Return to Level1Techs.com

Firefox Hardening Tips 2019

We care about privacy here on this forum. Though we lack a simple way to harden firefox without going through a complicated series of steps.

Well @MisteryAngel first mentioned it. So instead of making some elaborate guide how about we start with something called user.js. Its located in /home/USRNAME/.mozilla/random.default.

This is a very easy way to set preferences before you even start firefox. I have gone ahead and donated my user.js to the cause. Remember how you used to have to set all those in about:config . Yeah lets just skip over that and batch set it by creating a file.

If you are going to copy my user.js DO NOT do it while firefox is open. Close firefox, create the file, open firefox. The settings should all be good to go!

User.js commented (no comments in actual file)

// Heimdallr -- Added -- Privacy Enhanced
// Disable Telemetry
user_pref("browser.urlbar.trimURLs","false");  
user_pref("browser.newtabpage.activity-stream.feeds.telemetry browser.newtabpage.activity-stream.telemetry","false");
user_pref("browser.pingcentre.telemetry","false");
user_pref("devtools.onboarding.telemetry-logged","false");
user_pref("media.wmf.deblacklisting-for-telemetry-in-gpu-process","false");
user_pref("toolkit.telemetry.archive.enabled","false");
user_pref("toolkit.telemetry.bhrping.enabled","false");
user_pref("toolkit.telemetry.firstshutdownping.enabled","false");
user_pref("toolkit.telemetry.hybridcontent.enabled","false");
user_pref("toolkit.telemetry.newprofileping.enabled","false");
user_pref("toolkit.telemetry.unified","false");
user_pref("toolkit.telemetry.updateping.enabled","false");
user_pref("toolkit.telemetry.shutdownpingsender.enabled","false");

// Disable Plugin Scanning
user_pref("plugin.scan.plid.all","false");

// Disable Geolocation
user_pref("geo.enabled","false");

// Disable all disk caching PERIOD
user_pref("browser.cache.disk.enable","false");
user_pref("browser.cache.disk_cache_ssl","false");
user_pref("browser.cache.memory.enable","false");
user_pref("browser.cache.offline.enable","false");
user_pref("browser.cache.insecure.enable","false");

// Disable formfill
user_pref("browser.formfill.enable","false");

// Disable Zero Round Trip Time Resumption
user_pref("security.tls.enable_0rtt_data","false");

// Use only TLS 1.2 and 1.3
user_pref("security.tls.version.min","3");

// Disable Triple DES cipher
user_pref("security.ssl3.rsa_des_ede3_sha","false");

// Use strongest cipher
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_aes_128_sha", false);

// Evade Finger printing
user_pref("privacy.resistfingerprinting","true");

// Disable the HORRIBLE webRTC
user_pref("media.peerconnection.enabled","false");

// Disable Prefetching
user_pref("network.dns.disablePrefetch","true");
user_pref("network.prefetch-next","false");

// Disable Referrer Headers (WHY is this is a thing)
user_pref("network.http.sendRefererHeader","0");

// Disable direct GPU access (WEBGL)
user_pref("webgl.disabled","true");

// Disable battery life check
user_pref("dom.battery.enabled","false");

// Disable session identifier
user_pref("security.ssl.disable_session_identifiers","true")

// Make requests only to site being visited
user_pref("privacy.firstparty.isolate","true")

// Disable auth fast starts 
user_pref("security.ssl.enable_false_start","false")

// Disable new tab privacy concerns
user_pref("accessibility.force_disabled", 1);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories.rec.impressions", "{\"50465\":1576448311544,\"50504\":1576448311544,\"50513\":1576448311544}");
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories.spoc.impressions", "{\"2323\":[1576448311615,1576448311641,1576448317243]}");
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
user_pref("browser.newtabpage.activity-stream.impressionId", "{bc349b2a-4696-4afa-bf4f-48d1fd919fe0}");
user_pref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", "google,amazon");
user_pref("browser.newtabpage.activity-stream.prerender", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
user_pref("browser.newtabpage.activity-stream.showSearch", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.storageVersion", 1);

// Disable spell check and enable clear on shutdown
user_pref("layout.spellcheckDefault", 0);
user_pref("network.cookie.cookieBehavior", 4);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.trr.mode", 2);
user_pref("pdfjs.enabledCache.state", true);
user_pref("pdfjs.migrationVersion", 2);

// Correct Permissions
user_pref("permissions.default.camera", 2);
user_pref("permissions.default.desktop-notification", 2);
user_pref("permissions.default.geo", 2);
user_pref("permissions.default.microphone", 2);

// Enable privacy sanitization and disable PDF full page
user_pref("plugin.disable_full_page_plugin_for_types", "application/pdf");
user_pref("pref.privacy.disable_button.cookie_exceptions", false);
user_pref("privacy.clearOnShutdown.downloads", false);
user_pref("privacy.clearOnShutdown.formdata", false);
user_pref("privacy.clearOnShutdown.history", false);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.sessions", false);
user_pref("privacy.clearOnShutdown.siteSettings", true);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.history.custom", true);
user_pref("privacy.sanitize.pending", "[]");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.trackingprotection.cryptomining.enabled", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("toolkit.telemetry.reportingpolicy.firstRun", false);
user_pref("trailhead.firstrun.didSeeAboutWelcome", true);

Android Users Location:

You will find it in internal storage. You should not need root to modify it. If you do, you are in the wrong location.
/data/data/org.mozilla.firefox/files/mozilla/xxxxxxxx.default/

Simple as that create the user.js there and if it doesnt set, modify prefs.js after force closing firefox and put it in there. That should make sure the values stick! Also if this isnt the case like on a hardened lineage OS or graphene OS… See this guide to do so:
https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.6-Firefox-Android

This will disable a WHOLE ton of features one largely doesnt need to browse the web. It does remove convenience but it doesnt BREAK the web.

Extensions I have running:

Configure them as you want but this is what I have found works for me and doesnt out right break the web. Excluding uMatrix (YMMV configure as you go).

Decentraleyes:

image

Blocking requests for non locals breaks all streaming services.

HTTPS Everywhere is good on defaults

image

Privacy Badger

I would recommend checking the lower three options

uBlock

Dont enable block remote fonts. I know theres a fingerprinting chance but for the love of god it breaks too much stuff

Filters, I just enable all of them except languages and countries I dont visit websites of. Im down to hear others. If there are filters missing from the lists you think are useful, please dont hesitate to throw them in below

FlagFox and TinyEye are great and pose no real risk.

Other than that this is all I do. You dont need much more. Also you can set all of these on android as well. Same way

Proof it took

about:support
See user.js section and modified values :wink:

11 Likes

Edit: I’ve enjoyed Noscript for years, but will give this umatrix a whirl!

1 Like

uMatrix is superior to noscript

Please check the documentation

https://www.electricmonk.nl/docs/umatrix_tutorial/umatrix_tutorial.html

2 Likes

I find uMatrix confusing and frustrating to use, and I’m a professional Unix person.

I couldn’t in good faith recommend it to a friend. I know they’d get annoyed and disable it. I would recommend noscript to some of my patient friends.

It can be. I posted the guide there. The manual should help.

Also be aware I disable 128bit ciphers as in I prefer 256. Setting false doesnt force just prefers

1 Like

There’s a nice little site that incorporates some of these tweaks: https://ffprofile.com/#start

1 Like

Oh cool. Did not even know of this one. I suppose its a worthy mention

1 Like

I truly appreciate these tips because I learn something new to improve my online privacy game. I particularly like the Flagfox to see where the server resides (If it is one of the Fourteen Eyes country).

I am curious if you have tested your particular setup against EFF’s Panopticlick. I am not aware of any metric that rates a browser’s privacy/security into a number you can test against. Its far from perfect but please do share if you know a better way.

I still think Tor Browser is still the gold standard for privacy/hardening but it runs the problem of being too hardened and it breaks a lot if not all of the normie websites. How is your setup faring in those privacy invading pages, if you go there at all?

Also curious about your default search engine. I’ve pretty much given up in that front and I’ve continued to use Startpage despite its recent debacle (yes I feel dirty).

1 Like

Wow. Thanks a lot, this was very informative!

BTW, what’s your opinion on Nano Adblocker vs. Ublock?

1 Like

Ublock is superior is very many ways

May I ask… Why?

Its considered the gold standard all things considered if they both do lists and webrtc protection its fine but ublock gives more granular control etc.

Understood. What’s your opinion on Disconnect and Privacy Possum?

1 Like

All good extensions in my opinions. Of course YMMV

Never used disconnect

Indeed, YMMV is what gives spice to life on the Internet :smiley:

Here are some other extensions I use for Privacy reasons. I’d love to hear you opinion about them!

AdNauseam is a browser extension designed to obfuscate browsing data and protect users from tracking by advertising networks. Like an ad-blocker, AdNauseam blocks malware and hides ads on the pages you visit. But AdNauseam does more, collecting each ad in its AdVault for you to interactively explore. AdNauseam can also be configured to automatically click each blocked ad in the background, polluting your data profile and frustrating the trackers who violate your privacy and facilitate bulk-surveillance agendas.

Blends in OS-related values in User-Agent HTTP request header & a number of JS properties, so that Firefox (Thunderbird) appears to sites visited as running on the OS being used the most in the world. Thunderbird can also be blended in as Firefox.

At the Google Search engine, search results are converted to an ugly link upon click. This link enables tracking for Google.

For example, the search entry

http://www.google.com/
(when searching for “Google”) will be replaced with:
https://encrypted.google.com/url?sa=t&rct=j&q=Google&source=web&cd=8&sqi=2&ved=0CFgQFjAH&url=http%3A%2F%2Fwww.google.com%2F&ei=Ej__TrCkJo2bOrSs2aIE&usg=AFQjCNG5-9Jej-ukVeakTgwonqt2narbYg&sig2=f9f1dWcZoj6ZUC2Zxy9y2g

This addon removes Google’s link-conversion/tracking feature. This speeds up loading search results and allows you to normally copy links.

Clean URLs that are about to be visited:
- removes utm_ parameters*
- on item pages of aliexpress and amazon, removes tracking parameters
- skip redirect pages of facebook, steam and reddit

Neat URL cleans URLs, removing parameters such as Google Analytics’ utm parameters.

Edit: I also use Google NCR to prevent Google from reddirecting me to its Localized non-International English Version (google.es) since I live in Spain

2 Likes

Have fun please note your discontent in a seperate post or blog as it will be considered off topic here.

I agree, umatrix is powerful, but user unfriendly to almost a silly extent. It basically has to be learned from scratch.

Instead I just put ublock on all my coworkers computers. It’s easy to disable and takes care of most of the internet’s garbage.

2 Likes

Add ons for chrome or firefox:
————Firefox————


————Chrome————

1 Like