This article about enhanced privacy and security in Firefox was initially written back in April 2017. Now in October 2018, we gave it a new look and updated the list of add-ons to keep this post up to date.
Firefox is an open source browser developed by the Mozilla Foundation. It’s a very popular browser and due to its open source nature a very trusted browser, as (theoretically) anyone could check what the code does. However, Firefox alone isn’t going to make a change concerning your privacy. Although Firefox offers a function called Private Browsing, this will not really protect your privacy. What it does is just deleting your cookies, cache and history when you close the browser. While this surely is a good start it’s not enough to protect your privacy. Below I will tell you how you can make your Firefox instance more secure and your privacy protection much better.
While the default setup of Firefox isn’t enough to protect your privacy, there’s an easy way to improve this. You can do this by installing add-ons to your browser. Add-ons are programs that run in your browser and give it additional functionalities. Add-ons can have a very broad range of functionalities and not all of them are good or useful in terms of security and privacy. Some add-ons are even created for the only purpose of tracking users. It is advisable to stay away from those and to be considerate about which add-ons to install. Tracking through add-ons can be extremely powerful and harmful. There’s a list below of a number of add-ons I would recommend installing.
AdBlocker Ultimate
An ad blocker is a must have. First, ads can be really annoying. Therefore, many people would like to block them automatically. This is a controversial subject as many websites offer their services for free, but then in turn rely on advertising as income. When blocking all of these ads you will of course make it impossible for these websites to get the revenue they need with ads. If you think you would like to support a certain website you always have the possibility to make an exception and thus allowing ads on this website.
Another issue with online ads is that they often contain tracking code. Since many websites use the same few large advertising networks, these can track you throughout the web. Unless you block their ads.
NoScript
This add-on protects you from any unwanted script. It does this very reliable because NoScript will block every script. At first this is pretty annoying because it will break many websites. You will have to manually allow the scripts that caused your website to break. In the beginning this is very time consuming and it needs trial and error to figure out what exactly breaks the site. However, once your personal whitelist of scripts gets larger you will be able to surf the internet more easily, but it still requires some technical knowledge to tweak it to work the way you want it to
This is a good article on how to deal with NoScript.
NoScript can be downloaded here:
User-agent-switcher
The user agent is a string that your browser sends to the server when it requests a website. The user agent contains information about your system and helps with loading the correct page. The user agent will for example tell the website server the version of the browser you have. Therefore, the server can display you a page that your browser will support. User agents often contain so detailed information about your system that it is unlikely that identical user agent exists.
This poses the problem that somebody can identify you by your user agent. Of course, this is only possible as long as the user agent stays the same. Furthermore, it is still possible that other internet users have the same user agent as you do. So absolute tracking is not easily possible with the user agent only. Coupled with other tracking techniques, however, the user agent can be used for very powerful tracking. Luckily, there’s an easy way to protect you against this. What you can do is installing an add-on that lets you choose your user agent. This way you can still include all the necessary information in your user agent, so that the website loads correctly, but without having an identifying user agent. There are many different user agent from which you can choose and you can customize it easily in your menu bar. You can do all this with the user-agent-switcher add-on for Firefox, which you can download here:
Click on the icon in the menu bar to open the dashboard and customize your user agent from there. It should look something like this:
Alternatively, you can change your user agent without any add-on by following this guide on setting user agent in Firefox. In this case the user agent will remain static, i.e. it will not change.
Canvas blocker
When a website provides you with online drawing tools, the website probably uses the canvas element. However, the website can also use it to let your browser “draw” something and give it back to the website. Now, because of differences in computer setup, there can be small differences in the same picture drawn on different devices. The website will now store your image and as soon as you return to this website, you will be asked to calculate this picture again. The website will then compare this picture to the ones it already has and can identify you this way. This is a very powerful form of fingerprinting. You can easily avoid this by using a canvas blocker like this one:
Referer control
A HTTP referer is a line of text that your browser sends to every website you are visiting. With this referrer, your browser tells the website which website you just came from. This reveals a lot of information about you and how you move around the web. You can control your HTTP referer with the following add-on:
After installation, click on the icon in the menu bar on the top right and change the following options on the setting page: Block Javascript Referer to active and default referer for all other sites to Block. See the examples below:
HTTPS Everywhere
HTTPS is the encrypted protocol that a browser uses to communicate with the server of a website. If you don’t use HTTPS your entire communication will not be encrypted nor authenticated and left visible for anybody to see, including any passwords or similarly confidential things submitted. It is therefore highly suggested force HTTPS connections and to use HTTPS on sites that are known to support it. This is where this add-on comes in handy because that’s what it does. You can download this add-on under the following link:
Disconnect
Disconnect visualizes and blocks websites that track your search and browsing history. By blocking all these trackers you actually save a lot of loading time and bandwidth. Disconnect is very practical in combination with NoScript, as it still gives protection when you chose to allow scripts with NoScript. You can download this add-on under the following link:
What else can I do?
By now, your menu bar should look like the one shown below:
While you will have quite a good protection with the add-ons I presented above, which should be enough for most everyday users, you still won’t be perfectly protected. The problem is that you can be identified by the add-ons you installed. Unfortunately, there is no easy solution to this problem. It depends on personal choice whether you want to install the add-ons mentioned above or if you would rather want to use the standard setup of Firefox to avoid the possible fingerprinting. You can also use the Tor browser or SnowHaze, which are both not vulnerable to fingerprinting through add-ons while still offering great protection. Also check out this article about the Tor browser
Another big issue that remains is your IP address. While the IP address (depending on your setup) won’t let a website identify your device, it still reveals a lot about you. If your Internet provider doesn’t change your IP address regularly (there is no simple way to influence this) then a website can easily identify you by your IP address. The best way to get around this is to use a VPN service. A VPN service lets you redirect your requests over their server(s). This way the website doesn’t see your IP address, but the address of the VPN server instead. While there are some free VPN services available, I wouldn’t recommend using them since you can’t be sure if you can trust them. You can find a big list of VPN services here or subscribe to our own SnowHaze VPN within the SnowHaze app.
Originally written on April 7th, 2017
Revision October 15th, 2018
Related Posts
Download SnowHaze
