from the not-trying-to-start-a-browser-war dept.
There are various stories about Firefox not respecting user privacy. Some suggest certain settings to reduce the information Firefox sends out (such as this one from Mozilla). Over time, I have collected a lot of them into a user.js file. For those who do not know, a user.js file may be dropped into a Firefox profile directory as a convenient way to force certain settings every time Firefox starts up. This can reset changes made by the user during a previous session, but is also a convenient way to initialize desired settings in a fresh profile.
In an IRC discussion, Martyb suggested I share the settings I have collected. Below is a sample user.js that I sometimes use as a template for disabling many potential privacy and/or security holes in Firefox. Some, like HTML pings, are probably features that most privacy-minded individuals do not want (and may not have even known about). Others, like disabling cookies and/or javascript, can break how sites work (sometimes, amusingly, they only break the advertisements). Others, like tracking protection, are double-edged: disabling it exposes you to being tracked by known trackers, while enabling it may cause Firefox to phone home to fetch updated lists of known trackers. The comments in the user.js point out some, but definitely not all, of the potential pitfalls. The settings are definitely not set the way everybody should use them, but having them listed out at least provides a convenient starting point. I highly recommend against dropping them directly into your main Firefox profile, as they may undo changes you have made for yourself. Instead, either try them in a fresh profile and copy over the things that work for you, or research the settings and only copy over the ones you want that will not break your browser.
Please share any information you may have on various settings in this file, or on any you feel are missing from this file. Also, if you have similar information for some other browsers, consider commenting on those, or perhaps submitting a story about settings for that browser.
/* Note: All of these may be set in about:config. Many may also be set
* via about:preferences. Placing them in a user.js allows for them to be
* set automatically when Firefox starts up (overriding any changes made to
* them during the previous session), and also gives a convenient way to
* set many settings in a new profile.
*
* Several of these break sites (often in ways that are not immediately
* obvious); others break features. They are being included here just to
* show what options are there. A small amount of effort has been made to
* comment on the ones that are likely to break things.
*
* Obviously, most of these are not carefully explained. Please search
* online to find out what they do. */
/* Start in offline mode, if desired (uncomment and set to true): */
//user_pref("browser.offline", true);
/* Disable automatic updates. */
user_pref("app.update.auto", false);
user_pref("browser.search.update", false);
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.update.enabled", false);
/* Disable settings that might try to deal with a typo, sending out
* information that was not intended to be sent. */
user_pref("browser.fixup.alternate.enabled", false);
user_pref("browser.search.suggest.enabled", false);
user_pref("keyword.enabled", false);
/* Disable certain storages that could leak information to somebody else
* using the browser. */
user_pref("browser.formfill.enable", false);
user_pref("browser.history_expire_days.mirror", 1);
user_pref("browser.history_expire_days_min", 1);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.topsites", false);
user_pref("places.history.enabled", false);
/* Note: Some sites that require javascript to be enabled and use local
* storage may choke with these two settings: */
user_pref("dom.storage.enabled", false);
user_pref("dom.indexedDB.enabled", false);
/* Disable certain features that leak information. */
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.passwords.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.remoteLookups", false);
/* Disable various pings and automatic checks. */
user_pref("browser.aboutHomeSnippets.updateUrl", "");
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.getAddons.cache.enabled", false);
user_pref("network.captive-portal-service.enabled", false);
/* Disable the ping attribute in HTML links:
* <a href="https://target.com/" ping="https://ping.com">Ping</a>
* will send a ping to the ping URL when clicked if this is enabled. */
user_pref("browser.send_pings", false);
/* Disable searching the network for finding devices Firefox could send
* video to (like Roku or Chromecast devices). */
user_pref("browser.casting.enabled", false);
/* General security. */
/* This definitely breaks sites, but for the paranoid, nothing enhances
* security and privacy like not letting sites choose what code runs. */
user_pref("javascript.enabled", false);
/* This is probably not an issue if javascript is disabled. If enabled and
* used, it allows for probing local IP addresses. Specifically, if
* enabled, the STUN protocol can use an ICE connection to figure out IP
* addresses of your computer. Note that this is required for WebRTC
* (audio/video conferencing). */
user_pref("media.peerconnection.enabled", false);
user_pref("security.enable_java", false);
user_pref("security.warn_entering_secure", true);
user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_submit_insecure", true);
user_pref("security.warn_viewing_mixed", true);
/* If you do not plan to use this web notification service, you should
* probably keep it disabled. */
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);
/* Set some private settings. */
/* Do not try to load links just because the cursor passed over them. */
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.prefetch-next", false);
/* Do not try to geolocate. */
user_pref("browser.search.geoip.url", "");
/* Disable DNS over HTTPS. See the other network.trr.* settings for more
* details. Enable it by setting this to 2, or by changing the DNS over
* HTTPS check box in about:preferences. */
user_pref("network.trr.mode", 5);
/* Show punycode in URLs using that (rather than showing Unicode). This is
* an attempt to protect against sites that use names that look official,
* like www.google.com except with an ``o'' replaced with some Unicode
* character that looks a lot like an ``o'', or something. */
user_pref("network.IDN_show_punycode", true);
/* Accessibility features might be a privacy issue. */
user_pref("accessibility.force_disabled", 1);
/* Disable studies and personalized extension recommendations. (Normandy
* itself is disabled below, with its own comment.) */
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.discovery.enabled", false);
/* Disable the Normandy service, which, if enabled, allows Mozilla to push
* configuration changes and add-ons to your browser. While an obvious
* potential security issue, note that this feature does help to prevent
* other security issues caused by users not updating software, including
* apparently helping with some problem where a bug was preventing updating
* add-ons. */
user_pref("app.normandy.enabled", false);
/* If you want to use your own extensions, they will need to be signed,
* unless you disable this (set it to false). */
user_pref("xpinstall.signatures.required", true);
/* Always ask where to download files. */
user_pref("browser.download.useDownloadDir", false);
/* Open new tabs with blank pages. */
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
/* Default home page is a blank page. */
user_pref("browser.startup.page", 0);
user_pref("browser.startup.homepage", "about:blank");
/* Cycle through tabs in a more predictable order. */
user_pref("browser.ctrlTab.recentlyUsedOrder", false);
/* Disable showing things in new tabs if not using a blank page. */
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
user_pref("browser.newtabpage.activity-stream.showSearch", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
/* Use autoscroll. */
user_pref("general.autoScroll", true);
/* Disable cookies by default. */
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.cookie.lifetimePolicy", 2);
/* Disable other potential trackers.
* NOTE: If these are enabled, Firefox may connect to servers to update
* lists of known cryptominers and/or trackers. On the other hand,
* disabling them may result in Firefox loading resources from known
* trackers. */
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.cryptomining.enabled", true);
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);
/* Clear stored data on browser shutdown. */
user_pref("privacy.sanitize.didShutdownSanitize", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);
/* Do not remember credentials. */
user_pref("signon.rememberSignons", false);
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("pref.privacy.disable_button.view_passwords_exceptions", false);
/* If desired, always use a SOCKS5 proxy. */
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 12345); /* integer pref, not a string */
/* If using a proxy, proxy DNS as well. */
user_pref("network.proxy.socks_remote_dns", true);
(Score: 4, Insightful) by krishnoid on Friday October 23 2020, @02:54AM
You can try the portable version [portableapps.com], and if you don't like what you see, just dump it in the Recycle Bin, settings, cache, app and all.
(Score: 3, Informative) by Anonymous Coward on Friday October 23 2020, @03:02AM (4 children)
Looking at the settings for the tor browser is helpful to get privacy/anti-info-leak setting ideas, but a few of their settings require a patched firefox.
Unfortunately, the tor project doesn't point HEAD to latest. So, easiest to just go to this link, and in the upper right, select the branch numbered the latest revision for your version of firefox:
https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.3.0esr-7.5-2 [torproject.org]
ghacks is another good source of ideas:
https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js [githubusercontent.com]
I have a build system that builds several firefox profiles from source config "chunks" with settings for extensions like umatrix also being managed this way, so e.g., my banking profile allows my bank to run js, but my general profile has no reason for this, and doesn't. When extension data was stored in about:config it was easier, the build system could add to allow lists directly. Now, extension data is in separate dbs, so I have writable profiles that are used for nothing but to update config for these extensions, then the extension db files are saved into the build system for the appropriate normal use profile(s) (I run firefox in jails with tmpfs as the only thing it can read/write to). There are also machine specific settings like zoom level that get set by the build depending upon the machine it is run from.
The system works pretty well, but firefox is constantly adding more garbage that intrudes on your privacy (not just blatant spying by "telemetry", but also anti features like java script access to clipboard data, etc.). But, firefox is still better than any of the fully corporate alternatives.
If your user.js file grows to more than a few lines, it gets hard to track down issues. This trivial script inserts debug lines into your config, and is *really* handy. Just go to about:config with the temp augmented user.js in place, and search for debug.line.number. The value assigned to debug.line.number will be one line before the config line that caused the error. Good to check after any changes since failures are usually silent. They just prevent subsequent config from being applied.
mv user.js user.js.orig && awk '{print $0 "\nuser_pref(\"debug.line.number\", " NR*2 ");"}' user.js.orig > user.js
My user.js files are all approaching 1000 lines. The above has saved me hours of frustration! Sadly, I didn't think to do it until after already accruing several hours of arrrrgggggg!!!!!!
Until firefox was updated to 78.3 LTS by Debian a few weeks ago, I would have said you can make firefox look any way you like with userchrome.css. I have always had a very compact layout with a different tab color scheme per browser profile, no hamburger menu crap, etc. This latest update has broken things. I looked to using their newish theming stuff that they want you using now, and created a theme instead, but firefox won't let you install your own theme now without having mozilla sign it. All very frustrating. I kinda hope Debian finds some reason to fork firefox again, and the maintainers get rid of some of this mozilla corp knows best, you know you can't be trusted with your own computer B.S. Still better than the alternatives, though.
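A small linter for the user.js format, written as an added example (not code from the article, any commenter, or Mozilla): it finds the same silent failures the debug.line.number trick above hunts for, plus the slips a long template tends to collect, such as a pref set twice or an integer pref given as a quoted string. The expected-type table is an assumption drawn from about:config defaults, and the sample user.js is constructed.

```python
import re
# user_pref("name", true|false|<int>|"string");  one statement per match
STMT_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)
# Assumed types (about:config defaults) for prefs that are easy to mistype.
EXPECTED_TYPES = {"network.proxy.socks_port": int, "network.trr.mode": int,
                  "network.cookie.cookieBehavior": int, "javascript.enabled": bool}

def strip_comments(text):
    """Blank out /* */ and // comments but keep newlines so line numbers match;
    markers inside "strings" (URLs) are left alone. Returns (text, unterminated)."""
    out, i, n = [], 0, len(text)
    in_block = in_line = in_str = False
    while i < n:
        c = text[i]
        if in_block:
            if text.startswith("*/", i):
                in_block, i = False, i + 2
                continue
            out.append(c if c == "\n" else " ")
        elif in_line:
            if c == "\n":
                in_line = False
                out.append(c)
        elif in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character too
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == "/" and text[i + 1:i + 2] in ("*", "/"):
            in_block, in_line = text[i + 1] == "*", text[i + 1] == "/"
            i += 2
            continue
        else:
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out), in_block

def lint_user_js(text):
    """Return (prefs, problems): prefs maps name -> last value; problems carry line numbers."""
    prefs, first_seen, problems = {}, {}, []
    clean, unterminated = strip_comments(text)
    for lineno, line in enumerate(clean.splitlines(), 1):
        leftover = STMT_RE.sub("", line).strip()
        if leftover:  # not a well-formed statement, so Firefox would not apply it
            problems.append(f"line {lineno}: cannot parse {leftover!r}")
            continue
        for name, token in STMT_RE.findall(line):
            value = (token == "true" if token in ("true", "false")
                     else token[1:-1] if token.startswith('"') else int(token))
            if name in first_seen:
                problems.append(f"line {lineno}: {name} already set on line "
                                f"{first_seen[name]} (was {prefs[name]!r})")
            want = EXPECTED_TYPES.get(name)
            if want is not None and type(value) is not want:
                problems.append(f"line {lineno}: {name} should be {want.__name__}, "
                                f"got {type(value).__name__} {value!r}")
            first_seen.setdefault(name, lineno)
            prefs[name] = value
    if unterminated:
        problems.append("unterminated /* comment swallows the rest of the file")
    return prefs, problems

# Constructed sample: template-style lines with three deliberate slips.
SAMPLE = '''/* Constructed user.js sample. */
user_pref("javascript.enabled", false);
user_pref("app.normandy.enabled", false);/* fused comment: legal, just ugly */
user_pref("browser.send_pings" false);
user_pref("app.normandy.enabled", false);
user_pref("network.proxy.socks_port", "12345");
//user_pref("browser.offline", true);
'''
```

Run `lint_user_js(open("user.js").read())` against a real profile file; the reported line numbers refer to the original file, so no awk augmentation is needed.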
(Score: 3, Informative) by Anonymous Coward on Friday October 23 2020, @05:18AM (1 child)
I do not recommend mobile browsers because the combination of the platform and the browsers cannot be customised enough for good security and privacy IMHO.
Using Firefox-ESR (Extended Support Release) means you do not usually have to revisit user.js every 4-5 weeks like you would using the regular Firefox version. I manage IT for a company, and apply my suggestions to the users, but they have their choices and most use a user.js hardened Firefox instead of Tor Browser, with at least these extensions
Also, I trim the trusted CA certificates to a minimal set using phllyukko's guidance [github.com]. This does not work for Tor Browser, so I switch it to use the system trusted CA certificates based on guidance here [askubuntu.com] and must modify /etc/ca-certificates.conf and run update-ca-certificates to make the changes take effect. These commands will modify Tor Browser or Firefox to use the system trust store in an Ubuntu system (run it from the Browser folder)
Before doing a Tor Browser upgrade, switch it back - otherwise the upgrade takes a long time and will overwrite your changes anyway. After the upgrade, run the script again to use the system trust store.
For the browser versions I use and the link AC mentioned, I found https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-78.4.0esr-10.0-2 [torproject.org] to work best. I like AC's idea of several firefox profiles, but for my users that might get complicated. Instead we switch Tor Browser Security Level (torbutton), and re-import trusted sites (like Wikipedia, etc.) into NoScript after switching to a different security level because it overwrites changes. You can follow instructions at this article [ghacks.net] to use Tor Browser without Tor, for example to do online banking.
(Score: 0) by Anonymous Coward on Friday October 23 2020, @05:56AM
Thanks, your list is a great baseline to work with in conjunction with applying your own research and personal preferences!
One minor point of criticism:
Using both NoScript and uBlock Origin is now redundant. uBlock recently added an "advanced" mode (checkbox in settings enables it) that borrows from uMatrix in concept and interface and lets you block page elements based on their origin relative to the visited site. In addition to the obligatory block lists, custom rules and cosmetic filters.
In fact, I stopped using uMatrix in favour of "advanced" uBlock. Reputation as the best *anything*blocker well deserved.
(Score: 1, Interesting) by Anonymous Coward on Friday October 23 2020, @10:15AM (1 child)
Firefox is not better than other browsers. Brave respects the user from the get-go, Ungoogled Chromium establishes zero unwanted connections, PaleMoon is great. Just the fact that FireFox needs to be extensively modified to respect some semblance of privacy says it all.
(Score: 1, Informative) by Anonymous Coward on Friday October 23 2020, @02:14PM
The problem is that on non-firefox based browsers, you can't turn off all the info leaking "features". And, every browser you mention is full of them. So, by being able to turn off javascript features used to fingerprint users, turn off javascript being able to spy on your clipboard, and turn off webrtc and other garbage that leaks your real IP when you are behind a VPN, you are *much* better off with firefox than any other non-firefox based browser.
As for pale moon (a firefox based browser), it is less secure due to vulnerabilities from running an ancient, unpatched/slow to patch firefox by virtue of the tiny group of devs (you are probably better off with seamonkey, if you want XUL extensions) -- I can't find the link but there was a good writeup on pale moon where the author showed that pale moon was vulnerable to exploits known and already fixed in mainline firefox for _years_.
(Score: 0) by Anonymous Coward on Friday October 23 2020, @03:04AM
Nice - I use many of these already!
I appreciate the share and will parse it for interesting stuff I've missed!
(Score: -1, Flamebait) by Anonymous Coward on Friday October 23 2020, @03:19AM (2 children)
Where is the "Impeach again" setting in Firefox? Couldn't find it in Facebook. Is it being intentionally hidden?
(Score: -1, Offtopic) by Anonymous Coward on Friday October 23 2020, @04:52AM (1 child)
Sensored.
(Score: -1, Offtopic) by Anonymous Coward on Friday October 23 2020, @05:13AM
My sensors say the extension is installed, but inactive? How do I activate the "Impeach again" plug in to Firefox? Of course, there is nothing comparable available for Chromium, for some Republican reason. Borat! Khazakstan tech support?
(Score: 0) by Anonymous Coward on Friday October 23 2020, @07:25AM
0.0.0.0 firefox.settings.services.mozilla.com
0.0.0.0 content-signature-2.cdn.mozilla.net
0.0.0.0 location.services.mozilla.com
(Score: 2, Insightful) by Anonymous Coward on Friday October 23 2020, @10:18AM (1 child)
This is getting to be too much; might just have to stick with the lynx browser. I disable network prefetch next, install HTTPS everywhere, cookies autodelete, privacy badger, and call it good...
RIP internet; you held much promise...
(Score: 0) by Anonymous Coward on Friday October 23 2020, @03:20PM
lynx has security problems of its own.
(Score: 1, Touché) by Anonymous Coward on Friday October 23 2020, @12:32PM
My favorite setting for Firefox nowadays.
(Score: 1, Informative) by Anonymous Coward on Friday October 23 2020, @01:03PM (2 children)
methinks disabling "referrer" is the most obvious way to disable tracking.
also the DOM setting that allows a remote random website to disable your "right mouse click menu(*)" is a must... to disable.
(*) imagine a nagging annoying squeaky voice saying: "no no! you cannot just right-click on this here multimedia element that has been uploaded by meeeee to the wider global public internet and transferred to you and your computer's memory and save a copy to a storage facility that remembers past power outs. now go away and thank you for looking at ads that pay me but you haven't requested."
(Score: 1, Informative) by Anonymous Coward on Friday October 23 2020, @02:28PM
If you allow javascript you are being tracked.
Firefox is better than any browser out of the box for disabling this tracking due to the project to upstream changes from tor browser into mainline firefox. But, it doesn't block all javascript used to uniquely identify users.
The problem is that if you change firefox config to block more of these javascript holes, you have now become identifiable since your browser acts differently than most. I'm the same AC as started the thread on "other sources", and for the profiles that I allow javascript on, the panopticlick site shows those browser profiles as uniquely identifiable precisely because most things that can be used for tracking are blocked. But, for those profiles, the folks I am protecting myself from (i.e., harvesting my clipboard data, location [real ip], etc.) are sites I've already logged into, and have easier ways to track me.
https://panopticlick.eff.org/ [eff.org]
It isn't just javascript. css can be used to track you too. If the site can query fonts on your browser, that is used to identify and track you (needs js). Window sizes (this is why firefox always opens a large window now (setting migrated from tor browser)), battery level (disabled in firefox now; migrated from tor browser), etc. are used to identify and track you (needs js). And, of course, the obvious ones of private storage, location (either gps or your IP) and cookies.
The web is a very user hostile place.
(Score: 0) by Anonymous Coward on Friday October 23 2020, @07:20PM
Holding down SHIFT with a RIGHT-CLICK makes a REAL RIGHT-CLICK, not what the javascript override does.
(Score: 5, Informative) by Pino P on Friday October 23 2020, @01:54PM
Firefox has a feature called "race cache with network" that will speculatively open numerous connections to a web server to retrieve a cached resource in case the server returns the data faster than your disk's cache does. This may improve speed on devices with very slow storage, such as a Windows PC with a 5400 RPM HDD and a slow antivirus, at the cost of increased data transfer billing on an ISP's metered plan as well as loss of access to a website whose firewall confuses the "race" behavior with a SYN flood. One site where a lot of Firefox users have run into problems is nesdev.com, a site about homebrew game development for Nintendo Entertainment System. To disable this, open about:config and set network.http.rcwn.enabled to false.
See the following bugs:
Firefox opens several TCP connections and ignores some of them, and may trigger TCP SYN Flood alerts
Resolved as invalid due to lack of steps to reproduce.
Filed to provide more detailed steps to reproduce as well as evidence through Wireshark that it is happening and causing an IP address block on a particular website.
No UI option to turn off "Race Cache With Network"
Users must use about:config to turn off this behavior, if they even know it's happening.
(Score: 1, Interesting) by Anonymous Coward on Friday October 23 2020, @09:26PM
You can lock entries wherever you want, for example:
(Score: 0) by Anonymous Coward on Friday October 23 2020, @09:29PM
https://pastebin.com/raw/anZCprac [pastebin.com]
(Score: 2) by hendrikboom on Sunday October 25 2020, @10:56PM
How much work would it be to write and maintain a new secure browser from scratch using modern tools?
I have no appreciation for the order of magnitude involved.
Does it make a difference if you can ignore standards-nonconforming websites? If you don't need compatibility with obsolete practices?
And, aside from that, how much work *should* it be?
-- hendrik