org, click the user-overrides.js file, then click the 'Raw' label and press Ctrl+S to save the file in the same place as the others (here's the direct link).

You'll need a decent code editor for this next step (not Notepad!), preferably one with syntax highlighting. If you're running Wintendo (that's one of my many derogatory names for Winblows), PSPad is nice, simple and free. If you're running Linux (which sucks more than i'm letting on but not nearly as much as Windoze) you've surely got something installed already.

What you need to do now is open that user-overrides.js file in your code editor and follow the directions Very Carefully. Every single little itsy-bitsy thing you could ever possibly want to know about everything in that file, is in that file... except whatever i forgot to put in there.

With Firefox closed we need to run that 'arkenfox' updater script which will download the latest 'arkenfox' user.js and append any user-overrides.js file you might have. How to do that depends on whether...

The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've dutifully followed all the directions you didn't read, the script will download a fresh copy of the 'arkenfox' user.js file to your Firefox 'privacy' profile directory and append the contents of your user-overrides.js to it, if you're using one, just like it says on the tin.

The 'arkenfox' user.js is updated frequently so you'll need to check for updates regularly, like maybe once a week or so. One simple way to do that is by running the 'arkenfox' updater script, or if you're using a Linux-based OS you can use my user.js-notify.sh script to be automatically notified via a desktop notification (works on KDE, others untested). You can add the script to your startup programs so it runs each time you log-on to your desktop. Instructions for implementing the script are contained in the script.

You should also check my Codeberg repo for a new version of my user-overrides.js if you're using it. The user.js-notify.sh script will check for an update if you're using that.

Each time you run the 'arkenfox' updater script, with Firefox closed, be sure to follow it up by running the prefsCleaner script using the same method you used to run the updater script. The prefsCleaner script will nuke any depreciated/removed/inactive preferences and it's important that you do this.

Fattening the Fox

Next we're going to the Firefox Add-ons website (AMO) to install uBlock Origin (uBO) by Raymond Hill. We want uBlock Origin specifically and not any derivatives, copies, forks, fakes or impostors.

Regarding add-ons, more = more bad, generally speaking. It's pretty important, and especially so if you're new to the game, to NOT install add-ons willy-nilly. The more you install, the more likely things will break and that your privacy and security will be compromised. There are a LOT of add-ons on AMO that are flat-out malware and/or spyware, particularly some of the most popular ones and those dealing with shopping, coupons, VPNs, password managers and crypto currencies. Read the 'Beware' section here.

Firefox has fairly comprehensive built-in mechanisms to thwart browser fingerprinting and tracking and safeguard your privacy and many of these settings are activated by the 'arkenfox' user.js. While they alone are not quite enough for us privacy geeks, which is why you fell into this pit of despair, they do cover a lot of important ground. If you install additional "privacy" related add-ons that you *think* will enhance privacy, you could very easily wind up doing the opposite.

Back to uBlock...

I know, this is supposed to be the 'for dummies' guide and all, but you really must learn how to use uBlock Origin (uBO). The good news is that it too has a 'dummy' mode and it's enabled by default! To begin, configure uBO according to my uBlock Origin Suggested Settings guide using the 'dummy guide' settings.

DO NOT select the 'I am an advanced user' option in uBO! Don't look at it. Don't think about it. Don't think about looking at it ... at least not until you read all that 'required reading' stuff and understand fully what uBO is, does, how to use it, and how easy it is to break the entire interwebs if you screw up.

Now it's really important that you read this and this and this, but only up to the 'Medium mode' part for the last one. Once you complete that you'll be a Semi-Certified uBlock Origin Web Filter Engineer Apprentice!

Now for some really important stuff...

Remember last week when you started reading this and i said we'd be "breaking as few websites as possible"? Kek! Since we disabled JavaScript globally with the uBO settings i suggested, every other website you visit is gonna be busted, and for good reason too!

There's a few things you need to know about JavaScript: 1), it's awesome-ish, 2) it's a privacy and security nightmare, 3) almost every website on Planet Earth uses it unnecessarily (even this one).

JavaScript (JS) can be used to do all sorts of cool and creepy things like make web pages interactive, make dull things look un-dull, animate stuff, etc.. It's used a lot by morons (the modern web developer) for making navigation menus work and displaying images and interactive content, as well as for annoying the crap out of you with ads, pop-ups and other such garbage. It's almost always necessary to enable JS when shopping. Of primary importance here is the fact that JS is leveraged heavily for distributing malware, tracking your journey across the web-o-sphere, profiling you, learning about your bathroom habits and much, much more (and believe me when i tell you that i'm exaggerating far less than you might think with the "bathroom habits" thing). The 'arkenfox' user.js and uBO provide powerful countermeasures to address such threats, but they can't fix stupid, so don't be stupid.

Here's an excerpt from PrivacyTests.org if you care to read it...

If you want to beat yourself up even more, read Stop pushing JavaScript! by a guy who knows what he's talkin' 'bout and/or watch this video:

Disable JavaScript Tutorial Online Security | The Hated One

Now do you see why we disabled JS globally for the entire interwebs??? Thing is, it's very easy to enable again For Those Specific Websites Where You Really Need It To Be Enabled. "Need", i said. Not "like" or "want", but "need".

Start Firefox and load up your privacy profile, then middle-click this link to open it in a new tab and click some of the colors on the color swatch and...... well that was boring, but WAIT! THERE'S MORE! Now click the uBlock Origin button on your toolbar and in the lower right corner there's an icon that looks like a </>, except it has a red 'X' through it. That icon is secret code for [CENSORED]. Click it to remove the 'X' and you will have enabled JavaScript for that particular domain (w3schools.com) after which you'll see a new button appear on the uBO dashboard right outta thin air that has circlely arrows on it. Clicking that (or pressing F5) will refresh the page at www.w3schools.com and this time your browser will allow JS to run for the entire w3schools.com domain. That color swatch page will now look very different and this time when you click the colors, awesome things will appear that will surely dazzle you for hours on end like that damned triangle puzzle-peg thingy in every Cracker Barrel.

The point of that nail-biting experience was to demonstrate the power of JavaScript by showing you how different it can make a website look and function, as well as how necessary it is in some, but not all cases. For example, if you're reading this intensely interesting novel with your Firefox privacy profile loaded and JS disabled for 12bytes.org, it wouldn't make much difference because thus place looks and works pretty much the same, thus you should never enable it where it isn't needed.

Now you're going to take the JavaScript Oath. DON'T LAUGH! This is important shit!

OK, now repeat after me...

EYE SHALL NOT ENABLE JAVASCRIPT FOR ANY WEBSITE UNLESS A) THE WEB DEVELOPER IS AN ETHICAL BLOOD RELATIVE WHOM I TRUST WITH MY SISTERS VIRGINITY AND B) IT MUST BE ENABLED IN ORDER TO PROVIDE REQUIRED FUNCTIONALITY THAT WOULD OTHERWISE NOT BE AVAILABLE (AND NO, LOOKING AT BOOBS DON'T COUNT).

Importing stuff from an old profile

If you're not a first-time Firefox user and you have important bookmarks or other junk you want to import to your new privacy profile, make a backup copy of your profile and then go ahead and read this.

What to do when the Fox bites

It's inevitable that you're going to have trouble with some websites. Keep calm. Breeeeath! You've already gotten a taste of how a website can be rendered useless with JavaScript disabled and although i let you enable it for the site given in our earlier example, i only did so because it's a trustworthy place. The next website you visit may not be. You're here aren't you?

To make a broken website un-broken you'll need to use uBlock Origin to enable the functionality you need for those websites you trust. If you cannot get a website to cooperate by making site specific changes with uBlock, you can always spin-up a fresh, empty profile to load the site and delete it afterwards, but understand that you will be at the mercy of a completely default Firefox configuration. You could also create dedicated profiles, such as for shopping or banking for instance. For websites you don't trust, why are you visiting them? Porn? Warez? Facebook? Instagram? Google? If you value your privacy and digital integrity in the least, forget that stuff! Seriously (if you're wanting to find alternative search engines, read this) 

Another 'gotchya' that will likely creep up at some point is a website not saving settings that you wanted to save, such as your log-on credentials or search engine settings. To save such data you'll need to edit the permissions for the domain as was explained earlier. I would not suggest permanently allowing cookies for any mainstream, privacy-hating Big Tech website such as Google, Yahoo, Bing, Facebook, Instagram, Twitter, eBay, etc..

The Fox hole

Even with everything we've accomplished you're still vulnerable to being tracked and profiled, however you're in a much better position then when we started out... except for one little problem: your Internet Service Provider!

At the very least your ISP can see what websites you visit, how long and how often you're visiting, and when you're on-line and when you're not. They may even inject ads, malware or other garbage in your data stream. The solution: Hijack your neighbors unprotected WiFi and... Kidding! Listen, you and i have gotten to know each other throughout this long and difficult ordeal. We're kinda like buddies now. Kinda. And i can already tell you're ethics are of a higher caliber than mine that!

One solution to this problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?

A VPN works by routing all of your internet traffic through an encrypted tunnel between you and another computer run by the VPN service provider which we'll call an 'exit node'. That exit node could be anywhere in the world. From the exit node your traffic flows as normal to whatever website you want to visit and the website then sends the kitty video you clicked on back to the exit node thinking IT is YOU, but alas, IT ISN'T YOU! The kitty video then secretly makes its way back to you through this secret tunnel which was secretly established between you and the exit node. So far as the website is concerned, it doesn't know where the hell you are and so far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to an ameba (actually that may be a lie but we're not going to dig that deep, k?). Ever annoyed by that galactically stupid "Sorry, this video is not available in your country" crap? Pfff. Any remotely decent VPN provider will maintain many exit nodes throughout the world and switching between them is usually as simple as a mouse click or two.

Now, listen up...

There are truck loads of VPN service providers and the vast majority of them are unethical jackasses. In particular i would strongly advise avoiding any VPN add-on on the Mozilla add-ons website or which advertises its service as being "free".

Currently i use AzireVPN which you can read about here and here and here, however Mullvad is more mature and may be the better choice for those who are less technically inclined. Azire physically owns and secures all of its servers while Mullvad owns and secures a small portion of theirs. Both accept cryptocurrency as payment and do not require any personal information, but they still have your IP address of course.

WHAT THE FOX!

So now you're all smitten thinking you're invincible and ready to hack NASA to see if aliens really built secret underground bases on the back side of the moon (they did, sorta, i think). You're not, but you've taken one, small step for man, and.....

Truth is, there are far more vectors for attack than you and i (and many of the so-called "experts") will ever know about, so don't get all uppity. Perfect privacy on the web, as in real life, is a pipe dream and it wasn't the goal here anyway. We've covered several important bases that will help prevent nasty corporations like your ISP from spying on you, but not all of them. Remember that when you're creating fake profiles on Facebook to stalk your ex.

After you've taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode. After that, read Hardware and firmware threats and potential solutions.

Be safe. Be ethical. And if you need help (after you've tried to help yourself), let me know, or check the FAQ: Firefox Hardening page.

IMPORTANT: If you incorporate suggestions made in this guide, please check back often for changes or, better yet, you can subscribe to the following news feeds (if you need a news feed reader, see Firefox Extensions - My Picks):

• 12bytes.org main RSS feed
• the feed for the code repository for my 'firefox-user.js-suppliment' (if you're using it) is right here

The last word (i promise!)

One of the stumbling blocks i think many people face when they become aware and concerned regarding on-line privacy is the sudden fear of being spied on and the impulse to address all of the technical hurdles at once and this can lead to frustration and reverting back to their old ways. Digital privacy is not easy, but it's a lot easier to achieve if you progress incrementally rather than attempt to do it all at once and Naomi Brockwell's videos are a fantastic resource in that regard. If you have a hard time swallowing this guide and getting used to a hardened Firefox, don't sweat it and don't give up. Make another default Firefox profile and use it whenever you feel like punching someone (me). Little by little you can make changes to it in order to improve privacy while observing the effects of those changes.

Further resources

• Everything Firefox
• FAQ: Firefox Hardening
• Hardware and firmware threats and potential solutions
• Alternative Search Engines That Respect Your Privacy
• Awesome Privacy - A curated list of privacy & security-focused software and services
• Personal Security Checklist - A curated checklist of tips to protect your digital security and privacy
• Naomi Brockwell

Revisions