56 comments

[ 4.1 ms ] story [ 109 ms ] thread
I'm always incredibly skeptical of any set of tweaks that is supposed to take off-the-shelf software and make it more private (how?) or secure (from what?). I'm sure some of these tweaks do that, but can't help but think they increase your attack surface over all (unless you have the time to read and think carefully about each settings change- in which case, you probably could have just changed the settings yourself).
They do modify the attack surface, but since these prefs cover code that ships in the release version of Firefox, they should be reasonably well tested.

Most of the preferences in this will actually reduce the target-able attack surface, and disable some features that could be footguns, but at the same time disable some optimizations that aim to reduce cognitive load on users (which in turns reduces the likelihood that mistakes will be made).

Additionally, do keep in mind that browser dev's, in addition to their ulterior harvesting agenda, have the burden of universal appeal/usability, which makes niche installs impossible. If this is a NixOS-type of configure-your-own-browser, I'm all for it. This is the reason why Consumer wireless-Router configuration sucks, because manufacturers are trying to appeal to the masses and don't want to generate a call-for-support nightmare. So yeah, if we can *nixify(I'm claiming coinage here) all things produced in bulk and for the masses, by all means!!!
> Most of the preferences in this will actually reduce the target-able attack surface

Can you point to anything specific that reduces the attack surface?

When looking at the "securefox" config, it does a bunch of strange things, like enabling embedded TikTok links (https://github.com/yokoffing/Betterfox/blob/443710b0738ebc8f...) and disabling UITour (https://github.com/yokoffing/Betterfox/blob/443710b0738ebc8f...) which Firefox uses to highlight menus and is only accessible by approved Mozilla domains (https://searchfox.org/mozilla-central/source/browser/app/per...).

It's a very strange mix of configs.

> Can you point to anything specific that reduces the attack surface?

I haven't had a chance to dig though those configs yet, but disabling things like service workers, webgl, normandy/experiments, pocket, and webrtc would be a good start at reducing attack surface

All of that also makes you easier to fingerprint. How many people disable WebGL?
Enabling WebGL makes you a lot more fingerprintable than having it disabled. See e.g. How gullible are web measurement tools? A case study analysing and strengthening OpenWPM’s reliability. B. Krumnow, H. Jonker and S. Karsch. In Proc. 18th International Conference on emerging Networking EXperiments and Technologies (CoNEXT’22). ACM, pp. 171–186, 2022. (Table 3).
The section "Securefox" should probably be renamed "Privatefox", but labels are misleading. It's best to read the project files to understand the balance taken with security, privacy, and functionality. Let's make it simple:

Want a mix of speed and privacy, while retaining functionality? Use Betterfox user.js.

Want more privacy and security at the expense of site functionality? Use Arkenfox user.js.

Want Tor prefs but without using its nodes/relays? Use Mullvad Browser.

Want anonymity? Use Tor Browser.

Another way to look at it is, you may not be aware of all the settings out there, and a set like this will help you discover them
Another way to illustrate the point: Do you read other peoples' code before you run it, or do you just blindly run it.
People who install Betterfox without reading the code are only blindly trusting one more piece of code than everyone else, really.
For specific example, this particular one disables the bookmarks toolbar, reader mode, Firefox Sync, and screen reader accessibility. Opinionated does not imply “Better”, even if the name claims otherwise.
I appreciated that the accessibility thing is called out as the top entry on the list of changes it makes you may want to override.

If it's genuinely just munching CPU if you don't use it, then turning it off by default with a warning that it's going to do that seems pretty reasonable.

(I've not tried their user.js and probably won't, but "realising the accessibility tools thing was important enough to go at the top even if the vast majority of users will care more about other entries in the list" seems like an indication that at least some thought has gone into this)

The first two prefs are commented out (using //) and are not in the user.js itself, and the latter two are in the user.js but are 1) easy to re-enable and 2) the repo indicates how to enable them if you need them. Please read the Github page.
There’s two user js files. One has all four. The other has two of four. Note the comments at the top if you’d like to distinguish between them, though certainly others will not.

I also see a disable for 0RTT; why? (Probably for the same reason that disabling TLS 1.2 was popular a few years ago.) Webrender is force-enabled; anyone that this causes startup crashes for is out of luck. Autofill and password saving is disabled; hope you migrated to a third-party app before using this.

I reiterate: Opinionated does not mean Better. It just means opinionated.

This is generally the case imo. Installing hardening tweaks/extensions/... to make yourself "more secure" and "more private" often just ends in increasing the viable attack surface and making yourself more identifiable (because such extensions/settings are very uncommon)
It's okay to have a unique fingerprint when it changes all the time. It's far better to always show up as someone new than to try to blend in with the crowd and pray that none of the countless and ever-changing ways to ID you individually doesn't give you away.
In this case, it only toggles settings already baked in to the original software. That should not increase your attack surface unless the settings are poorly tested.

Moreover, it would not decrease your privacy unless:

1. The number of people messing with the setting is very small, AND

2. The default for the setting gives you at least as much privacy as flipping it does.

The second point is not often the case. For example, turning off WebGL provides 1 bit of info ("turned off WebGL"). Leaving WebGL on allows a website to measure your WebGL setup, which is typically far more revealing. Not everyone uses the same GPU hardware and screen, after all.

In general, flipping a setting to off reveals 1 bit of information - but it might indeed be 1 bit that few others know of, thereby reducing your anonymity group in that respect. Leaving a setting on allows a website to probe you further and find out things related to the setting.

See for example amIunique.org -- it tests 4 WebGL parameters, which, for me, have a similarity ratio of 1.17%, 0.94%, 2.68%, and 0.53%. Those are quite horrible numbers and would likely identify me uniquely unless they almost completely overlap.

Took the words right out my mouth, as I wanted to post a very similar comment beginning with I'm always skeptical.

Is it because we've seen so many let downs? Probably. Can't trust anything or anyone anymore.

I think it's justified in this case. Mozilla suffers from a schizophrenic existence where they are simultaneously non-profit and for-profit, and Firefox privacy-friendly and unfriendly. For example, Firefox supports HTTPS-only mode and DNS over HTTPS, but they are not on by default. It also ships with DuckDuckGo and other search engines in the setting drop-down, but alas, that $10M/year or whatever they get from Google is too good, so fuck your privacy. You then have to manually turn all that shit on, because they won't, to the point where installing a fresh Firefox on a system now requires a bit of a rite of passage before you can get a useful browser. Do all these things I mentioned really increase your attack surface?

Also, mandatory mention: https://librewolf.net/

I wonder if you are on the group that think that DNS over HTTPS is obviously and unambiguously a benefit for security and privacy, and of course nobody disagrees; or in the group that thinks that it is obviously and unambiguously a threat for security and privacy, and of course nobody disagrees.
Neither? That setting is perhaps not a clear default among the ones I mentioned, especially because I personally wouldn't want to send my DNS requests to fucking Cloudflare or something based in the US. But I still stand by my comment that Firefox's defaults suck. At the very least they could have a useful one-time wizard that doesn't just ask you to import your bookmarks from Chrome.
How does this differ from LibreWolf? https://librewolf.net
There is a crucial difference between a config file that changes options within Firefox, and something that adds new code.

Unless something has changed dramatically, the Firefox team (and other teams) test and fuzz Firefox extensively - obviously default prefs and features will get more coverage.

An actual fork like LibreWolf that adds or removes code and ships a different build fundamentally changes how the software is built and invalidates a significant portion of the security work that has been done by the Firefox security team.

I am not arguing that Librewolf or any of the other forks of Firefox[1] are necessarily worse for security, just that browsers are ridiculously complex pieces of software and making claims about security requires more than just gutting or adding features.

[1] other than Palemoon, because screw those guys; when I challenged them on the security program for Palemoon, their loopy leader tried to harass me and other former Mozilla folks. Given their propensity for instability I wouldn't trust them at all.

That's a good point, thanks!

I should have rephrased my question to: "How do the levels of privacy/security/speed differ between Firefox+Betterfox and LibreWolf?"

I'm sure both have their tradeoffs, but I was just curious if anyone has tried and extensively compared both.

Librewolf is essentially Arkenfox but as a browser instead of a user.js. You may gain more privacy but at the expense of potential site breakage.

Betterfox is for everyday use cases and should rarely cause site breakage. It also has prefs to prevent annoyances and improve browsing speed.

…assuming you don’t use assistive technology: https://github.com/yokoffing/Betterfox/blob/443710b0738ebc8f...
I mean yeah it says that:

    Assumptions

    Apply preferences from the common overrides sticky if you want to revert the following behavior:

    - Firefox Accessibility Service is disabled to improve resource utilization and security. Override this if you use assistive software.
What about Arkenfox?
Arkenfox can be both heavy-handed (disables search from URL bar, restore tabs from previous session, etc) and hard to digest (1200 lines). By comparison, Betterfox is 250 lines and looks to be more "sane" out of the box.
> disables search from URL bar

Set keyword searches to true:

    user_pref("keyword.enabled", true);
That way it uses your default search engine when searching from the address bar.
There are substantial differences in Betterfox compared to Arkenfox. Betterfox causes less breakage and is appropriate for everyday use cases.
Does this turn off dns leaking in ff when it doesn’t find a domain.

And does this turn off wasm or web gpu?

For turning off wasm you're probably better off with something like noscript or umatrix, turning it off globally will cause mysterious problems with an increasing number of websites
This is probably what I would want - I'd prefer to know them and never visit them again except for a chosen few. (Wasm has many legitimate uses and I'm happy it exists but being old enough to see the evolution of the web I'm 100% sure it will be abused also in the ways we have no idea about yet.)
Do you mean DoH? Not everyone uses DoH or even the same DoH provider, so no, it cannot make this change universally for everyone.

You can make DoH strict by adding user_pref("network.trr.mode", 3); to your user.js. Or you can also go to about:config in the address bar, searching for network.trr.mode, and changing the value to 3.

Meanwhile I modify my Firefox to be less secure (allow unsigned extensions) so I can continue using my beloved TabMixPlus. Once you taste multiple rows of tabs you’ll never go back.
I've been using the Firefox addon called "Tree Style Tab" for quite a few years now. I'm quite pleased with it since I have more width than height on my screen anyway.

Just a heads up!

I used to use Tree Style Tabs, but I moved to Sidebery a couple years ago and I'm pretty happy with it.

Now somebody else can inform me about the newest one.

I love sidebury but how do you cope with two lots of tabs? Do you use tweaks to remove the top line?
Not OP, but I use tst too and I have around 7000 tabs open. I use a userStyle to hide the sidebar-header like this.

#sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header { display: none; }

I use Tree Style Tabs with it set to autohide, makes for even more screen space
”- Firefox Sync and Firefox View are disabled.”

No, that’s one of the best features!

View mode is potentially risky because it disables content filtering, e.g. with uBlock Origin.
Are you confusing Firefox View with Reader view?
Yes, I meant Reader View.
What that tells me is that this is more of an "opinionated" list than they let on.
Betterfox configs provide with a clean and simple interface that lets users focus on their desktop browsing experience. The overrides are there for users who want to retain features like Sync.

Edit: The project aims to have the minimum amount of needed changes, but everyone will have a different opinion on what is needed. No one can please everyone, so you have to draw the line somewhere.

Perhaps Betterfox can post a poll and get feedback on how important it is for users.

On a Mac, command-tabbing to FF takes easily half a second when you have a few tabs open. Any fixes for that?
I thought I was crazy! Would love a fix for this
Had to login to counter with my experience. I'm on MacOS and there is no delay at all when tabbing to Firefox. It's as instant as tabbing to any other app. Also, I'm not ashamed to say that I have more than a few tabs open.
Relevant: Mullvad Browser https://mullvad.net/en/browser
There are substantial differences in Betterfox compared to Mullvad, Arkenfox, and Librewolf. The latter three use almost the same configs, each with their own minor differences, while Betterfox causes less breakage and is appropriate for everyday use cases — as long as you learn how to apply a user.js.
Or just use Pale Moon, which is privacy respecting out of the box and doesn't need any hardening bullshit because it doesn't have any analytics, telemetry, third party crap like Pocket or anything else built in. It is what Firefox would've been if they didn't discard their original powerful XUL extension system and epic customization that doesn't need you to only dick around with userChrome.css (though you can if you want).

And with Firefox, the point is not that you can disable these features in about:config (until they remove that ability a few versions later) - the point is why the hell should you have to do any of this for a browser that keeps claiming to be privacy respecting?