Skip navigation

Creative Commons License

I love Firefox.
The sheer number of customisations it offers is more than enough to keep me jumping ship; being a security and privacy freak, it allows me to control exactly what it’s doing and how, enough so to put my paranoia of entering the deep, dark web to a slight ease.

This is what this post is here to offer: ways to configure Firefox through about:config, and using extensions to increase the privacy and security aspects. It is mainly for my future reference for when I’m re-installing Firefox so my choices my not suite everyone, but hopefully others may find it useful.
Any input or extra tips are greatly appreciated.

tweaking about:config

As I said I’m quite paranoid, even though my HDD is encrypted and I have multiple passwords in place to log into my system, I don’t like my browser caching any files to my drive, instead I do it all to RAM: the following about:config entries disables disk caching, and adjusts the maximum size of temporary files stored in RAM:

browser.cache.disk.enable = false
browser.cache.offline.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.disk.capacity  = 0
browser.cache.memory.capacity = 30720 [size in KB, thus 30MB]

I often route my network traffic through an SSH tunnel, but Firefox won’t perform DNS requests through a proxy unless specified, the following entry ensures it will:
network.proxy.socks_remote_dns = true

Referrer headers allow websites to track how you’ve reached them, say for example you did a search and clicked a link on Google, the website you land on will know that you’ve come from Google and, if you’re not using the SSL version of the search engine, the search terms also.
This entry disables sending these referrers:
network.http.sendRefererHeader = 0

Many modern browsers now come equipped with geo location, allowing a website to get a pretty accurate reading of where in the world you are if you accept a request.
I’ve never had the need for it, and it is not the sort of information I would want to pass on; this option will prevent it outright:
geo.enabled = false

In case Firefox crashes it can restore the tabs you previously had opened, disabling disk caching (as above) prevents this, but there is also an option to prevent it:
browser.sessionstore.enabled = false
You can also control how many websites Firefox keeps track of, for when using the back and forward buttons (5 in my case):
browser.sessionhistory.max_entries = 5

To speed up browsing, Firefox can prefetch links and images on a website that a webmaster sets to be prefetched; it means you’ download the content even if you never actually visit the intended prefetched link. This entry disabled this:
network.prefetch-next = false

Tweaking Firefox preferences

General tab

Under the General tab I set the download location to either  a separate, encrypted partition (where all my other downloads go: e.g. BitTorrent), or I set it to a memory only based location, such as /tmp.

My homepage is set to about:blank. It means I don’t have to wait for a page to load on startup, plus, as mentioned above, I only want my browser to initiate requests when I say so.

Privacy tab

Within Privacy I enable “Do not track” and set Firefox to always use private browsing mode, and disable those pesky third-party cookies.
I also disable the location bar suggestions, it prevents search terms being sent off as being typed. I use an extension called Pentdactly which not only makes this feature useless, I also don’t like any data being sent off before I’m ready for it to do so.

Security tab

Firefox comes with phishing and malware protection enabled known as safe-browsing.
It works by downloading a list of bad websites every 30 minutes, which is then checked against sites you visit.
Even though the sites you visit aren’t sent off to Mozilla’s partners (except when a double check is needed), I prefer not to have this option enabled: I’m cautious with every website I visit, hardly every download content, rarely give out my true personal information, and never allow scripts or other content to run without my permission, so for me it’s a network transaction that I don’t want. My browser should only make connections when I explicitly request it to do so.
Unchecking the two options under the security tab disables it.
I also delete all references to Google in about:config that come up when filtering for:
browser.safebrowsing.provider
Over the top, I know.

I also make sure that Firefox never stores and saves any of my passwords.

Extensions

AdBlock

Does as the name says: block adverts.
I understand the need for many webmasters to include adverts on their sites, but right now there is too little regulation on the tracking and behaviour analysis they perform for me to disable it. Not only that, many websites go over the top with them, causing my laptop to have a seizure.
I do, however, disable it for websites I trust and want to support, and recommend others to do so.

NoScript

To those in the know, this addon needs no introduction. JavaScript is a vital to the correct usage of many websites, however it can be quite dangerous to let sites run whatever scripts they like.
One of my University web development lecturers once said that those who believe JavaScript can be dangerous are naive. How he justified this I don’t know, but I’d be quite willing to set up a special website and invite him to visit it.

I make a few adjustments to the NoScript settings:

  • I turn off automatic reloading of pages when permissions change – it’s quite annoying.
  • I remove all entries in the whitelist, and determine for myself what is ok when I’m surfing the web. It takes a bit of time and patience, but once the list is set up I rarely need to touch it.
  • Under the embeddings tab, I forbid everything, and I apply this setting to sites in the whitelist too. The reason so is I prefer not to have, say, Flash loading and playing automatically as in the case of YouTube.
    It requires me to click once on the object to load it, and significantly increases page load times.
  • Under the HTTPS section of the Advanced tab, I enable the secure cookie management, and list it with domains that should always mark cookies as being secure, so they are not sent in plaintext.
    Many SSL secured websites, when setting cookies, enable this option their end, but listing those sites which absolutely must send them (banks, Facebook, etc.) is a backup just incase they forget.

HTTPS-Everywhere

This addon basically tries to connect to an SSL enabled version of a website when ever possible. It can (but not always) give some protection to Man in the Middle based attacks which use SSL Stripping techniques.

Ghostery

The Ghostery website gives a great overview of this addon:

Ghostery™ sees the invisible web – tags, web bugs, pixels and beacons. Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.

References:

confidentialresource
proxyswitcher
Mozilla
tweakguides

Spare change? 🙂
BTC: 122tLuUjCE945nLbcSwM2ZtKXxpYgWAfke
LTC: LVkMvyn8qdnjqxci65gkjUf6LJhAeumq29

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: