Better security, privacy and anonymity in Firefox

In this post I have gathered information about several techniques that can be used to track and identify web-browser users, and I will show how to protect yourself against them. It should be useful for several audiences: people who hate online ads, people who don't want to be tracked, and Tor users. The settings listed below are the ones I use myself; the list was compiled to improve privacy and anonymity without breaking most web 2.0 features.

 

1. Let's start with the most basic privacy settings in Firefox. Open the Privacy settings (on Linux, Edit -> Preferences; the universal way is to type "about:preferences" in the address bar and select "Privacy"). There has been a lot of talk about the Firefox option to block third-party cookies, and many people dislike that feature because it stops them earning money by tracking you. So tell sites that you don't want to be tracked (Do Not Track) and never accept third-party cookies. The other options are optional for now. Keep in mind that Do Not Track is only a request header that sites are free to ignore, which is why the cookie setting and the add-ons below matter more.

[screenshot: Firefox privacy settings]

2. Hiding your referrers. This setting matters because the Referer header tells every site you visit where you came from, i.e. the full URL of the previous page, including any query string. It requires some work in about:config, a page most users never visit. Change the values of these four preferences:

network.http.sendRefererHeader (integer) determines when the Referer HTTP header is sent at all:

0: never send the referring URL
1: send only on clicked links
2 (default): send for links and embedded resources (images, scripts, etc.)

Set it to 1. Setting it to 0 gives the most privacy but breaks pages that check the Referer (some sites use it as a CSRF check or for hotlink protection), so 0 is not recommended.

network.http.referer.XOriginPolicy (integer, no official documentation) controls whether the header is sent to a different origin:

0 (default): always send
1: send only if the base domains match
2: send only if the hosts match

Set it to 1.

network.http.referer.spoofSource (boolean):

false (default): send the real referer
true: spoof the referer (use the target URI as the referer)

Set it to true.

network.http.referer.trimmingPolicy (integer) controls how much of the URL is sent:

0 (default): full URI
1: scheme+host+port+path
2: scheme+host+port

Set it to 2.

These preference names are the ones used by the Firefox releases current when this was written; later versions also expose network.http.referer.defaultPolicy, which selects a Referrer-Policy-style default, so check about:config for the names your version uses.
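To see how the four preferences above compose before you touch them, here is a small model of Firefox's referer decision, written for this page as an added example rather than taken from Firefox or from the original post. It simplifies the real logic: the fragment is never sent, "base domain" is approximated as the last two host labels (Firefox uses the Public Suffix List), and the checks run in the order send-at-all, cross-origin policy, spoof, trim. The URLs in it are constructed.

```javascript
// Added example: a model of the four Firefox referer preferences.
// Simplifications (assumptions): no Public Suffix List, fragment never sent,
// check order = sendRefererHeader, XOriginPolicy, spoofSource, trimmingPolicy.

// Firefox defaults as listed in the post.
const DEFAULT_PREFS = {
  sendRefererHeader: 2,   // 0 never, 1 clicked links only, 2 links and resources
  XOriginPolicy: 0,       // 0 always, 1 base domains must match, 2 hosts must match
  spoofSource: false,     // true: use the target URI as the referer
  trimmingPolicy: 0,      // 0 full URI, 1 scheme+host+port+path, 2 scheme+host+port
};

// The values the post recommends.
const RECOMMENDED_PREFS = {
  sendRefererHeader: 1,
  XOriginPolicy: 1,
  spoofSource: true,
  trimmingPolicy: 2,
};

// Approximation of the registrable ("base") domain: last two labels only.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Apply trimmingPolicy to a URL. The fragment is never part of a Referer.
function trimReferer(url, trimmingPolicy) {
  const u = new URL(url);
  switch (trimmingPolicy) {
    case 2:  return u.origin + "/";                   // scheme+host+port
    case 1:  return u.origin + u.pathname;            // + path
    default: return u.origin + u.pathname + u.search; // full URI minus fragment
  }
}

// Returns the Referer value the model would send for a request from fromUrl
// to toUrl, or null when no header is sent. isClick distinguishes a followed
// link from an embedded resource such as an image or script.
function computeReferer(fromUrl, toUrl, isClick, prefs) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // 1. Is the header sent at all for this kind of request?
  if (prefs.sendRefererHeader === 0) return null;
  if (prefs.sendRefererHeader === 1 && !isClick) return null;

  // 2. Cross-origin policy.
  if (prefs.XOriginPolicy === 1 && baseDomain(from.hostname) !== baseDomain(to.hostname)) return null;
  if (prefs.XOriginPolicy === 2 && from.hostname !== to.hostname) return null;

  // 3. Spoofing replaces the source URL with the target URL.
  const source = prefs.spoofSource ? to.href : from.href;

  // 4. Trim whatever is left.
  return trimReferer(source, prefs.trimmingPolicy);
}

// Side-by-side comparison of the default and recommended settings.
function compareReferers(fromUrl, toUrl, isClick) {
  return {
    defaults: computeReferer(fromUrl, toUrl, isClick, DEFAULT_PREFS),
    recommended: computeReferer(fromUrl, toUrl, isClick, RECOMMENDED_PREFS),
  };
}

// Example run with constructed URLs: a shop page loading a third-party pixel.
console.log(compareReferers("https://shop.example.com/cart?item=42#top", "https://ads.tracker.net/pixel", true));
```

With the defaults the tracker receives the full cart URL; with the recommended values it receives nothing, and a same-site link (say from shop.example.com to blog.example.com/post?id=7) receives only "https://blog.example.com/", because the spoofed target URL is then trimmed to its origin.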

 

3. AdBlock.

Support for AdBlock Edge will be dropped in July, please skip this part and install µBlock instead.

Personally, I prefer AdBlock Edge because, unlike AdBlock Plus, it ships without the sponsored "acceptable ads" whitelist enabled. Briefly:

AdBlock Edge is a fork of the AdBlock Plus version 2.1.2 extension for blocking advertisements on the web, without sponsored ads whitelist.

AdBlock not only blocks ads but, with the right filter lists, also blocks access to some domains spreading malware and removes the Like, Share and +1 buttons served by Facebook, Twitter and G+. As we know, those corporations track users not only on their own sites but everywhere their scripts are embedded. Another reason to replace ABP with AdBlock Edge is memory and CPU consumption: in my experience ABP uses several times more memory than ABE. Try it.

Just installing AdBlock isn't enough. For extra privacy, you should download and enable some more rules. Go to Tools -> Add-ons -> Extensions -> AdBlock and click Filter preferences. You will see a window like this one, where you can add more filter subscriptions; these are the ones I recommend:

[screenshot: recommended AdBlock filter lists]

From now on you shouldn't see any ads anywhere, and the Like, Share, Tweet and +1 buttons should disappear too.

 

4. Don't keep cookies. A very good add-on for this is Self-Destructing Cookies. For me it works better than disabling cookies in Firefox: the add-on deletes a site's cookies as soon as you close its tab, and lets you white-list sites that may keep theirs, so if you use reddit/digg/discuss a lot you can white-list those domains and avoid logging in again every time you close the tab or the browser.

 

5. I think HTTPS-Everywhere is an add-on that everyone must use, so I won't waste time here: install it and you're done. It rewrites requests to the HTTPS version of a site wherever the site supports it, which stops passive sniffing of your traffic on the local network.

 

6. Privacy Badger requires no configuration. Rather than using a filter list, it watches which third-party domains follow you across sites and blocks their requests and cookies once they are seen tracking you, so it catches social buttons and other trackers that lists miss. You can just forget about this add-on after installation. Note that it is not an ad blocker: ads that don't track you are left alone, which is why it complements rather than replaces the filter lists above.

 

7. Random Agent Spoofer is something for more advanced users who know what they are doing. You can download the latest version from GitHub, with more spoofing options, or from Mozilla, so the add-on auto-updates. To be honest, this add-on can break websites: a server might not send you CSS or JS files, so the page renders incomplete, or something else magically stops working, like the Flash video player on TED.com. If you run into problems, right-click the RAS icon and disable it for now. I think RAS is essential for Tor users, because agencies such as the NSA/GCHQ reportedly try to identify users by the user agent and fingerprint their browser leaves while they use Tor and after they switch Tor off. You can check how unique your browser is with Panopticlick; in my tests every configuration came out unique. One caveat: inside Tor Browser itself do not add spoofing extensions. Tor Browser already gives every user the same user agent and fingerprint, and any deviation from that makes you stand out.

[screenshots: Random Agent Spoofer options]

Your browser may also be leaking DNS queries for links you never click: disabling DNS prefetching and link prefetching stops Firefox from resolving and fetching pages in advance, which also saves a few kilobytes of transfer. One very important option is to disable canvas support: the HTML5 canvas can be read back by a page to fingerprint your graphics stack. Privacy Badger should detect and block this kind of tracking, but just to be sure... Disabling WebRTC and the other options is optional.

WebRTC can be used by any page to discover your local IP address, so for privacy and security reasons you might want to disable it, either in RAS or manually:

type about:config in the address bar, confirm the warning, search for media.peerconnection.enabled and set it to false.

Be aware that this disables all WebRTC functionality, so browser-based voice and video calls will stop working until you turn it back on.

 

8. If you're already in about:config, search for browser.safebrowsing. This built-in module improves your security but costs you privacy and anonymity: it keeps a Google-supplied blocklist up to date and, for downloaded executables, sends information about the file to Google's servers to check whether it is known malware. Double-click browser.safebrowsing.updateURL and browser.safebrowsing.reportURL and clear both values, then double-click browser.safebrowsing.enabled and browser.safebrowsing.malware.enabled to set them to false. Bear in mind that you give up phishing and malware warnings in exchange. As for Google's other services in Firefox: Firefox uses the Google Location Service to determine your physical position, so set geo.wifi.uri to http://127.0.0.1, or just disable geolocation completely by setting geo.enabled to false (double-click).

[screenshot: about:config safebrowsing and geo preferences]

 

9. Recently publicised attacks that reach your home router from a web page (which need to discover your LAN address first) can be blocked in Firefox simply by disabling media.peerconnection.enabled (see point 7), or with NoScript. NoScript is a really great extension that greatly improves security and privacy online by blocking unwanted content: JavaScript from third-party domains, nested frames, Flash, Java, Silverlight and many, many more. It is recommended for more advanced users; you must really know what you are doing. To protect yourself from the router attack, adjust the ABE (Application Boundaries Enforcer) settings so that internet sites cannot make requests to LOCAL addresses:

[screenshot: NoScript ABE settings]
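To show what points 7 and 9 are guarding against, here is an added example (not code from the original post or from any add-on) of what a page learns through WebRTC: every RTCPeerConnection gathers ICE candidates that carry the addresses of your network interfaces, without any permission prompt. The parsing and classification are plain functions so they also run outside a browser; probeLocalAddresses() needs a browser with WebRTC enabled and reports supported: false otherwise. The candidate strings in the test are constructed.

```javascript
// Added example: what a page can read from WebRTC ICE candidates, and how
// the post's media.peerconnection.enabled = false setting shuts it off.

// Parse one ICE candidate string (RFC 5245 "candidate:" attribute) and
// return the advertised address and candidate type, or null if it does not parse.
function candidateAddress(candidate) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/.exec(candidate);
  return m ? { address: m[1], type: m[2] } : null;
}

// Private / link-local ranges: RFC 1918, RFC 3927, IPv6 ULA fc00::/7 and
// link-local fe80::/10. Such an address reveals your LAN layout, which is the
// first step of a web-page attack on the router.
function isLocalAddress(address) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(address);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  const lower = address.toLowerCase();
  return /^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower);
}

// "mdns": the browser already hides the host IP behind a random .local name
// (the modern default); "local": the leak the post worries about;
// "public": your external address (srflx / relay candidates).
function classifyCandidate(candidate) {
  const c = candidateAddress(candidate);
  if (!c) return "unknown";
  if (c.address.endsWith(".local")) return "mdns";
  return isLocalAddress(c.address) ? "local" : "public";
}

// Gather candidates in a browser. Resolves to
// { supported, candidates: [{ address, type, kind }] }.
async function probeLocalAddresses(timeoutMs = 1000) {
  if (typeof RTCPeerConnection === "undefined") return { supported: false, candidates: [] };
  const pc = new RTCPeerConnection({ iceServers: [] }); // no STUN: host candidates only
  pc.createDataChannel("probe");                        // any channel triggers ICE gathering
  const seen = new Map();
  pc.onicecandidate = (ev) => {
    if (!ev.candidate) return;
    const c = candidateAddress(ev.candidate.candidate);
    if (c) seen.set(c.address, Object.assign({}, c, { kind: classifyCandidate(ev.candidate.candidate) }));
  };
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise((resolve) => setTimeout(resolve, timeoutMs));
  pc.close();
  return { supported: true, candidates: Array.from(seen.values()) };
}

// With media.peerconnection.enabled = false, RTCPeerConnection is undefined
// and the probe reports supported: false. Outside a browser the same happens.
probeLocalAddresses().then((result) => console.log(result));
```

Paste the block into the browser console on any page to see what that page could have collected; a "local" entry in the output is exactly what the about:config change in point 7 removes.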

 

10. Are you using an SSD? Then you should take this more seriously: cached pages written to the drive cannot be reliably overwritten later, because SSD wear levelling and spare blocks keep old copies around, so data can be recovered long after it was "deleted". The safest approach is not to write the cache to disk at all. Go back to about:config and change these preferences:

browser.cache.disk.enable set to false
browser.cache.offline.enable set to false
browser.cache.disk.capacity set to 0
browser.cache.offline.capacity set to 0
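The about:config changes in points 2, 7, 8 and 10 are easy to lose track of, so here is an added example (not from the original post) that audits a profile's prefs.js against all of them and generates a user.js that re-applies the values on every start. It assumes Firefox writes only non-default values to prefs.js, that every value below differs from the defaults of the Firefox versions the post targets (so a missing entry means "not hardened"), and that the preference names are the ones the post uses; later versions renamed some of them, so check about:config. The sample prefs.js content is constructed.

```javascript
// Added example: audit prefs.js against the post's about:config hardening
// and render an equivalent user.js. Assumptions: only non-default values are
// present in prefs.js, and pref names are those used in the post.

const HARDENED_PREFS = {
  // point 2: referer
  "network.http.sendRefererHeader": 1,
  "network.http.referer.XOriginPolicy": 1,
  "network.http.referer.spoofSource": true,
  "network.http.referer.trimmingPolicy": 2,
  // point 7: WebRTC local-IP leak
  "media.peerconnection.enabled": false,
  // point 8: Safe Browsing and geolocation
  "browser.safebrowsing.enabled": false,
  "browser.safebrowsing.malware.enabled": false,
  "browser.safebrowsing.updateURL": "",
  "browser.safebrowsing.reportURL": "",
  "geo.enabled": false,
  "geo.wifi.uri": "http://127.0.0.1",
  // point 10: keep the cache off the disk
  "browser.cache.disk.enable": false,
  "browser.cache.offline.enable": false,
  "browser.cache.disk.capacity": 0,
  "browser.cache.offline.capacity": 0,
};

// Parse prefs.js / user.js lines of the form user_pref("name", value);
// Values are JSON-compatible: integers, booleans and double-quoted strings.
function parsePrefsJs(text) {
  const prefs = {};
  const line = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+)\);\s*$/;
  for (const raw of text.split(/\r?\n/)) {
    const m = line.exec(raw);
    if (!m) continue;                       // comments, blank lines, pref() defaults
    try {
      prefs[JSON.parse('"' + m[1] + '"')] = JSON.parse(m[2]);
    } catch (e) {
      // skip a line whose value is not valid JSON rather than abort the audit
    }
  }
  return prefs;
}

// Compare a profile against HARDENED_PREFS: ok, wrong (with values), missing.
function auditPrefs(prefsJsText) {
  const actual = parsePrefsJs(prefsJsText);
  const report = { ok: [], wrong: [], missing: [] };
  for (const [name, expected] of Object.entries(HARDENED_PREFS)) {
    if (!(name in actual)) report.missing.push(name);            // still at the Firefox default
    else if (actual[name] === expected) report.ok.push(name);
    else report.wrong.push({ name, expected, actual: actual[name] });
  }
  return report;
}

// Render user.js content that enforces the hardened values on every start.
function renderUserJs(prefs = HARDENED_PREFS) {
  return Object.entries(prefs)
    .map(([name, value]) => `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`)
    .join("\n");
}

// Constructed sample of a partially hardened prefs.js (not a real profile).
const SAMPLE_PREFS_JS = [
  "# Mozilla User Preferences",
  'user_pref("network.http.sendRefererHeader", 1);',
  'user_pref("network.http.referer.XOriginPolicy", 0);',
  'user_pref("network.http.referer.spoofSource", true);',
  'user_pref("media.peerconnection.enabled", false);',
  'user_pref("browser.safebrowsing.updateURL", "");',
  'user_pref("geo.wifi.uri", "http://127.0.0.1");',
  'user_pref("browser.startup.homepage", "https://example.org/\\"quoted\\"");',
].join("\n");

console.log(auditPrefs(SAMPLE_PREFS_JS));
console.log(renderUserJs());
```

To audit a real profile, read its prefs.js with fs.readFileSync and pass the text to auditPrefs(); to apply the values, write renderUserJs() to a file named user.js in the profile directory while Firefox is closed, since Firefox loads user.js at startup and copies its values over prefs.js.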

 

11. Yet another add-on to install is RequestPolicy. It is more complicated and recommended for advanced users, but once configured you can forget about it. RP lets you control which requests your browser makes to third-party servers, which are nearly everywhere (Google, Amazon, Yahoo and so on). Since it is more complicated and will most probably break many pages you visit, read a bit about it before you try it.