43 comments

[ 3.1 ms ] story [ 74.9 ms ] thread
Shouldn’t Firefox come hardened out of the box ?
This checklist is a work in progress, would love to hear your feedback.
Disable WebGL. Not in a funny javascripty extension, in about:config.
I'm surprised Firefox Multi-Account Containers isn't mentioned. Seems ideal to me to keep Web Universes separate.
There are things I also do like removing sponsored links on the about page and url bar. Also disable type-ahead to search engine.

My understanding is that Privacy Badger no longer learns by default. I never wanted that, just block known things, like search engine click hijacks.

I’m not sure what to do about the user agent header. Changing or simplifying it tends to break sites. Also I’d like to promote Linux there but that’s at odds with privacy.

I just want something (config or extension or instructions or whatever) to give me the best (rather, most common/average) fingerprint possible according to that EFF tool. Does that exist?
Set the browser.ml.chat.enabled and browser.ml.enabled to false as they intensively use the processor and drain the battery. All that to just find the best name for your tab groups. I prefer to have my laptop last one more hour instead.
After the shit Mozilla pulled with ad/tracking this summer, the first step for improved privacy should be to delete firefox and switch to brave / what have you.
I've been a Firefox die-hard since it was called Phoenix a couple decades ago. That said, over the last two months I've been testing Orion Browser (from Kagi, to which I subscribe), and am smitten with it. It's Apple only at the moment, which is a drawback, but if you live in that ecosphere, it's worth a look.

Orion is Webkit-based, can install extensions from Chrome OR Firefox, privacy respecting, and a whole lotta niceties for per-website tweaks and other customizations.

[0] https://kagi.com/orion/

Thanks for this ... great start. Mozilla Firefox COULD be an even more powerful source for good. Stop focusing on BS VPN, AI, etc ... focus on great browser, security, privacy. There is a possible niche for a centrally managed, security focused browser for companies ... like the Island Browser ... as an option.
If the first item isn't "whitelist JS", you're doing it wrong. So many problems arise from letting any site run programs on your computer that it's best to reserve the privilege to the most trusted of sites.
I have also found that since using Noscript that way and only whitelisting the few sites I actually use interactively, now because all the Cookie warning garbage, clicking away of subscribe dialogs etc is gone, all in all I do less manual annoying interaction on sites I visit.
remember that "firefox -p" opens the profile manager so you can have one profile without the last two items on that list, just for when you need one or two sites that have broken login code that requires 3rd party cookie (it's always for malicious reasons rather than incompetence, but if you have to login you have to login)
How would you know if DuckDuckGo actually respected privacy? It's a black box.
A fools errand.

No matter how effective this list is, the settings will either revert, change, or be silently undone.

New settings will alter the efficacy of the old ones.

Existing settings will disappear.

The behavior you hoped to configure changed to its opposite.

Remember: there was one morning when we all woke up and saw every dns query sent to cloudflare doh by default, and with no opt-in.

Will enabling "HTTPS-Only Mode" block http://localhost? If so, it would interfere with web development.
Notice, if you have all these settings enabled, you can still be fingerprinted. Test here:

https://fingerprint.com/

In my tests only Tor was able to prevent that, but using Tor will give you bad rankings on payment sites like PayPal, you may even get banned there.

I learned this from here:

https://news.ycombinator.com/item?id=35243355

That site is now black, surely a coincidence. Here the archive.org link:

https://web.archive.org/web/20250801173508/https://www.bites...

Have a local copy.

> fingerprint dot com

Is this an ad? Of all the things I was expecting to see when I clicked that, "Contact Sales" was not one of them.

AFAIK none of these check for changing fingerprints. Your browser could report a very unique screen resolution, but could be configured to change it periodically. How much does that fool fingerprinting algorithms?
This is kind of a stupid ChatGPT article.

No, this will not effectively help to reduce the fingerprint of your Browser.

A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OSCP, etc pp).

I wrote a more detailed article about this, and got an "as good as possible" as a result.

But yeah, please please start to use a Host Firewall where you can block on a per-domain and per-port and per-process basis (like LittleSnitch, OpenSnitch etc) to validate your assumptions. UIs will always lie to you, including the one from Firefox.

[1] https://cookie.engineer/weblog/articles/firefox-privacy-guid...

Neat article.

I would add `layout.css.font-visibility=1` to hide all non-default fonts (makes a canvas font rendering test less useful).

Yes, sadly Little Snitch (or a similar app) is required to tame Firefox. It's a real shame since they use "Privacy" as selling point, but for me that starts with being transparent about what they do behind the users' backs with very clear ways to disable any nonsense (no about:config or policy BS, but proper GUI exposed options), or even better with a proper opt-in to those "security" and comfort features.

It pretty much eroded any trust I had in this browser and Mozilla (they are no more better than Google, Meta, Apple in that regard.) If it wasn't for uBlock Origin and availability for older OSX versions I would ditch it (the Dynasty build is the only option I have for a recent browser on my old Mac.)

>No, this will not effectively help to reduce the fingerprint of your Browser.

Ironically many of your fingerprinting tweaks in your article make your more fingerprintable, because disabling random web APIs makes you stick out like a sore thumb (think https://xkcd.com/1105/). Besides, most of the configs you're modifying for anti-fingerprinting purposes are already covered by RFP.

>A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OSCP, etc pp).

Can you elaborate on how these services are "tracking"? Except for maybe safebrowsing, and OSCP, none of these services actually send information on what sites you visit. Unless you mean "tracking" to mean "make connections to the internet".

My dream is a user-friendly network-level firewall of some kind which can selectively block requests to domains on the entire network level. Something like uMatrix but for your entire network.

Imagine being able to block `ads.google.com` or whatever from all of your devices at once but without having to rely on local DNS. Or being able to block `pornhub.com` from just some of your devices but not all of them.

I assume the technology to do this is readily available in the form of parental control software or enterprise/office firewalls. However on the consumer level I don't know of anything which does this effectively.

(comment deleted)
If you want a hardened version of Firefox, download LibreWolf.
Yeah, librewolf does a lot of the article's suggested things by default and is less likely to introduce new misfeatures to opt out from
My entire feeling about privacy is that, while surveillance economy tends to amplify the worst parts, ultimately, Richard Thieme's presentation is right: https://www.youtube.com/watch?v=atDgnkvzD8I

Thought experiment: in 100 years or even ten, can you imagine that there will not be tiny little camera robots that can get into the home of every person alive? Wouldn't every single living person be prone to having nude and unflattering, private moments leaked all over the internet?

Socially, if privacy is a construct, then so is the fallout we expect others and ourselves to feel when privacy is violated. To some extent, not all, this is self-inflicted Victorian thinking. To the extent that it's true, part of the answer is, in the words of the brave (lol) Michael Cohen, "So what?" Really, so what? I hope we can get to that kind of reaction to adults having their privacy upended because it just takes so much of the bite out of the problem, the shame that relatively innocent people would experience for something completely out of their control.

As far as the getting it back under control thing, we may also be coming to a point that more technologies are so dangerous or impactful that there becomes a need for more strict control so that powerful tech like miniaturization produces paper trails and the use of such technology comes with an implicit requirement for openness. I don't really care that people can use miniaturization, but I care if they can anonymize it to the extent that we create a lawless society with no remaining means of accountability.

What *will* Russia and North Korea do when it becomes plausible to unleash little robot assassins either in small numbers to target individuals or mass numbers to carry out what is essentially nuclear scale death without nuclear scale fallout and destruction? It is plausible that this is a new facet of WMDs and MAD-based deterrence.

Privacy, robots, and the inevitable slide into world war 3.

Firefox doesn't "help your privacy" and make promises just because it's developed by Mozilla, and Chromium doesn't become worse than Firefox just because it's developed by Google. As others have said, this article feels like it was written in LLM.
Basic things that browsers lack:

  - hooks between network steps
  - hooks between steps while rendering/interacting with a website
Things that I want to do but I can't:

  - catch a request and modify it, e.g. when a webpage tells my browser to visit ajax.googleapis.com/jquery.js then my browser SHOULD NOT DO IT. Seriously, just don't start running shit on my computer when I click something. Noone wants that, apart from Google. Not the users. I should be able to modify that request, and serve jquery from somewhere else. 
  - stop the browser's javascript execution
  - run my own javascript (these two are currently unavailable together, if you don't allow javascript on a webpage, then you can't run your own) (or modify HTML/DOM in some other language)
I don't think Firefox is worth supporting, I believe it is a Trojan Horse of Google (or at least a Useful Idiot), and its existence is the main reason we have exactly 0 browsers (open source or proprietary) right now. It should die, so something else might flourish.
Privacy Possum is better than Privacy Badger imho
Good luck remembering to do that every time Firefox updates. Hopefully, that's the only time it changes settings, right? Right...?

Go for a Firefox fork and jump ship to Ladybird once it comes out. Forks wouldn't exist if it was trivial to revert Mozilla's mistakes.

The paradox being that every thing you customize about your browser config becomes another thing that can potentially be fingerprinted and makes you stand out as one of the 1% who has ever looked in about:config.