Enhance Firefox Browsing Security & Privacy

in #security, 7 years ago (edited)



Firefox is by far the most secure and transparent web browser software out there. It is privacy friendly, unlike Chrome, which has all sorts of tracking built into it, and I am not sure you can disable all of it. Chrome is also not open source despite being built on Chromium: it has Google services built in, which are all known to be privacy invasive. Because it is closed source, we have no idea what code is running there, and a lack of transparency is always a security vulnerability.

Despite Firefox being transparent and open, it is still configured for general usage, so it is still vulnerable to several attack vectors that come from randomly browsing untrustworthy websites. This means that Firefox has to be configured well to give you a safe browsing experience.



Configuring Firefox for Security & Privacy




1) Addons

You should install a few addons for enhancement, but not too many, since they could be incompatible with each other. Certainly do not install untrustworthy addons: ones that are new, not open source, or suspicious.

There are 3 addons that I can recommend:

  • HTTPS Everywhere (by EFF Technologists)
  • NoScript (by Giorgio Maone)
  • uBlock Origin (by All uBlock Origin contributors)

That's it. These are all the addons you will need; there is no need to install all sorts of things. Less is more, and these addons are all open source, trustworthy and compatible, not to mention that they do their job very well.

To install them, go to Addons (or press CTRL+SHIFT+A) and search for them in the search bar. Make sure that the author name matches; you don't want to install a fake one.

  • HTTPS Everywhere

It's a simple yet powerful addon that helps you guarantee that you only visit HTTPS websites, and it signals if the website you are on has a vulnerably configured HTTPS setup. You only want to use secure HTTPS on critical login interfaces, like logging into your online banking interface or Steemit.

It has an optional feature, the Observatory, which is kind of privacy invasive if you enable it: it will record all websites that you visit and use that data according to their privacy policy, but in return it will help you avoid phishing websites. This might be helpful given how phishing can cause huge problems for crypto users, and it doesn't have to be that privacy unfriendly, since the Observatory connection can be anonymized via Tor. But keep in mind that it's a reactive defense, not a proactive one: it compares other people's browsing data to yours, so it can't save everyone from phishing scams. It's your choice whether to enable it or not.

  • NoScript

NoScript might make your browsing experience worse, since it blocks all sorts of scripts on websites. So while it gives you huge security advantages, the layout of a website might be totally broken. Some websites specifically do not let you browse them if you disable JavaScript. Others might have their layout broken. Some videos might not work, and Adobe Flash and Microsoft Silverlight won't work either. But they shouldn't. It is well known that Flash and Silverlight are horrible products for browsing security. All videos should be HTML5, like YouTube's; custom video plugins can't really be trusted.

Now you can whitelist some websites to allow Javascript or partially allow it, and you can customize it to your security level, but it's hard to customize it on your own, especially if you are a novice. If you are a newbie then just leave everything at default, otherwise there are configuration files on the internet that can be imported where people have already tweaked the addon to be more usable while also keeping the security aspects.

  • uBlock Origin

It is an adblocker, a real and transparent one, unlike Adblock Plus, which has started whitelisting ads for money, thus leaving you exposed to annoying ads, or even a security vulnerability. It's well known that most ads on the internet are HTML or JavaScript based. The era of small banner ads is over; now they are all over the place: popup ads, ads that could inject malware into your computer. It's just horrible.

So blocking ads nowadays is a security advantage, not to mention a privacy advantage, given how Google ads basically track you like Big Brother.

uBlock Origin is like a protest against the corruption that happened to Adblock Plus; many customers felt betrayed. And look, I get that they want to make money, but this is not an honest way to do it. They could have charged people for the service, or been based on donations like other projects, or integrated some sort of cryptocurrency into it; there are tons of ways to make money. But whitelisting ads for money is not an honest way, since what if a scammer pays them to whitelist their scam ads full of ransomware? It's a security problem.

uBlock Origin is fully transparent, and it is the best adblocking software right now. Although it was recently broken on some websites, don't worry, it's not an issue; I believe they have patched it in the latest version. This sometimes happens since advertisers have also figured out ways to circumvent the blocking protocols, so it's a constant cat & mouse game. But you can trust this addon since it's totally transparent and it has very good developers behind it.




2) Firefox Configuration

Ok now that you have addoned yourself up with the best ones out there, you are still not safe, since Firefox itself is configured for general browsing, thus it has tons of bloated features in it, that enhance website usability at the cost of security and privacy.

Let me just give you a few examples:

  • Cookie Policy: By default Firefox stores all cookies forever or until they expire (most cookies are permanent), and it accepts cookies from any URL in a website. Most websites carry Cloudflare, Facebook, Google, Twitter, LinkedIn, ... you name it, cookies by default, thanks to Adsense ads all over the place and social media buttons, which means that these services can track you forever. It doesn't matter if you have a dynamic IP address: they track all your browsing activity via these unique cookies they place on your computer, and they can build an entire profile from all your browsing data. It is imperative to clear cookies after they are used and never to accept 3rd party cookies. It is necessary to allow cookies since they are used in a login procedure, but why would you allow Google cookies for a Steemit login? It makes no sense. So that Google can track all websites you visit forever?

  • Behavior Tracking: Firefox by default has behavior tracking enabled that allows websites to fetch tons of private data from you, like: mouse movement, laptop battery %, wifi logging, web notifications, timing, geolocation, region & country code, network info, operating system info, internal IP (inside a home network), sensors (temperature sensor in your computer), access to webcam, camera control, facial detection, access to microphone, access to clipboard (if you have a password copied in your clipboard, any website can fetch it), ... you name it. This is an absolutely horrible invasion of privacy and security, and by default all websites can theoretically have access to this. You have no idea how much you are tracked, do you? It is really imperative to disable these features. Firefox is transparent, so you can disable this. I am not sure about Chrome…

  • Link Prefetch: This is another monstrosity. It means that all URLs in a website are pre-loaded. So if there is any malware link in a website, like say a forum, it is automatically loaded when you just open that page; you don't even have to click on it, and baaam, the malware infects your PC. So let's say you are on Bitcointalk.org, where tons of newbie scammers are posting malware links all the time: you don't have to click on the malware link, the Link Prefetch feature already opens that link automatically in the background for you, so you are infected automatically.

  • Cryptography: By default Firefox has a very weird cryptographic setup; it is definitely built on convenience, again, while ignoring security. When you connect to a secure HTTPS website it ignores all sorts of warning signs of a MITM attack. When you connect to a website, you negotiate the connection by sending cryptographic keys back and forth with the server to verify that the server you are connecting to is the real one and not a fake phishing server. Firefox ignores several red flags in a basic connection just to make the connection faster and smoother, but this could mean that you can easily connect to a fake web server and not even know about it. It also allows servers to use deprecated encryption schemes and bypass several protocols. This is not secure, and opens up a Pandora's box of problems. Luckily it can be configured to enforce the security protocols as it should.

These things are scary, and I understand that Firefox wants to be competitive and user friendly, but not at the expense of security and privacy. So all of these and more, have to be disabled.

Luckily there is a very easy way to disable them: some guys have already created a configuration file, which is transparent, and all you need to do is copy that file into the Firefox configuration folder.
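A check for the kind of configuration file described above, added here as an example (it is not the file the post refers to, and not the author's code): it parses the user_pref(...) lines of a user.js and reports which prefs in the four areas listed above are missing or differ from an assumed baseline. The pref names are real Firefox preferences; the selection of prefs, the expected values and the sample input are assumptions of this example.

```python
import re

# Assumed baseline for this example, grouped by the four areas the post lists.
# Pref names are real Firefox prefs; selection and values are illustrative.
BASELINE = {
    "cookies": {"network.cookie.cookieBehavior": 1,           # no third-party cookies
                "privacy.sanitize.sanitizeOnShutdown": True,
                "privacy.clearOnShutdown.cookies": True},
    "tracking": {"geo.enabled": False,
                 "dom.battery.enabled": False,
                 "device.sensors.enabled": False,
                 "dom.event.clipboardevents.enabled": False,
                 "media.peerconnection.enabled": False},      # WebRTC internal IP
    "prefetch": {"network.prefetch-next": False,
                 "network.dns.disablePrefetch": True},
    "tls": {"security.ssl.require_safe_negotiation": True,
            "security.ssl.treat_unsafe_negotiation_as_broken": True,
            "security.tls.version.min": 3},                   # 3 = TLS 1.2
}

SAMPLE_USER_JS = '''// constructed sample input, not taken from a real profile
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
// user_pref("geo.enabled", false);
user_pref("security.tls.version.min", 1);
user_pref("security.ssl.require_safe_negotiation", true);
'''

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for each active user_pref("name", value); line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)            # commented-out lines do not match
        if m:
            raw = m.group(2)
            prefs[m.group(1)] = (raw == "true" if raw in ("true", "false")
                                 else int(raw) if re.fullmatch(r"-?\d+", raw)
                                 else raw.strip('"'))
    return prefs

def audit(text):
    """Return (area, pref, expected, found) for each missing or differing pref."""
    prefs = parse_prefs(text)
    return [(area, name, want, prefs.get(name))
            for area, wanted in BASELINE.items() for name, want in wanted.items()
            if type(prefs.get(name)) is not type(want) or prefs.get(name) != want]
```

Calling audit() on the text of a profile's user.js returns an empty list when every baseline pref is set as expected; a pref that is only present in a commented-out line counts as missing.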


Conclusion

Well, after you have all of these privacy addons and the configurations installed, you should have a reasonably secure browsing experience free of annoying ads, malware, browser exploits, and browser tracking. Browsing the web is more privacy invasive than you thought: by default, websites can track every website you visit, forever. It is our job to not let that happen if you value your privacy.

You really don’t want your bank to see that you came from a porn site, or Facebook to see all the websites you visit and tie them to your user profile. It’s really an Orwellian world that we live in now, and it’s not just the Government that tracks people, but basically anyone could if these things are left unchecked.

Do you want a jackboot stomping on your face forever, or have you had enough of it and want to try to free yourself a little bit?



I have really liked the innovations that Mozilla has been releasing. Their new web rendering engine sounds like it will be really good.

The next presentation at our Linux User Group will be on Firefox. Most people just assume that it's just a browser and that things have pretty much stayed the same, but there are some great new features already released and in the works.

Well I don't. They are planning to spy on their users too:

Fortunately, Firefox is still the most transparent browser out there, and there is a transparent opt-out as always, however the tracking features are enabled by default. So novice users who don't add this custom user.js file (which was already updated to disable this), are being spied upon by default.

I can't even imagine what is inside Google Chrome, that is why I only run it inside a VM.

The fewer people who use Google, the better for everyone.

I do use Chrome, but only in a virtual machine. It does have some interesting apps in it.

For the important websites like banking and crypto, I only use Firefox with these configurations enabled. Anything less in my opinion is foolish and dangerous.
