IMPROVING FIREFOX PRIVACY & SECURITY ▀ TWEAKS [PART II]

UPDATED ON: 2023-08-04

IMPROVING FIREFOX PRIVACY & SECURITY FIREFOX ADDONS [Part I]

Finally I’ve managed to finish this part of the FAQ.
Note: this is a loooong read, so mistakes can occur » please [report them to me].

One of the most distinctive features of Firefox was customization. With each new version it becomes less customizable, thanks to the marketing people at Mozilla Corp., who do everything to make Firefox look like Google Chrome.
But despite their fruitless efforts there are still alternatives:

WINDOWS: [IceWeasel]
ANDROID: [Mull] + [IceRaven]


To enter the hidden configuration menu, type the following in the address bar:

about:config

Here you can do magic in terms of security and privacy. But beware that you can easily break things, so be reasonable.
Tweak with responsibility and a full understanding of what you are doing!

!INTERESTED IN PRIVACY? Check out FAQ on [how to remove telemetry bloat] from Firefox.

► DISCLAIMER

CHANGING DEFAULT SETTINGS WILL VOID YOUR WARRANTY!
IF IT WORKS FOR ME IT DOESN’T MEAN THAT IT WILL WORK FOR YOU.


► BASIC PRIVACY SETTINGS

privacy.trackingprotection.enabled = TRUE

Enable Mozilla’s new built-in tracking protection.

webgl.disabled = TRUE

WebGL provides a JavaScript API for rendering 3D graphics in a canvas element. It may be used to fingerprint your machine by the performance of its graphics hardware.

browser.display.use_document_fonts = 0

Under certain circumstances the number and type of fonts installed on your system may contribute to your de-anonymization.

dom.storage.enabled = FALSE

When enabled, sites can store up to 5 MB of super-cookies in your browser using local storage. This setting is independent of your cookie management. Setting it to FALSE may break the login process on password-protected sites. If that happens, change it back to TRUE.

browser.sessionhistory.max_entries = 2

Using the attribute “history.length”, a web site can see how many pages you have visited before. Lowering this value minimizes the risk of privacy exposure.

browser.cache.disk.enable = FALSE

Disables caching to the hard disk.

browser.cache.memory.enable = FALSE

Disables caching in RAM. Pretty paranoid, to say the least.

Regarding caching: your browser should not cache any third-party content at all, or should at least delete it upon moving to another site.

geo.enabled = FALSE

Disables your geolocation.

geo.security.allowinsecure = FALSE

Disables geolocation for insecure non-HTTPS sites [option available in the latest versions of Firefox].

browser.safebrowsing.phishing.enabled = FALSE

Disables Google “Safe Browsing” phishing protection. Prevents your browser from dialing back to Google.

browser.safebrowsing.malware.enabled = FALSE

Disables Google “Safe Browsing” malware checks. Prevents your browser from dialing back to Google. Privacy improvement.

dom.event.clipboardevents.enabled = FALSE

Prevents websites from being notified when you copy, paste, or cut something from a web page, which would also let them know which part of the page had been selected.

network.cookie.cookieBehavior = 1

Restrict cookies
0 = Accept all cookies by default
1 = Only accept from the originating site [block third party cookies]
2 = Block all cookies by default

network.cookie.lifetimePolicy = 2

Cookies are deleted at the end of the session
0 = Accept cookies normally
1 = Prompt for each cookie
2 = Accept for current session only
3 = Accept for N days

network.http.sendRefererHeader = 0

Disables sending of the Referer header. In some cases this could break the login process on password-protected sites. If so, change it to 2.

browser.cache.offline.enable = FALSE

Disables offline cache.

browser.send_pings = FALSE

The ping attribute lets websites track visitors’ clicks; this disables it.

dom.battery.enabled = FALSE

Disables access to your laptop battery status information.

media.peerconnection.enabled = FALSE

Disables WebRTC peer connections.

media.peerconnection.turn.disable = TRUE
media.peerconnection.use_document_iceservers = FALSE
media.peerconnection.video.enabled = FALSE
media.peerconnection.identity.timeout = 1

If you want to make sure every single WebRTC-related setting is really disabled, change these settings too.

security.nocertdb = TRUE

Prevents fingerprinting through intermediate CA caching.

► MORE ADVANCED STUFF

toolkit.telemetry.server

Delete server URL and leave it empty!

devtools.onboarding.telemetry.logged = FALSE
toolkit.telemetry.updatePing.enabled = FALSE
browser.newtabpage.activity-stream.feeds.telemetry = FALSE
browser.newtabpage.activity-stream.telemetry = FALSE
browser.ping-centre.telemetry = FALSE
browser.tabs.crashReporting.sendReport = FALSE
toolkit.telemetry.bhrPing.enabled = FALSE
toolkit.telemetry.enabled = FALSE
toolkit.telemetry.firstShutdownPing.enabled = FALSE
toolkit.telemetry.hybridContent.enabled = FALSE
toolkit.telemetry.newProfilePing.enabled = FALSE
toolkit.telemetry.reportingpolicy.firstRun = FALSE
toolkit.telemetry.shutdownPingSender.enabled = FALSE
toolkit.telemetry.unified = FALSE
toolkit.telemetry.archive.enabled = FALSE
datareporting.healthreport.uploadEnabled = FALSE
datareporting.policy.dataSubmissionEnabled = FALSE
datareporting.sessions.current.clean = TRUE

I don’t have time to explain the meaning of all options. Just [search yourself] if you are interested and want to know more.
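As an added check (not part of this FAQ or of any linked profile), here is a small Python script that parses a prefs.js or user.js file, where Firefox stores preferences as user_pref("name", value); lines, and reports which of the settings from the Basic Privacy and More Advanced sections above are not at the recommended value. The sample prefs.js content is constructed, and the selection of prefs is a subset chosen for illustration.

```python
import re
# Recommended values from this FAQ (a subset of the Basic Privacy and More
# Advanced sections); "" for toolkit.telemetry.server means "left empty".
RECOMMENDED = {
    "privacy.trackingprotection.enabled": True,
    "webgl.disabled": True,
    "network.cookie.cookieBehavior": 1,
    "media.peerconnection.enabled": False,
    "toolkit.telemetry.enabled": False,
    "toolkit.telemetry.server": "",
}

# One user_pref("name", value); line; value is true/false, an integer or "string".
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse prefs.js/user.js text into {name: value} with Python types."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unexpected
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(prefs, recommended=RECOMMENDED):
    """Return {name: (current, wanted)} for every pref off the recommended value.
    A pref absent from prefs.js is still at Firefox's default (current=None).
    Types are compared too, so a boolean true never passes as the integer 1."""
    findings = {}
    for name, wanted in recommended.items():
        current = prefs.get(name)
        if current != wanted or type(current) is not type(wanted):
            findings[name] = (current, wanted)
    return findings

# Constructed sample in prefs.js format (not taken from a real profile).
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("privacy.trackingprotection.enabled", true);
user_pref("webgl.disabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("toolkit.telemetry.server", "https://telemetry.example.invalid/");
"""
```

Remember that prefs.js only lists preferences that differ from the defaults, so a pref the script reports as None has simply never been changed in that profile.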

► DESPYING PALEMOON

By default, Pale Moon’s home page is set to https://palemoon.start.me , and it will automatically make a connection to it upon its first run. Some parts of this page connect to Google Analytics, which can fingerprint and track you across the internet. The first thing to do, after you have downloaded Pale Moon, is to turn off your internet connection. Then install the browser and change the homepage to something more useful.

Don’t forget to disable update checking in browser settings.

Finally, these settings should be changed in about:config:

extensions.blocklist.enabled = FALSE
services.sync.prefs.sync.security.OCSP.enabled = FALSE
security.OCSP.GET.enabled = FALSE
security.OCSP.require = FALSE
security.OCSP.enabled = 0

I recommend not using versions above 29.1.1. A comprehensive explanation is [here].

► CUSTOM CONFIGURED USER.JS

To improve your Firefox security to an unprecedented level, download the custom [configured user profile]. I am warning you that this configuration is very paranoid and somewhat obsolete and outdated, but it is definitely worth getting acquainted with.

► SOME WORDS ABOUT JAVA & FLASH

I advise you to stay away from these insecure technologies. Both of them have very many backdoors and privacy leaks. Java is used on less than 5% of sites, so you can safely forget about it. I recommend uninstalling both technologies from your computer. As for Flash, it is already in EOL status. The latest version is 32.0.0.465.

But if for some reason you’re up to using Flash, here are some tips to prevent privacy leaks. You need to modify mms.cfg in the following directories:

Windows (32Bit): Windows\System32\Macromed\Flash\
Windows (64Bit): Windows\SysWOW64\Macromed\Flash\
Linux: /etc/adobe/

Configuration file mms.cfg must include the following settings:

DisableSockets ► 1

Disables socket connections to avoid circumvention of proxy settings and deanonymization.

AVHardwareDisable ► 1
DisableDeviceFontEnumeration ► 1

Disables speakers, microphone and enumeration of installed fonts to reduce the quality of browser fingerprinting.

ThirdPartyStorage ► 0
LocalStorageLimit ► 1
AssetCacheSize ► 0

Blocks cookies and third-party content to avoid tracking.

FileDownloadDisable ► 1
FileUploadDisable ► 1
LocalFileReadDisable ► 1

Disables uploads and downloads of files by the scripting API.

LegacyDomainMatching ► 1

Enforces exact domain matching for SWF files in the same sandbox.

This article is part of a comprehensive Windows 7 FAQ, which will be released in the near future. Check my blog for the precise release date.