Firefox/Privacy
This article overviews how to configure Firefox to enhance security and privacy.
Contents
- 1 Configuration
- 1.1 Anti-fingerprinting
- 1.2 Tracking protection
- 1.3 Change browser time zone
- 1.4 Change user agent and platform
- 1.5 WebRTC exposes LAN IP address
- 1.6 Disable telemetry
- 1.7 Enable Do Not Track Header (DNT)
- 1.8 Disable/Enforce Trusted Recursive Resolver
- 1.9 Disable geolocation
- 1.10 Disable Safe Browsing service
- 1.11 Disable WebGL
- 2 Extensions
- 3 Remove system-wide hidden extensions
- 4 Hardened user.js templates
- 5 See also
Configuration
The following are privacy-focused configuration tweaks to prevent browser fingerprinting and tracking.
Anti-fingerprinting
Mozilla has started an anti-fingerprinting project in Firefox, as part of a project to upstream features from Tor Browser. Many of these anti-fingerprinting features are enabled by this setting in about:config:
- privacy.resistFingerprinting to true
There is no user-facing documentation about this flag, and Mozilla does not recommend users enable it, since it will break a few websites (it exists mostly to make life easier for the Tor Browser developers). But it does automatically enable many of the features listed below (such as changing your reported timezone and user agent), as well as protection against other, lesser-known fingerprinting techniques. See the tracking bug that lists many of these features.
Tracking protection
Firefox gained an option for tracking protection. It can be enabled by this setting in about:config:
- privacy.trackingprotection.enabled to true
Apart from privacy benefits, enabling tracking protection may also reduce load time by 44%.
Note that this is not a replacement for ad blocking extensions such as uBlock Origin and it may or may not work with Firefox forks. If you are already running such an ad blocker with the correct lists, tracking protection might be redundant.
Change browser time zone
The time zone of your system can be used in browser fingerprinting. To set Firefox's time zone to UTC, launch it as:
$ TZ=UTC firefox
Or, set a script to launch the above (for example, at /usr/local/bin/firefox).
Change user agent and platform
You can override Firefox's user agent with the general.useragent.override preference in about:config.
The value for the key is your browser's user agent. Select a known common one.
- The value Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0 is used as the user agent for the Tor browser, thus being very common.
- The #Anti-fingerprinting option also enables the Tor browser user agent and changes your browser platform automatically.
To change the platform for Firefox, add the following string key in about:config:
general.platform.override
Select a known common platform that corresponds with your user agent.
Win32 is used as the platform for the Tor browser, corresponding with the user agent provided above.
WebRTC exposes LAN IP address
To prevent websites from getting your local IP address via WebRTC's peer-to-peer (and JavaScript), open about:config and set:
- media.peerconnection.ice.default_address_only to true
- media.peerconnection.enabled to false (only if you want to completely disable WebRTC)
You can use this WebRTC test page and WebRTC IP Leak VPN / Tor IP Test to confirm that your internal/external IP address is no longer leaked.
Disable telemetry
Set toolkit.telemetry.enabled to false and/or disable it under Preferences > Privacy & Security > Firefox Data Collection and Use.
Enable Do Not Track Header (DNT)
Set privacy.donottrackheader.enabled to true or toggle it in Preferences > Privacy & Security > Tracking Protection.
Disable/Enforce Trusted Recursive Resolver
Firefox 60 introduced a feature called Trusted Recursive Resolver (TRR). It circumvents DNS servers configured in your system, instead sending all DNS requests over HTTPS to Cloudflare servers. While this is significantly more secure (as "classic" DNS requests are sent in plain text over the network, and everyone along the way can snoop on these), this also makes all your DNS requests readable by Cloudflare, which provides the TRR servers.
- If you trust DNS servers you've configured yourself more than Cloudflare's, you can disable TRR in about:config by setting network.trr.mode (integer, create it if it doesn't exist) to 5. (A value of 0 means disabled by default, and might be overridden by future updates - a value of 5 is disabled by choice and will not be overridden.)
- If you trust Cloudflare DNS servers and would prefer extra privacy (thanks to encrypted DNS requests), you can enforce TRR by setting network.trr.mode to 3 (which completely disables classic DNS requests) or 2 (uses TRR by default, falls back to classic DNS requests if that fails). Keep in mind that if you're using any intranet websites or trying to access computers in your local networks by their hostnames, enabling TRR may break name resolution in such cases.
- If you want to encrypt your DNS requests but not use Cloudflare servers, you can point to a new DNS over HTTPS server by setting network.trr.uri to your resolver URL. A list of currently available resolvers can be found in the curl wiki, along with other configuration options for TRR.
Disable geolocation
Set geo.enabled to false in about:config.
Disable Safe Browsing service
Safe Browsing offers phishing protection and malware checks, however it may send user information (e.g. URL, file hashes, etc.) to third parties like Google.
To disable the Safe Browsing service, in about:config set:
- browser.safebrowsing.malware.enabled to false
- browser.safebrowsing.phishing.enabled to false
In addition, disable download checking by setting browser.safebrowsing.downloads.enabled to false.
Disable WebGL
WebGL is a potential security risk.[1] Set webgl.disabled to true in about:config if you want to disable it.
Extensions
See Browser extensions#Privacy.
Remove system-wide hidden extensions
Several extensions, hidden to the user, are installed by default in /usr/lib/firefox/browser/features. Many can be safely removed via rm extension-name.xpi in order to completely remove unwanted features. Many of these extensions are not enabled by default and have a menu option for enabling or disabling. Note that any files removed will return upon update of the firefox package. To keep these extensions removed, consider adding the directories to NoExtract= in pacman.conf, see Pacman#Skip files from being installed to system. Below are a few examples of these extensions and their features.
- activity-stream@mozilla.org.xpi - "Activity Stream" which replaces the new tab page. See [2]
- firefox@getpocket.com.xpi - Pocket
- followonsearch@mozilla.com.xpi - Search telemetry. See also #Disable telemetry.
- shield-recipe-client@mozilla.org.xpi - SHIELD studies
See also [3] for a full list of system extensions including README files describing their functions.
Hardened user.js templates
Several active projects maintain comprehensive hardened Firefox configurations in the form of a user.js config that can be dropped into the Firefox profile directory:
- pyllyukko/user.js
- ghacksuserjs/ghacks-user.js
- ffprofile.com (github) - online user.js generator. You select which features you want to enable and disable and in the end you get a download link for a zip-file with your profile template. You can for example disable some functions, which send data to Mozilla and Google, or disable several annoying Firefox functions like Mozilla Hello or the Pocket integration.
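As an added example (not part of the original page or of the projects listed above), the following Python script checks the contents of a user.js against a subset of the preferences from the Configuration section. It assumes the usual user_pref("name", value); line format; the names EXPECTED, parse_prefs and audit are illustrative, and SAMPLE is constructed data.

```python
import json
import re

# Values from the Configuration section; any explicit TRR mode (2, 3, 5) passes.
EXPECTED = {
    "privacy.resistFingerprinting": {True},
    "privacy.trackingprotection.enabled": {True},
    "media.peerconnection.ice.default_address_only": {True},
    "toolkit.telemetry.enabled": {False},
    "network.trr.mode": {2, 3, 5},
    "geo.enabled": {False},
    "webgl.disabled": {True},
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    prefs = {}
    for name, raw in PREF_RE.findall(text):  # lines starting with // never match
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep anything else as raw text
    return prefs

def audit(text):
    """Return {pref: problem}; types must match, so 0 does not pass for false."""
    prefs, findings = parse_prefs(text), {}
    for name, allowed in EXPECTED.items():
        value = prefs.get(name)
        if name not in prefs:
            findings[name] = "missing"
        elif not any(type(value) is type(a) and value == a for a in allowed):
            findings[name] = "unexpected value %r" % (value,)
    return findings

# Constructed sample user.js content, not taken from a real profile or template.
SAMPLE = '''
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("toolkit.telemetry.enabled", true);
user_pref("network.trr.mode", 0);
user_pref("geo.enabled", false);
// user_pref("webgl.disabled", true);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The Safe Browsing preferences are left out of EXPECTED because disabling them trades phishing and malware checks for privacy; add them to the dictionary if that is the choice you have made.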
See also
- privacytools.io Firefox Privacy Add-ons
- prism-break.org Web Browser Addons
- MozillaWiki:Privacy/Privacy Task Force/firefox about config privacy tweeks - a wiki page maintained by Mozilla with descriptions of privacy specific settings.
- How to stop Firefox from making automatic connections - an annotated list of the corresponding Firefox functionality and the settings to disable it case-by-case.