29 May 2019 - 21 minute read

I've tried plenty of things to help improve privacy on the internet. I've done the whole spectrum from minimum-effort and no privacy to privacy-nut lockdown mode. In this post I'm going to go over various things I've used and different setups I've had, then walk through explaining what I have now and how to recreate the setup.


My first privacy-oriented setup was pretty simple and worked fairly well for the most part, but had some notable issues. I changed Firefox's settings graphically to what made sense such as enabling full tracking protection and disabling the telemetry, and I used uBlock Origin on all defaults with NoScript. Couple that with Smart HTTPS and you're basically sorted. Have everything blocked by default, then allow stuff with NoScript until the website does enough for me to use it. All fairly simple, but it had issues in that it wasn't an exceptionally private setup. I also used Privacy Badger and the DuckDuckGo extension on and off for a bit, but they tended to break each other.

I still have this setup on my work machine, but mostly because I've never got around to changing anything about it and it's a work machine anyway so I don't do anything personal on it.


Setup 2 is probably the polar opposite. I found 12bytes' Firefox guide and followed through all of it. I got set up with uMatrix, CSS Exfil Protection, Decentraleyes, Privacy-oriented Origin Policy, Temporary Containers, and Multi-account Containers. The guide goes through plenty of good config for all of these. A more recent version also added extensions like Site Bleacher. Lastly, this setup made use of the GHacks user.js file.

This setup was... extreme to say the least. I managed to get Mastodon and Protonmail working, but Riot crashed immediately after logging in so I used the Electron version of it. Loads of sites would just be completely broken, and I found myself spending more time refreshing pages than using them. Also, at some point there was an update to the user.js file which meant the size of the webpage would snap to a limited set of sizes, so I'd end up with this huge hideous white border around every webpage, and I couldn't for the life of me find which setting was causing it, so I couldn't turn it off. The user.js probably does a tremendous amount for privacy, but I really struggled to use it without properly understanding what each option actually affected. It's a very well-documented file, but I think it could use more comments to actually explain what effects would be seen, like for instance having a comment that said "This will restrict webpage sizes so they snap to multiples of xyz pixels" so I can see it and add overrides in the user-overrides.js.

My approach to the GHacks user.js will probably be not to use it for now, but come back to it occasionally to see if I can tweak it just enough to get it usable, at which point I'll obviously start using it everywhere immediately.


This is what I'd probably call a "realist" setup. You get a reasonable level of privacy and it's not terrifying to work with. Sites for the most part work fine after a little tweaking. This is the setup I use at the moment, so I'll walk through what I've done and explain how to recreate it.

First place to start is with extensions. I have 12 installed and I'll walk through each including all the settings I have for them:

* ajax.googleapis.com * noop
* ajax.aspnetcdn.com * noop
* ajax.microsoft.com * noop
* cdnjs.cloudflare.com * noop
* code.jquery.com * noop
* cdn.jsdelivr.net * noop
* yastatic.net * noop
* yandex.st * noop
* apps.bdimg.com * noop
* libs.baidu.com * noop
* lib.sinaapp.com * noop
* upcdn.b0.upaiyun.com * noop
* cdn.bootcss.com * noop
* sdn.geekzu.org * noop
* ajax.proxy.ustclug.org * noop

Phew, that's a lot to take in. Unfortunately though, that's only half the story. We still need to configure all the options for Firefox itself. Fortunately, we can do this all from about:config. Start by scrolling through the whole thing (it's not as long as you expect it to be) and if you see any option with a value set to a Google URL or similar that isn't called "block the shit out of this", then clear the value. Now is the tedious part. I've gone through my whole about:config and looked at all the options that weren't default, picked out all the ones that mattered, and have listed them here. Go through your about:config and change these as necessary:

browser.contentblocking.category	'custom'
browser.contentblocking.reportBreakage.url	''
browser.ping-centre.*	all false and empty
browser.safebrowsing.downloads.remote.url	''
browser.safebrowsing.provider.google.*	all false and empty
browser.safebrowsing.provider.google4.*	all false and empty
browser.search.geoip.url	''
browser.startup.homepage	'https://start.duckduckgo.com/'
browser.startup.page	3
browser.urlbar.suggest.searches	false
datareporting.healthreport.uploadEnabled	false
extensions.pocket.api	''
extensions.pocket.site	''
extensions.update.autoUpdateDefault	false
geo.enabled	false
geo.wifi.uri	''
media.navigator.enabled	false
media.peerconnection.ice.default_address_only	true
media.peerconnection.ice.no_host	true
network.cookie.cookieBehavior	1
network.cookie.lifetimePolicy	1
network.dns.disablePrefetch	true
network.predictor.enabled	false
network.prefetch-next	false
pref.general.disable_button.default_browser	false
privacy.donottrackheader.enabled	true
privacy.firstparty.isolate	true
privacy.resistFingerprinting	true
privacy.trackingprotection.cryptomining.enabled	true
privacy.trackingprotection.fingerprinting.enabled	true
privacy.userContext.enabled	true
privacy.userContext.ui.enabled	true
security.OCSP.enabled	0
signon.rememberSignons	false
toolkit.telemetry.*	all false and empty
webgl.disabled	true
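
A check for the table above, added here as an example and not part of the original post: it parses a profile's prefs.js (or a user.js) and reports where it differs from a subset of the listed values. The sample input is constructed, and the rule used for the "all false and empty" rows (booleans false, strings empty, integers ignored) is an assumption.

```python
import json
import re
# Subset of the table above; network.cookie.cookieBehavior is Firefox's own spelling.
EXPECTED = {
    "browser.contentblocking.category": "custom",
    "geo.enabled": False,
    "network.cookie.cookieBehavior": 1,
    "privacy.firstparty.isolate": True,
    "privacy.resistFingerprinting": True,
}
# Rows the table marks "all false and empty": bools must be false, strings "".
CLEARED_PREFIXES = ("browser.ping-centre.", "toolkit.telemetry.")
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*(?://.*)?$')

# Constructed sample in prefs.js syntax, not taken from a real profile.
SAMPLE = """\
user_pref("browser.contentblocking.category", "custom");
user_pref("geo.enabled", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("privacy.firstparty.isolate", true);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.server", "https://telemetry.example.invalid");
"""

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; values are bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            # Assumption: values are true/false, ints or plain quoted strings (valid JSON).
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs

def audit(prefs):
    """Return sorted (pref, problem) pairs where the profile differs from the table."""
    findings = []
    for name, want in EXPECTED.items():
        if name not in prefs:
            findings.append((name, "absent from file, so the Firefox default applies"))
        elif (type(prefs[name]), prefs[name]) != (type(want), want):
            findings.append((name, f"is {prefs[name]!r}, table says {want!r}"))
    for name, value in prefs.items():
        if name.startswith(CLEARED_PREFIXES) and isinstance(value, (bool, str)) and value:
            findings.append((name, f"is {value!r}, table says false or empty"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(parse_prefs(SAMPLE)), sep="\n")
```

To audit a real profile, pass the contents of the prefs.js file from the profile folder shown in about:support instead of `SAMPLE`. Firefox only writes prefs that differ from their defaults to that file, which is why a missing entry is reported rather than assumed correct.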

Now, I am by no means claiming to be an expert, nor am I even claiming to have a good understanding of Firefox. These are just various things I've found having read existing guides and doing small bits of experimenting myself. I am very much open to suggestions and recommendations for this so I can improve my own privacy and pass that information on to others too.


The one thing that I think is absolutely necessary is a VPN. You can use whatever provider you like as long as they're trustworthy and have a clear privacy policy. I use IVPN myself, but there are plenty of others too. Protect all of your devices. Desktop, Laptop, Phone, all of it. It'll especially do good for phones where real privacy options are terrifyingly limited and your only real smartphone options are both brimming with spyware - until the Librem 5 comes out that is.

Now this is a really huge post with a lot to take in, but I hope it benefits some people. As I've said: if there are any changes or improvements you'd suggest then absolutely let me know so I can improve both my own setup and this guide.


