The Complete Firefox Privacy and Security Guide

Douglas Crawford

Douglas Crawford

November 8, 2017

Firefox Security and Privacy“Out of the box,” Mozilla’s Firefox browser is widely regarded as the most privacy-friendly mainstream browser available.

However, there are still some Firefox security and privacy concerns to be had.

In this guide, I’ll show you how you can make Firefox more secure with a few simple steps.

Firefox’s privacy-friendly status comes down to the fact that Firefox is a fully audited open source software and that, unlike proprietary browsers such Google Chrome, Microsoft Edge, Internet Explorer, and Apple Safari, it does not track what you get up to on the internet.

Another reason for its popularity among privacy-heads is the large number of add-ons available that can greatly improve the privacy and security of your browsing. In addition to this, it is possible to access Firefox’s deep configuration settings in order to tweak its privacy and security parameters.

Sign up to our newsletter

Receive the best guides and privacy news weekly.

Newsletter sign up

Sign up to our newsletter

Receive the best guides and privacy news weekly.

We promise never to share your email address, ever.

WebExtensions

Firefox is currently transitioning away from its old add-ons framework to WebExtensions. At time of writing, the latest stable release of Firefox is version 56.0.1, which can run both older add-ons and WebExtensions ones. As of Firefox 57, it will only be possible to use WebExtensions add-ons.

Most of the add-ons listed below have been transitioned to WebExtensions. Please see Are we WebExtensions yet? for the latest news about which add-ons have been updated to the new platform.
Back to top


Browser Fingerprinting

The way in which your browser is configured (especially the browser plugins used), together with details of your Operating System, allows you to be uniquely identified and tracked with a worryingly high degree of accuracy.

A particularly insidious (and ironic) aspect of this is that the more measures you take to avoid tracking (for example by using the plugins listed below), the more unique your browser fingerprint becomes.

The best defense against browser fingerprinting is to use as common and plain vanilla an OS and browser as possible. The hardened Tor browser with Tor disabled is the usual recommendation here.

Unfortunately, this leaves you open to other forms of attack. It also reduces the day-to-day functionality of your computer to such an extent that most of us will find the idea impractical.

Panopticlick

The more browser add-ons you use, the more unique your browser is. Drat!

I discuss browser fingerprinting in detail in this article.
Back to top


All Firefox add-ons are free and open source software (FOSS).

uBlock Origin

uBlock Origin LogouBlock Origin is a lightweight but powerful ad-blocker that pulls double duty as an anti-tracking add-on. It uses a number of blocking lists to filter unwanted content from appearing in your browser. The lists it comes with are pretty good, but I recommend also adding those compiled by EasyList and Fanboy.

Blocking ads and tracking scripts can break some web pages, making uBlock Origin’s on-the-fly whitelisting feature very handy. You can also toggle which types of elements are blocked (pop-ups, large media elements, cosmetic elements and remote fonts), or use the Element picker and Element Zapper modes to customise what is permitted to run on a web page.

uBlock Origin works very well in tandem with  Privacy Badger, and I recommend using both together. It is also worth noting to avoid confusion, that uBlock Origin is recommended over the very similar uBlock add-on.

Privacy Badger

Privacy Badger LogoDeveloped by the Electronic Frontier Foundation (EFF), this is a excellent anti-tracking add-on that does double-duty as an ad-blocker. Although there is some overlap in function, Privacy Badger and uBlock Origin complement each other and are best run together.

Rather than using blocklists, Privacy Badger keeps track of scripts that are embedded in web pages. If it detects that a source is tracking you, it “springs into action, telling your browser not to load any more content from that source.”

Privacy Badger allows you see which tracking scripts are present on a web page and which ones are actually tracking you. You can then decide how to deal with them (block, block cookies, or allow), or let Privacy Badger decide.

HTTPS Everywhere

HTTPS Everywhere LogoAn essential tool. HTTPS Everywhere was developed by the Electronic Frontier Foundation and tries to ensure that you always connect to websites using a secure HTTPS connection –  if one is available.

It works because many websites can accept HTTPS connections, but use regular insecure HTTP ones by default.  Just be aware that if no HTTPS connection is possible, HTTPS Everywhere will default to an insecure HTTP connection (although this can be changed in its settings).

It is, therefore, a good idea to keep an eye on the padlock icon in the URL that shows whether you are using an HTTPS connection.

NoScript

NoScript LogoNoScript is a potent tool that gives you unparalleled control over what scripts are run on your browser. However, many websites will not play game with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to.

It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web-savvy power-users, NoScript is challenging to beat.

Note that if you use NoScript, you do not also need to use uBlock Origin + privacy Badger or uMatrix.

See here for some tips on getting the best out of NoScript. The last one is particularly worth paying attention to. It is worth keeping NoScript installed even if you “Allow Scripts Globally,” as this still protects against nasty things such as cross-site scripting and clickjacking

uMatrix

uMatrix LogoDeveloped by the team behind uBlock Origin, uMatrix is something of a half-way house between that and NoScript. It provides a great deal of customizable protection but requires a fair bit of work and know-how to set up correctly.

uMatrix is not as hard to configure as NoScript and does not break as many sites. But neither is it as comprehensive.

Note that if you use uMatrix, then it is not necessary to also use uBlock Origin + Privacy Badger or NoScript.

Self-Destructing Cookies

Self-Destructing Cookies LogoThis add-on automatically deletes HTTP (regular) cookies when you close the browser tab that set them. This provides a high level of protection from tracking via cookies without “breaking” websites.

Self-destructing cookies also provides some protection against Flash/zombie cookies and ETags, and cleans DOM storage. Note that Self-Destructing Cookies and BetterPrivacy complement each other, and I recommend running them both together.

BetterPrivacy

Better Privacy LogoThis add-on controls Flash cookies. It should be configured to remove these automatically on a regular basis.

There is an argument that BetterPrivacy is now redundant as Flash is used much less by websites than it used to be. Personally, I think it is still worth running. It is recommended to run this add-on and Self-Destructing Cookies together.

Note that at time of writing BetterPrivacy has been removed by its author from official Firefox Add-on website. The WebExtensions version is in beta, however, so we should hopefully see it reappear soon.

Random Agent Spoofer

Random Agent Spoofer LogoA web browser user agent tells website what type of computer, what OS, and what browser you are using. Many sites use this information to optimize their pages to improve user experience, but this information can be used for browser fingerprinting.

Random Agent Spoofer randomly changes what user agent information is given to a website. For example, it can tell a website that you are accessing it on an iPhone using Safari, rather than on a PC using Firefox.

Note that there is some debate on how effective Random Agent Spoofer and similar add-ons are at preventing Browser Fingerprinting.  It is true that using an unmodified generic browser such as the Tor Browser is almost certainly better in this regard. But if you are using other add-ons which make your browser more unique, changing your user agent is probably useful.

Decentraleyes

Decentraleyes LogoThis add- aims to improve your privacy while browsing by hosting CND resources locally. When your browser requests one of these CDN resources, the application is blocked, and you are served up a local version instead.

If the above just sounds like techno-babble to you, please check out my Decentraleyes Review for a full explanation.

Bloody Vikings!

Bloody Vikings LogoBloody Vikings is an easy-peasy way to create temporary email addresses.

Just right-click in an email registration field, select ‘Bloody Vikings’ (or expand to see a choice of services), and a newly generated email address will be inserted into the field while a new browser tab opens to the temporary mailbox.

Mailvelope

Mailvelope LogoPGP is by far the most secure way to send private emails. But it is a pain in the butt to use. Such a significant pain, in fact, that few people bother. Mailvelope is a browser add-on that allows end-to-end PGP encryption within Firefox.

It works with popular browser-based webmail services such as Gmail, Hotmail, Yahoo!, and GMX. It makes using PGP about as painless as it gets. However, it is not as secure as using PGP with a dedicated email client. Check out my detailed look at Mailvelope here.

PassIFox

PassIFox LogoKeePass is a fantastic open source password manager. PasIFox is a Firefox add-on that brings full browser integration to KeePass.

Please check out my KeePass Review for full details.

 Privacy Settings

Privacy Settings LogoFirefox allows quite fine-grained control of its privacy settings, but to do this requires accessing its advanced configuration settings using about:config. I describe how to do this, plus provide an extensive list of privacy-related settings below.

Privacy Settings, however, allows you easy ‘one-click’ control of many of these settings using a simple GUI interface. Because it merely flips configuration settings, you can install the add-on, disable whichever settings you prefer, and then uninstall Privacy Settings to save browser resources.
Back to top


How to make Firefox More Secure Using about:config

Built into Firefox are a number of “under the hood” settings. These can be changed to improve your privacy and security when browsing.

To access Firefox’s advanced configuration settings, type about:config into the search bar, and hit enter.

Firefox about:config Settings

While it might be possible to do some damage, this warning seems a bit strong to us! Click “I accept the risk!” if you are feeling brave enough.

You will now see the configuration screen, with Preference Name’s listed in alphabetical order (by default).

Firefox about:config example

To change a boolean entry (i.e. it has a true/false value), simply double-click anywhere on the entry line. To change an integer (i.e. numeric value), double-click the entry and enter a numeric value.

about:config change

To change a string value, double-click the entry and enter the required text.

about:config change 2

When you see an option in bold in the about:config pane, it has been changed from its default value.

Where an entry is marked with an asterisk*, I strongly suggest that you follow my advice.

Warning: Some websites rely on features we discuss disabling for security reasons below. Disabling these features will therefore “break” some websites (causing problems when using them, or even causing them to refuse to load altogether).

The good news is that simply re-enabling the relevant features will un-break the affected websites, so you may require some trial-and-error to find the right balance between maximum security and accessing the services you use.

browser.privatebrowsing.autostart

The Private Browsing mode was introduced to stop you leaving any embarrassing trails of what you have been up to for other users of your browser to find. Most importantly it stops (most) cookies and does not record any History of websites you have visited or forms you have filled in.

The critical thing to remember is that Private Browsing is excellent for protecting your privacy from others using the same computer, but does little to protect someone from the outside seeing what you get up to (e.g. your ISP).

Even if you are the sole user of a computer, it is still a good idea to always surf the internet in Private Browsing mode, thanks to its cookie blocking features in particular.

By setting this Preference to true you will automatically start Firefox in Private Browsing mode, so you will never forget to turn it on. Click here for the Mozilla help entry.

browser.safebrowsing.enabled*

Firefox ships with the Google Safe Browsing extension built-in and enabled by default. Designed to prevent phishing, it compares the websites you visit to a Google-run blacklist. This means that Google is constantly able to track you.

If you have installed our recommended Firefox extensions (see above) then you will gain no additional protection from Google Safe Browsing, while telling Google a great deal about your browsing history. I therefore strongly recommend that you turn it off by setting the value to false. Click here for the Mozilla help entry.

browser.safebrowsing.malware.enabled*

Safe Browsing (now renamed Phishing Protection) is basically a version of Google Safe Browsing licensed to Mozilla (but which still reports to Google). I, therefore, recommend that you set it to false, for the same reasons as above. Click here for the Mozilla help entry.

browser.startup.homepage

By default, Firefox will start on the Mozilla Firefox Start Page, displaying a Google search box. Google (along with most major commercial search engines such as Bing! and Yahoo!) stores a great deal of information about you, including a record of the searches you make.

To start on a different page, simply enter the website address of your preferred choice. I use the anonymous no logs search engine DuckDuckGo (https://duckduckgo.com/), but Start Page may be an even better choice (https://startpage.com/). Click here for the Mozilla help entry.

browser.startup.page

If you prefer to start Firefox on a blank page, change this setting to ‘0’. Click here for the Mozilla help entry.

datareporting.healthreport.uploadEnabled

You can see details about your Firefox browser’s performance and stability any time by reviewing the Firefox Health Report (Firefox tab -> Help -> Firefox Health Report). By default, this report is periodically sent to Mozilla (in anonymous aggregate form) to help it understand problems and plan future developments.

For maximum security, you should prevent this by setting this entry to false (you will still be able to see your report, it just won’t be sent to Mozilla). Click here for the Mozilla help entry.

dom.event.clipboardevents.enabled*

If you cut, copy or paste something from a website, then the website owners can get notified of exactly which part of a webpage you have cut, copied or pasted. If they wish, they can then record or modify the text, or prevent you from copying (etc.). They can also prevent you from pasting text into online forms.

By setting this entry to false you prevent websites knowing where you pasted their text, and as a side-benefit will be able to bypass restrictions on cutting and pasting). Click here for the Mozilla help entry.

dom.storage.enabled*

I discuss the dangers of DOM storage (also known as web storage) in “More things that go bump in the night: HTTP ETags, Web Storage, and ‘history stealing”. Basically, this way of storing information within web browsers is one of the most pernicious methods used by commercial internet companies to track you across the web and is growing in popularity as netizens become more aware of the danger of ‘regular’ cookies.

Fortunately, DOM storage is easy to turn off by setting this entry to false. Click here for the Mozilla help entry. Update: Thanks to feedback from readers, it is clear that setting dom.storage.enabled to false can “break” some website. Changing this setting should, therefore, be done with caution.

geo.enabled*

When you visit a “location-aware” website you will be asked if you want to share your location. If you answer yes then Firefox will send information about nearby wireless access points and your computer’s IP address to Google Location Service, and then pass that information on to the website (a random client identifier is also assigned by Google, which expires every 2 weeks).

Although you should be asked every time this happens, and need to give your explicit consent, you can prevent giving consent accidentally or through carelessness by turning this feature off (set the value to false). Click here for the Mozilla help entry.

geo.wifi.uri

This setting determines the geolocation service used (Google Location Service by default). If you set geo.enabled (above) to false, then this setting shouldn’t matter. If it makes you feel better, however, then you can change it to 127.0.0.1 (also known as localhost or the ‘loopback address’).

In theory, this setting could point to an alternative service, but none such really exist at the moment. Click here for the Mozilla help entry.

media.peerconnection.enabled

Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.

A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on or configure any new settings.

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN. Some modern VPN clients will block WebRCT leaks, but it is safest to disable in your browser entirely. To do so, change this value to false.

If you use a good cookie manager such as Self-Destructing Cookies  (recommended), then you will not need to touch this preference. If not, then it is probably a good idea to set it to ‘1’ (only cookies from the originating server are allowed). Click here for the Mozilla help entry.

Again, using the Self-Destructing Cookies add-on is probably the best policy, but if you prefer not to, then you can control when cookies expire by setting this setting to ‘2’ (the cookie expires at the end of the session (when the browser closes)). Click here for the Mozilla help entry.

network.dns.disablePrefetch

Firefox improves page load times by resolving domain names ‘proactively and in parallel’ (i.e. it pre-fetches the information).  In their paper ‘DNS Prefetching and Its Privacy Implications: When Good Things Go Bad’, Srinivas Krishnan and Fabian Monrose argue that this practice can lead to “privacy threats that are ripe for abuse. More specifically… where it is possible to infer the likely search terms issued by clients using a given DNS resolver.”

DNS prefetching can be turned off by setting this value to true. If you can’t find this setting then you will have to add it manually by right-clicking on the about:config screen, selecting ‘New’ -> ‘Boolean’ and entering ‘network.dns.disablePrefetch’ into the dialog box. Click here for the Mozilla help entry.

network.http.sendRefererHeader

When you click on a hyperlink, the page you go to can request information about the page you clicked the link from. This information is contained in the ‘referer header’, and can be used to track you across a website.

Furthermore, Javascript scripts can “see” and reference the referrer header if this setting is turned on. Although Mozilla cautions that disabling referrer headings may cause problems with some websites, we advise changing the setting to ‘0’ (never send the referer header or set ‘document.referrer’). Click here for the Mozilla help entry.

network.http.sendSecureXSiteReferrer*

More or less the same as the entry above, except that it allows you to be tracked across websites. You can disable this setting by changing the value to false. Click here for the Mozilla help entry.

network.prefetch-next*

Firefox speeds up the browsing process by scanning links on a webpage, and pre-downloading linked-to webpages when idle. Although disabling this preference will slow down browsing somewhat, from a privacy perspective you really should set it to false. Click here for the Mozilla help entry.

privacy.donottrackheader.enabled*

Most modern browsers now support a “Do not track’ feature, which asks websites not to track you, and Firefox is no exception. While this should most certainly be turned on (set to true), you should be aware that compliance from websites is entirely voluntary. So the protection it affords can be considered fairly minimal. Click here for the Mozilla help entry.

privacy.donottrackheader.value*

While the privacy.donottrackheader.enabled (above) setting determines whether a ‘Do not track’ instruction is sent to a website, this setting determines what that instruction actually says.

You should, therefore, set it to 1 to request that websites do not track you (a header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set True). Click here for the Mozilla help entry.

privacy.trackingprotection.enabled

This enables a blocklist based on Disconnect’s blocklist, to help prevent cross-site tracking. Once Tracking Protection is activated, you will see a shield in your address bar whenever Firefox is blocking either tracking domains or mixed content.

As a side-benefit, this setting also causes pages to load 44 percent quicker on average, data usage drops by 29 percent when connecting to the top 200 Alexa websites, and the number of HTTP cookies stored by the browser falls by 67.5%. Click here for the Mozilla help entry.

toolkit.telemetry.enabled

Telemetry covers all sorts of statistical data related to your browser’s performance, usage, and responsiveness. Firefox can send anonymous reports with this data to Mozilla, which is of great assistance to developers, and for this reason, you may consider turning it on, but for maximum privacy, you should check that it is false (it is usually false by default). Click here for the Mozilla help entry.
Back to top


Firefox Privacy Recap

Firefox is an excellent browser for privacy and security, but there are lots of things you can do make it even more so! The elephant in the room is that modifying your Firefox browser in many ways makes you more unique, and therefore more susceptible to browser fingerprinting techniques. Unfortunately there is currently no way to square this circle.

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
SAVE 49% TODAY
WITH OUR
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for BestVPN.com Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
$3.25/mo
Exclusive Offer
SAVE 72% TODAY
LIMITED TIME OFFER
Get NordVPN for only
$3.29/month