FIREFOX PRIVACY GUIDE
29 May 2019 - 21 minute read
I've tried plenty of things to help improve privacy on the internet. I've done the whole spectrum from minimum-effort and no privacy to privacy-nut lock down mode. In this post I'm going to go over various things I've used and different setups I've had, then walk through explaining what I have now and how to recreate the setup.
My first privacy-oriented setup was pretty simple and worked fairly well for the most part, but had some notable issues. I changed Firefox's settings graphically to what made sense such as enabling full tracking protection and disabling the telemetry, and I used uBlock Origin on all defaults with NoScript. Couple that with Smart HTTPS and you're basically sorted. Have everything blocked by default, then allow stuff with NoScript until the website does enough for me to use it. All fairly simple, but it had issues in that it wasn't an exceptionally private setup. I also used Privacy Badger and the DuckDuckGo extension on and off for a bit, but they tended to break each other.
I still have this setup on my work machine, but mostly because I've never got around to changing anything about it and it's a work machine anyway so I don't do anything personal on it.
Setup 2 is probably the polar opposite. I found 12bytes' Firefox guide and followed through all of it. I got set up with uMatrix, CSS Exfil Protection, Decentraleyes, Privacy-oriented Origin Policy, Temporary Containers, and Multi-account Containers. The guide goes through plenty of good config for all of these. A more recent version also added extensions like Site Bleacher. Lastly, this setup made use of the GHacks user.js file.
This setup was... extreme to say the least. I managed to get Mastodon and Protonmail working, but Riot crashed immediately after logging in so I used the Electron version of it. Loads of sites would just be completely broken, and I found myself spending more time refreshing pages than using them. Also at some point there was an update to the user.js file which meant the size of the webpage would snap to a limited set of sizes so I'd end up with this huge hideous white border around every webpage and I couldn't for the life of me find which setting was causing it so I couldn't turn it off. The user.js probably does a tremendous amount for privacy, but I really struggled to use it without properly understanding what each option actually affected. It's a very well-documented file, but I think it could use more comments to actually explain what effects would be seen, like for instance having a comment that said "This will restrict webpage sizes so they snap to multiples of xyz pixels" so I can see it and add overrides in the user-overrides.js.
My approach to the GHacks user.js will probably be not to use it for now, but come back to it occasionally to see if I can tweak it just enough to get it usable, at which point I'll obviously start using it everywhere immediately.
This is what I'd probably call a "realist" setup. You get a reasonable level of privacy and it's not terrifying to work with. Sites for the most part work fine after a little tweaking. This is the setup I use at the moment, so I'll walk through what I've done and explain how to recreate it.
First place to start is with extensions. I have 12 installed and I'll walk through each including all the settings I have for them:
- ClearURLs is designed to remove nonsense from URLs that can be used for tracking. It's very simple and I've done no config with it. Just install it and maybe hide the button for it as you'll probably never need to click it. It's nice to keep the UI tidy so there's more space for the stuff that actually matters.
- CSS Exfil Protection protects you against "CSS data exfiltration attacks". Very simple little extension with no options to configure. As before, add, hide button, move on.
- Firefox Multi-Account Containers is one of Mozilla's own extensions and it adds the ability to create special containers for tabs to sit in. The idea is that each container is completely separated from the next, so some sketchy website in one container can't see any cookies from or exploit the state of any other tab in a different container. You might have heard of the very simple tracking attack in which a site can make requests to specific image URLs and use the response code to determine whether you're logged into Facebook or Twitter or whatnot. Having a malicious site in a container and social media in a different one makes you safe from this kind of attack as the request for the image in the isolated container can't reach it even if you're logged in in another container. This extension doesn't have any options, but what you want to do is clear the stock containers it makes and create an individual container for each website you log into that you want to stay logged into. For instance, I have one for Riot, one for Mastodon, one for Protonmail (though it's not entirely necessary), and one for DuckDuckGo (to keep the theme the same).
- HTTPZ is much the same as Smart HTTPS and other similar HTTPS-enforcing extensions, but it's very lightweight and unobtrusive and also claims to get along well with Temporary Containers which is a good thing. In the options for it, we want Automatic mode on, "Remember secure sites" on, and to check again if a site supports HTTPS after Firefox is restarted to make sure when a site fixes itself and uses HTTPS that we get on it as soon as possible.
- Invidition is less a privacy boost and more a convenience boost. If - like me - you use Invidious, then this extension will intercept any requests to YouTube before they're even sent and redirect them to Invidious. This means you can very safely click on a YouTube link without worrying about Google because you'll get sent straight to Invidious. I didn't change any options for this extension.
- Privacy-Oriented Origin Policy removes origin headers from requests when they're unlikely to be necessary. This dramatically aids in protecting your privacy - especially when using a VPN as you absolutely should be (covered later too). We want "Global mode" on "aggressive", nothing in "Overrides", "Type filters" won't have any effect in aggressive mode, and under "Exclusions" we want "Exclude root domain matches" to be enabled.
- Skip Redirect does what it says on the tin and will attempt to find the source URL from redirects and go there directly rather than stopping at however many intermediate pages. Most intermediate pages are used for tracking, so avoiding them here helps plenty. Under "Mode", we want it set to "Skip all redirects except for URLs matching any of the lines on the blacklist" but have "Skip redirects for URLs with the same public domain" disabled. The blacklist should have a number of things there by default such as "/account", "/auth", and such. Leave these as they are. I'd also optionally disable the notification pop-up as it can get a little annoying at times - especially if you have your notifications make noise.
- Stylus is a wonderful extension. It won't improve your privacy, but it's absolutely wonderful for making the websites you use a lot look nicer. This extension is completely optional, but I like using it, especially for little fixes. For instance, I have a style on Mastodon for making the columns in the UI expand so they evenly fill the width of the screen so they're a little wider. I also have a number of fixes for Riot such as removing a few buttons, changing the mention colour to the green so they don't look like horrible errors, swapping around a few username colours so I'm the nice blue rather than green, and reducing the size of images as they are unusably huge.
- Temporary Containers is arguably the most powerful privacy-boosting extension you'll get here. It uses exactly the same system as the Multi-account containers, but automatically spawns new containers for each website you visit so they're all completely isolated. There are quite a few options though - we'll start in the "General" tab. Enable automatic mode - this is what makes everything work nice and smoothly. Don't have notifications when containers are deleted or that's all you'll see in your notifications. Leave the container name prefix as "tmp", or you can change it if you want, but eh. Random colours are nice to help see them working, but leave the icon on the circle so it stays tidy as these containers are going to be showing up in the list under Multi-account containers. Everything else on this tab stays default - onto the "Isolation" tab. Ignore the "Per Domain" settings and go straight to "Global". There are 4 options with drop downs. We want all of them to be set to the option that has "Subdomains won't get isolated" in parentheses at the end. Next, under "Multi-Account Containers" we want that option disabled otherwise everything we do with permanent containers gets broken. On the "Advanced" tab, disable ignoring requests for "getpocket.com" as Pocket is stupid anyway - let it break.
- uBlock Origin is an ad-blocker, but comes with a few extra powers. We'll be using it mainly just as a static content blocker, where uMatrix will be more dynamic and interactive. Under the "Settings" tab, we want to enable "Hide placeholders of blocked elements" to keep our pages tidy, enable "Show the number of blocked requests on the icon", enable "Make use of context menu where appropriate", disable "Disable tooltips", disable "Color-blind friendly" (unless you're colour-blind obviously), disable "Enable cloud storage support", and enable "I am an advanced user" briefly. Click the little gears icon next to that last option and look for the option named "suspendTabsUntilReady". Make that say "true". This completely blocks anything from loading at all until uBlock is ready to filter things. This prevents unwanted trackers and content being loaded before uBlock is ready to filter it out. Continuing now, enable all options under "Privacy" and under default behaviour we want to enable "Disable cosmetic filtering". Next we want to go to the "Filter lists" tab. Enable "Auto-update filter lists", disable "Parse and enforce cosmetic filters", and enable "Ignore generic cosmetic filters". For the filters themselves we want the following: "My filters", all "Built-in" lists excluding the experimental one, "Adblock Warning Removal List", "EasyList", all "Privacy" lists, all "Malware domains" lists, "AdGuard Annoyances", "Fanboy's Annoyance List", "Dan Pollock's hosts file", "Pete Lowe's Ad and tracking server list", and finally we want to import a custom list, using the URL https://raw.githubusercontent.com/hostsadiq/adblock-nocoin-list/master/nocoin.txt. Remember to apply changes. We're using Decentraleyes, so under the "My Rules" tab, we want to add the following:
* ajax.googleapis.com * noop
* ajax.aspnetcdn.com * noop
* ajax.microsoft.com * noop
* cdnjs.cloudflare.com * noop
* code.jquery.com * noop
* cdn.jsdelivr.net * noop
* yastatic.net * noop
* yandex.st * noop
* apps.bdimg.com * noop
* libs.baidu.com * noop
* lib.sinaapp.com * noop
* upcdn.b0.upaiyun.com * noop
* cdn.bootcss.com * noop
* sdn.geekzu.org * noop
* ajax.proxy.ustclug.org * noop
- uMatrix is a dynamic filtering extension that allows you to see what's being requested from where and selectively block and allow only what you're ok with. Starting simple, open the extension and switch to global mode (asterisk). We want to block "all" so everything is denied by default, but we want to enable all CSS and images. Next, we want to allow cookies and frames for 1st party only. Lastly, open the 3 dots menu and enable "Forbid web workers", "Spoof Referer header", and "Spoof <noscript> tags". Next, we can go into preferences. Under the "Settings" tab under "Convenience", we want to enable "Show the number of blocked resources on the icon", disable "Hide placeholder of blocked elements" but enable "Hide placeholder of blacklisted elements", enable "Spoof <noscript> tags when 1st party scripts are blocked", and disable the last 2 options. Ignore the "Matrix" options, then enable everything under "Privacy" except "Strict HTTPS: forbid mixed content" as it'll otherwise break a lot of things. Under the "My rules" tab, make sure there's the option "no-workers: * true" added and committed. Lastly we want to go to the "Assets" tab. Enable "Auto-update assets", but we want to disable all the hosts files as uBlock Origin is handling this all for us already. Under "Ruleset recipes", enable "Ruleset recipes for English websites". If you're using Invidition, then import a rule set recipe by putting in this URL: https://gitlab.com/Booteille/invidition/raw/master/umatrix/recipe.txt. Next, add the same rules from above to the "My Rules" tab in uMatrix as we did before in uBlock Origin.
Phew, that's a lot to take in. Unfortunately though, that's only half the story. We still need to configure all the options for Firefox itself. Fortunately, we can do this all from about:config. Start by scrolling through the whole thing (it's not as long as you expect it to be) and if you see any option with a value set to a Google URL or similar that isn't called "block the shit out of this", then clear the value. Now is the tedious part. I've gone through my whole about:config and looked at all the options that weren't default, picked out all the ones that mattered, and have listed them here. Go through your about:config and change these as necessary:
browser.ping-centre.* all false and empty
browser.safebrowsing.provider.google.* all false and empty
browser.safebrowsing.provider.google4.* all false and empty
toolkit.telemetry.* all false and empty
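The four wildcard entries above can also be applied through a user.js file in the profile directory instead of clicking through about:config. The following is an added example, not part of the original post: it reads pref lines in prefs.js syntax and emits the "false and empty" overrides. The `harden` helper is hypothetical, and the sample pref names and values are constructed for illustration.

```python
import re

# Prefix groups from the list above; each gets "all false and empty".
PREFIXES = (
    "browser.ping-centre.",
    "browser.safebrowsing.provider.google.",
    "browser.safebrowsing.provider.google4.",
    "toolkit.telemetry.",
)

# Matches one line of Firefox pref syntax: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\s*\);\s*$')

# Constructed sample in prefs.js syntax (not a dump from a real profile).
SAMPLE = '''\
user_pref("browser.ping-centre.telemetry", true);
user_pref("browser.safebrowsing.provider.google.updateURL", "https://example.invalid/update");
user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", true);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.server", "https://example.invalid/telemetry");
user_pref("toolkit.telemetry.initDelay", 60);
user_pref("browser.startup.homepage", "about:blank");
'''

def harden(prefs_text):
    """Return (user_js_lines, skipped) for prefs under PREFIXES.

    Booleans become false and strings become empty. Other value types
    (integers) are not covered by "false and empty", so they are
    reported in `skipped` for manual review instead of being guessed.
    """
    lines, skipped = [], []
    for raw in prefs_text.splitlines():
        m = PREF_LINE.match(raw)
        if not m or not m.group(1).startswith(PREFIXES):
            continue  # not a pref line, or outside the four groups
        name, value = m.groups()
        if value in ("true", "false"):
            lines.append(f'user_pref("{name}", false);')
        elif value.startswith('"'):
            lines.append(f'user_pref("{name}", "");')
        else:
            skipped.append(name)
    return lines, skipped

if __name__ == "__main__":
    out, skipped = harden(SAMPLE)
    print("\n".join(out))
    for name in skipped:
        print(f"// review by hand: {name}")
```

Firefox reapplies user.js at every start, so anything written there overrides later changes made in about:config until the line is removed.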
Now, I am by no means claiming to be an expert, nor am I even claiming to have a good understanding of Firefox. These are just various things I've found having read existing guides and doing small bits of experimenting myself. I am very much open to suggestions and recommendations for this so I can improve my own privacy and pass that information on to others too.
Now this is a really huge post with a lot to take in, but I hope it benefits some people. As I've said: if there are any changes or improvements you'd suggest then absolutely let me know so I can improve both my own setup and this guide.
Copyright Oliver Ayre 2019. Site licensed under the GNU Affero General Public Licence version 3 (AGPLv3).