29 May 2019 - 21 minute read
I've tried plenty of things to help improve privacy on the internet. I've done
the whole spectrum from minimum-effort and no privacy to privacy-nut lock down
mode. In this post I'm going to go over various things I've used and different
setups I've had, then walk through explaining what I have now and how to
recreate the setup.

### SETUP 1 ###

My first privacy-oriented setup was pretty simple and worked fairly well for the
most part, but had some notable issues. I changed Firefox's settings graphically
to what made sense such as enabling full tracking protection and disabling the
telemetry, and I used uBlock Origin on all defaults with NoScript. Couple that
with Smart HTTPS and you're basically sorted. Have everything blocked by
default, then allow stuff with NoScript until the website does enough for me to
use it. All fairly simple, but it had issues in that it wasn't an exceptionally
private setup. I also used Privacy Badger and the DuckDuckGo extension on and
off for a bit, but they tended to break each other.

I still have this setup on my work machine, but mostly because I've never got
around to changing anything about it and it's a work machine anyway so I don't
do anything personal on it.

### SETUP 2 ###

Setup 2 is probably the polar opposite. I found 12bytes' Firefox guide and
followed through all of it. I got setup with uMatrix, CSS Exfil Protection,
Decentraleyes, Privacy-oriented Origin Policy, Temporary Containers, and
Multi-account Containers. The guide goes through plenty of good config for all
of these. A more recent version also added extensions like Site Bleacher.
Lastly, this setup made use of the GHacks user.js file.

This setup was... extreme to say the least. I managed to get Mastodon and
Protonmail working, but Riot crashed immediately after logging in so I used the
Electron version of it. Loads of sites would just be completely broken, and I
found myself spending more time refreshing pages than using them. Also at some
point there was an update to the user.js file which meant the size of the
webpage would snap to a limited set of sizes so I'd end up with this huge
hideous white border around every webpage and I couldn't for the life of me find
which setting was causing it so I couldn't turn it off. The user.js probably
does a tremendous amount for privacy, but I really struggled to use it without
properly understanding what each option actually affected. It's a very
well-documented file, but I think it could use more comments to actually explain
what effects would be seen, like for instance having a comment that said "This
will restrict webpage sizes so they snap to multiples of xyz pixels" so I can
see it and add overrides in the user-overrides.js.

My approach to the GHacks user.js will probably be not to use it for now, but
come back to it occasionally to see if I can tweak it just enough to get it
usable, at which point I'll obviously start using it everywhere immediately.

### SETUP 3 ###

This is what I'd probably call a "realist" setup. You get a reasonable level of
privacy and it's not terrifying to work with. Sites for the most part work fine
after a little tweaking. This is the setup I use at the moment, so I'll walk
through what I've done and explain how to recreate it.

First place to start is with extensions. I have 12 installed and I'll walk
through each including all the settings I have for them:

ClearURLs is designed to remove nonsense from URLs that can be used for
tracking. It's very simple and I've done no config with it. Just install it and
maybe hide the button for it as you'll probably never need to click it. It's
nice to keep the UI tidy so there's more space for the stuff that actually

CSS Exfil Protection protects you against "CSS data exfiltration attacks". Very
simple little extension with no options to configure. As before, add, hide
button, move on.

Decentraleyes contains local copies of common JavaScript libraries. The idea is
that you get them locally and use them locally and so avoid making needless
requests out to JavaScript CDNs that will undoubtedly track the shit out of you.
Decentraleyes hos 4 options, and we want all enabled except the second one
labelled "Block requests for missing resources" as that will break a tremendous
amount of things.

Firefox Multi-Account Containers is one of Mozilla's own extensions and it adds
the ability to create special containers for tabs to sit in. The idea is that
each container is completely separated from the next, so some sketchy website in
one container can't see any cookies from or exploit the state of any other tab
in a different container. You might have heard of the very simple tracking
attack in which a site can make requests to specific image URLs and use the
response code to determine whether you're logged into Facebook or Twitter or
whatnot. Having a malicious site in a container and social media in a different
one makes you safe from this kind of attack as the request for the image in the
isolated container can't reach it even if you're logged in in another container.
This extension doesn't have any options, but what you want to do is clear the
stock containers it makes and create an individual container for each website
you log into that you want to stay logged into. For instance, I have one for
Riot, one for Mastodon, one for Protonmail (though it's not entirely necessary),
and one for DuckDuckGo (to keep the theme the same).

HTTPZ is much the same as Smart HTTPS and other similar HTTPS-enforcing
extensions, but it's very lightweight and unobtrusive and also claims to get
along well with Temporary Containers which is a good thing. In the options for
it, we want Automatic mode on, "Remember secure sites" on, and to check again if
a site supports HTTPS after Firefox is restarted to make sure when a site fixes
itself and uses HTTPS that we get on it as soon as possible.

Invidition is less a privacy boost and more a convenience boost. If - like me -
you use Invidious, then this extension will intercept any requests to YouTube
before they're even sent and redirect them to Invidious. This means you can very
safely click on a YouTube link without worrying about Google because you'll get
sent straight to Invidious. I didn't change any options for this extension.

Privacy-Oriented Origin Policy removes origin headers from requests when
they're unlikely to be necessary. This dramatically aids in protecting your
privacy - especially when using a VPN as you absolutely should be (covered
later too). We want "Global mode" on "aggressive", nothing in "Overrides", "Type
filters" won't have any effect in aggressive mode, and under "Exclusions" we
want "Exclude root domain matches" to be enabled.

Skip Redirect does what it says on the tin and will attempt to find the source
URL from redirects and go there directly rather than stopping at however many
intermediate pages. Most intermediate pages are used for tracking, so avoiding
them here helps plenty. Under "Mode", we want it set to "Skip all redirects
except for URLs matching any of the lines on the blacklist" but have "Skip
redirects for URLs with the same public domain" disabled. The blacklist should
have a number of things there by default such as "/account", "/auth", and such.
Leave these as they are. I'd also optionally disable the notification pop-up as
it can get a little annoying at times - especially if you have your
notifications make noise.

Stylus is a wonderful extension. It won't improve your privacy, but it's
absolutely wonderful for making the websites you use a lot look nicer. This
extension is completely optional, but I like using it, especially for little
fixes. For instance, I have a style on Mastodon for making the columns in the UI
expand so they evenly fill the width of the screen so they're a little wider. I
also have a number of fixes for Riot such as removing a few buttons, changing
the mention colour to the green so they don't look like horrible errors,
swapping around a few username colours so I'm the nice blue rather than green,
and reducing the size of images as they are unusably huge.

Temporary Containers is arguably the most powerful privacy-boosting extension
you'll get here. It uses exactly the same system as the Multi-account
containers, but automatically spawns new containers for each website you visit
so they're all completely isolated. There are quite a few options though - we'll
start in the "General" tab. Enable automatic mode - this is what makes everting
work nice and smoothly. Don't have notifications when containers are deleted or
that's all you'll see in you notifications. Leave the container name prefix as
"tmp", or you can change it if you want, but eh. Random colours are nice to help
see them working, but leave the icon on the circle so it stays tidy as these
containers are going to be showing up in the list under Multi-account
containers. Everything else on this tab stays default - onto the "Isolation"
tab. Ignore the "Per Domain" settings and go straight to "Global". There are 4
options with drop downs. We want all of them to be set to the option that has
"Subdomains won't get isolated" in parentheses at the end. Next, under "Multi-
Account Containers" we want that option disabled otherwise everything we do with
permanent containers gets broken. On the "Advanced" tab, disable ignoring
requests for "getpocket.com" as Pocket is stupid anyway - let it break.

uBlock Origin is an ad-blocker, but comes with a few extra powers. We'll be
using it mainly just as a static content blocker, where uMatrix will be more
dynamic and interactive. Under the "Settings" tab, we want to enable "Hide
placeholders of blocked elements" to keep our pages tidy, enable "Show the
number of blocked requests on the icon", enable "Make use of context menu where
appropriate", disable "Disable tooltips", disable "Color-blind friendly" (unless
you're colour-blind obviously), disable "Enable cloud storage support", and
enable "I am an advanced user" briefly. Click the little gears icon next to that
last option and look for the option named "suspendTabsUntilReady". Make that say
"true". This completely blocks anything from loading at all until uBlock is
ready to filter things. This prevents unwanted trackers and content being loaded
before uBlock is ready to filter it out. Continuing now, enable all options
under "Privacy" and under default behaviour we want to enable "Disable cosmetic
filtering". Next we want to go to the "Filter lists" tab. Enable "Auto-update
filter lists", disable "Parse and enforce cosmetic filters", and enable "Ignore
generic cosmetic filters". For the filters themselves we want the following: "My
filters", all "Built-in" lists excluding the experimental one, "Adblock Warning
Removal List", "EasyList", all "Privacy" lists, all "Malware domains" lists,
"AdGuard Annoyances", "Fanboy's Annoyance List", "Dan Pollock's hosts file",
"Pete Lowe's Ad and tracking server list", and finally we want to import a
custom list, using the URL 'https://raw.githubusercontent.com/hostsadiq/adblock-
↳nocoin-list/master/nocoin.txt'. Remember to apply changes. We're using
Decentraleyes, so under the "My Rules" tab, we want to add the following:

* ajax.googleapis.com * noop
* ajax.aspnetcdn.com * noop
* ajax.microsoft.com * noop
* cdnjs.cloudflare.com * noop
* code.jquery.com * noop
* cdn.jsdelivr.net * noop
* yastatic.net * noop
* yandex.st * noop
* apps.bdimg.com * noop
* libs.baidu.com * noop
* lib.sinaapp.com * noop
* upcdn.b0.upaiyun.com * noop
* cdn.bootcss.com * noop
* sdn.geekzu.org * noop
* ajax.proxy.ustclug.org * noop

uMatrix is a dynamic filtering extension that allows you to see what's being
requested from where and selectively block and allow only what you're ok with.
Starting simple, open the extension and switch to global mode (asterisk). We
want to block "all" so everything is denied by default, but we want to enable
all CSS and images. Next, we want to allow cookies and frames for 1st party
only. Lastly, open the 3 dots menu and enable "Forbid web workers", "Spoof
Referer header", and "Spoof <noscript> tags". Next, we can go into preferences.
Under the "Settings" tab under "Convenience", we want to enable "Show the number
of blocked resources on the icon", disable "Hide placeholder of blocked
elements" but enable "Hide placeholder of blacklisted elements", enable "Spoof
<noscript> tags when 1st party scripts are blocked", and disable the last 2
options. Ignore the "Matrix" options, then enable everything under "Privacy"
except "Strict HTTPS: forbid mixed content" as it'll otherwise break a lot of
things. Under the "My rules" tab, make sure there's the option "no-workers: *
true" added and committed. Lastly we want to go to the "Assets" tab. Enable
"Auto-update assets", but we want to disable all the hosts files as uBlock
Origin is handling this all for us already. Under "Ruleset recipes", enable
"Ruleset recipes for English websites". If you're using Invidition, then import
a rule set recipe by putting in this URL: 'https://gitlab.com/Booteille/inviditi
↳on/raw/master/umatrix/recipe.txt'. Next, add the same rules from above to the
"My Rules" tab in uMatrix as we did before in uBlock Origin.
Phew, that's a lot to take in. Unfortunately though, that's only half the story.
We still need to configure all the options for Firefox itself. Fortunately, we
can do this all from about:config. Start by scrolling through the whole thing
(it's not as long as you expect it to be) and if you see any option with a value
set to a Google URL or similar that isn't called "block the shit out of this",
then clear the value. Now is the tedious part. I've gone through my whole
about:config and looked at all the options that weren't default, picked out all
the ones that mattered, and have listed them here. Go through your about:config
and change these as necessary:

browser.contentblocking.category	'custom'
browser.contentblocking.reportBreakage.url	''
browser.ping-centre.*	all false and empty
browser.sofebrowsing.downloads.remote.url	''
browser.safebrowsing.provider.google.*	all false and empty
browser.safebrowsing.provider.google4.*	all false and empty
browser.search.geoip.url	''
browser.startup.homepage	'https://start.duckduckgo.com/'
browser.startup.page	3
browser.urlbar.suggest.searches	false
datareporting.healthreport.uploadEnabled	false
extensions.pocket.api	''
extensions.pocket.site	''
extensions.update.autoUpdateDefault	false
geo.enabled	false
geo.wifi.uri	''
media.navigator.enabled	false
media.peerconnection.ice.default_address_only	true
media.peerconnection.ice.no_host	true
network.cookie.cookieBehaviour	1
network.cookie.lifetimePolicy	1
network.dns.disablePrefetch	true
network.predictor.enabled	false
network.prefetch-next	false
pref.general.disable_button.default_browser	false
privacy.donottrackheader.enabled	true
privacy.firstparty.isolate	true
privacy.resistFingerprinting	true
privacy.trackingprotection.cryptomining.enabled	true
privacy.trackingprotection.fingerprinting.enabled	true
privacy.userContext.enabled	true
privacy.userContext.ui.enabled	true
security.OCSP.enabled	0
signon.rememberSignons	false
toolkit.telemetry.*	all false and empty
webgl.disabled	true

Now, I am by no means claiming to be an expert, nor am I even claiming to have a
good understanding of Firefox. These are just various things I've found having
read existing guides and doing small bits of experimenting myself. I am very
much open to suggestions and recommendations for this so I can improve my own
privacy and pass that information on to others too.

### VPNS ###

The one thing that I think is absolutely necessary is a VPN. You can use
whatever provider you like as long as they're trustworthy and have a clear
privacy policy. I use IVPN myself, but there are plenty of others too. Protect
all of your devices. Desktop, Laptop, Phone, all of it. It'll especially do
good for phones where real privacy options are terrifyingly limited and your
only real smartphone options are both brimming with spyware - until the Librem 5
comes out that is.

Now this is a really huge post with a lot to take in, but I hope it benefits
some people. As I've said: if there are any changes or improvements you'd
suggest then absolutely let me know so I can improve both my own setup and this


Guides - Internet
Copyright Oliver Ayre 2019. Site licensed under the GNU Affero General Public
Licence version 3 (AGPLv3).