We have written a lengthy article discussing Firefox Add-ons, listing our favorite extensions for improving privacy while browsing. We have also talked about browser fingerprinting and history stealing, which will defeat most measures to enhance privacy, but as there is only a very limited amount that can be done to protect yourself against these pernicious tracking methods, we’ll ignore them for now.
Built into Firefox are a number of ‘under the hood’ settings, which can be changed to improve your privacy and anonymity when browsing.
To access Firefox’s advanced configuration settings, type about:config into the search bar, and hit enter.
You will now see the configuration screen, with Preference Name’s listed in alphabetical order (by default). We will now go through each Preference that has a privacy implication, explain what it does, and what we recommend you do with it.
To change a boolean entry (i.e. it has a true / false value), simply double-click anywhere on the entry line. To change an integer (i.e. numeric value), double-click the entry and enter a numeric value.
To change a string value, double-click the entry and enter the required text.
When you see an option in bold in the about:config pane, it has been changed from its default value.
Where an entry is marked with an asterisk*, we strongly suggest that you follow our advice.
Warning: Some websites rely on features we discuss disabling for security reasons below. Disabling these features will therefore ‘break’ some websites (causing problems when using them, or even causing them to refuse to load altogether). The good news is that simply re-enabling the relevant features will un-break the effected websites, so you may require some trial-and-error to find the right balance between maximum security and accessing the services you use.
The Private Browsing mode was introduced to stop you leaving any embarrassing trails of what you have been up to for other users of your browser to find. Most importantly it stops (most) cookies and does not record any History of websites you have visited or forms you have filled in. The important thing to remember is that Private Browsing is great for protecting your privacy from others using the same computer, but does little to protect someone from the outside seeing what you get up to (e.g. your ISP).
Even if you are the sole user of a computer, it is still a good idea to always surf the internet in Private Browsing mode, thanks to its cookie blocking features in particular. By setting this Preference to true you will automatically start Firefox in Private Browsing mode, so you will never forget to turn it on. Click here for the Mozilla help entry.
Firefox ships with the Google Safe Browsing extension built-in and enabled by default. Designed to prevent phishing, it compares the websites you visit to a Google-run blacklist. This means that Google is constantly able to track you. If you have installed our recommended Firefox extensions then you will gain no additional protection from Google Safe Browsing, while telling Google a great deal about your browsing history. We therefore strongly recommend that you turn it off by setting the value to false. Click here for the Mozilla help entry.
Safe Browsing (now renamed Phishing Protection) is basically a version of Google Safe Browsing licenced to Mozilla (but which still reports to Google). We therefore recommend that you set it to false, for the same reasons as above. Click here for the Mozilla help entry.
By default, Firefox will start on the Mozilla Firefox Start Page, displaying a Google search box. Google (along with most major commercial search engines such as Bing! and Yahoo!) stores a great deal of information about you, including a record of the searches you make. To start on a different page, simply enter the website address of your preferred choice. We use the anonymous no logs search engine DuckDuckGo (https://duckduckgo.com/), but Start Page may be an even better choice (https://startpage.com/). Click here for the Mozilla help entry.
If you prefer to start Firefox on a blank page, change this setting to ‘0’. Click here for the Mozilla help entry.
You can see details about your Firefox browser’s performance and stability any time by reviewing the Firefox Health Report (Firefox tab -> Help -> Firefox Health Report). By default this report is periodically send to Mozilla (in anonymous aggregate form) to help it understand problems and plan future developments. For maximum security you should prevent this by setting this entry to false (you will still be able to see your report, it just won’t be sent to Mozilla). Click here for the Mozilla help entry.
If you cut, copy or paste something from a website, then the website owners can get notified of exactly which part of a webpage you have cut, copied or pasted. If they wish, they can then record or modify the text, or prevent you from copying (etc.). They can also prevent you from pasting text into online forms. By setting this entry to false you prevent websites knowing where you pasted their text, and as a side-benefit will be able to bypass restrictions on cutting and pasting). Click here for the Mozilla help entry.
We discuss the dangers of DOM storage (also known as web storage) in our article ‘More things that go bump in the night: HTTP ETags, Web Storage, and ‘history stealing’. Basically, this way of storing information within web browsers is one of the most pernicious methods used by commercial internet companies to track you across the web, and is growing in popularity as netizens become more aware of the danger of ‘regular’ cookies. Fortunately DOM storage is easy to turn off by setting this entry to false. Click here for the Mozilla help entry. Update: Thanks to feedback from readers, it is clear that setting dom.storage.enabled to false can “break” some website. Changing this setting should therefore be done with caution.
When you visit a ‘location aware’ website you will be asked if you want to share your location. If you answer yes then Firefox will send information about nearby wireless access points and your computer’s IP address to Google Location Service, and then pass that information on to the website (a random client identifier is also assigned by Google, which expires every 2 weeks). Although you should be asked every time this happens, and need to give your explicit consent, you can prevent giving consent accidentally or through carelessness by turning this feature off (set the value to false). Click here for the Mozilla help entry.
If you set geo.enabled (above) to false, then this setting, which determines the geolocation service used (Google Location Service by default) shouldn’t matter. If it makes you feel better however, then you can change this to 127.0.0.1 (also known as localhost or the ‘loopback address’). In theory this setting could point to an alternative service, but none such really exist at the moment. Click here for the Mozilla help entry.
If you use a good cookie manager such as Cookie Monster (recommended), then you will not need to touch this preference. If not then it is probably a good idea to set it to ‘1’ (only cookies from the originating server are allowed). Click here for the Mozilla help entry.
Again, using the Cookie Monster add-on is probably the best policy, but if you prefer not to then you can control when cookies expire by setting this setting to ‘2’ (the cookie expires at the end of the session (when the browser closes)). Click here for the Mozilla help entry.
Firefox improves page load times by resolving domain names ‘proactively and in parallel’ (i.e. it pre-fetches the information). In their paper ‘DNS Prefetching and Its Privacy Implications: When Good Things Go Bad’, Srinivas Krishnan and Fabian Monrose argue that this practice can lead to ‘privacy threats that are ripe for abuse. More specifically… where it is possible to infer the likely search terms issued by clients using a given DNS resolver.’ DNS prefetching can be turned off by setting this value to true. If you can’t find this setting then you will have to add it manually by right-clicking on the about:config screen, selecting ‘New’ -> ‘Boolean’ and entering ‘network.dns.disablePrefetch’ into the dialog box. Click here for the Mozilla help entry.
When you click on a hyperlink, the page you go to can request information about the page you clicked the link from. This information is contained in the ‘referer header’, and can be used to track you across a website. Furthermore, Javacript scripts can ‘see’ and reference the refereer header if this setting is turned on. Although Mozilla cautions that disabling refereer headings may cause problems with some websites, we advise changing the setting to ‘0’ (never send the referer header or set ‘
’). Click here for the Mozilla help entry.
More or less the same as the entry above, except that it allows you to be tracked across websites. You can disable this setting by changing the value to false. Click here for the Mozilla help entry.
Firefox speeds up the browsing process by scanning links on a webpage, and pre-downloading linked-to webpages when idle. Although disabling this preference will slow down browsing somewhat, from a privacy perspective you really should set it to false. Click here for the Mozilla help entry.
Most modern browsers now support a ‘Do not track’ feature, which asks websites not to track you, and Firefox is no exception. While this should most certainly be turned on (set to true), you should be aware that compliance from websites is entirely voluntary, so the protection it affords can be considered fairly minimal. Click here for the Mozilla help entry.
While the privacy.donottrackheader.enabled (above) setting determines whether a ‘Do not track’ instruction is sent to a website, this setting determines what that instruction actually says. You should therefore set it to 1 to request a websites do not track you (a header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set True). Click here for the Mozilla help entry.
This enables a blocklist based on Disconnect’s blocklist, to help prevent cross-site tracking. Once Tracking Protection is activated, you will see a shield in your address bar whenever Firefox is blocking either tracking domains or mixed content. As a side-benefit, this setting also causes pages to load 44 percent quicker on average, data usage drops by 29 percent when connecting to the top 200 Alexa websites, and the number of HTTP cookies stored by the browser falls by 67.5%. Click here for the Mozilla help entry.
Telemetry covers all sorts of statistical data related to your browser’s performance, usage and responsiveness. Firefox can send anonymous reports with this data to Mozilla, which is of great assistance to developers, and for this reason you may consider turning it on, but for maximum security you should check that it is false (it is usually false by default). Click here for the Mozilla help entry.
Changing these advanced settings in Firefox is a good and fairly easy way to improve your internet security and stop third parties from tracking your movements across the internet. To further improve your browser security we suggest you check out these articles:
- Recommended Firefox security extensions
- Supercookies, Flash cookies, Zombie cookies and things that go bump in the night
- More things that go bump in the night: HTTP ETags, Web Storage, and ‘history stealing’, and
- Your browser’s fingerprint and how to reduce it.
Update 30 January 2015: we also strongly recommend that readers change the following value, as discussed in this article.
Search for ‘media.peerconnection.enabled’
Double-click on the entry to change the Value to ‘false’.
Update 17 November 2015: A Firefox Add-on called Privacy Settings now allows you easy ‘one-click’ control of many of these settings using a simple GUI interface.