I love Firefox.
The sheer number of customisations it offers is more than enough to keep me jumping ship; being a security and privacy freak, it allows me to control exactly what it’s doing and how, enough so to put my paranoia of entering the deep, dark web to a slight ease.
This is what this post is here to offer: ways to configure Firefox through about:config, and using extensions to increase the privacy and security aspects. It is mainly for my future reference for when I’m re-installing Firefox so my choices my not suite everyone, but hopefully others may find it useful.
Any input or extra tips are greatly appreciated.
As I said I’m quite paranoid, even though my HDD is encrypted and I have multiple passwords in place to log into my system, I don’t like my browser caching any files to my drive, instead I do it all to RAM: the following about:config entries disables disk caching, and adjusts the maximum size of temporary files stored in RAM:
browser.cache.disk.enable = false
browser.cache.offline.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.disk.capacity = 0
browser.cache.memory.capacity = 30720 [size in KB, thus 30MB]
I often route my network traffic through an SSH tunnel, but Firefox won’t perform DNS requests through a proxy unless specified, the following entry ensures it will:
network.proxy.socks_remote_dns = true
Referrer headers allow websites to track how you’ve reached them, say for example you did a search and clicked a link on Google, the website you land on will know that you’ve come from Google and, if you’re not using the SSL version of the search engine, the search terms also.
This entry disables sending these referrers:
network.http.sendRefererHeader = 0
Many modern browsers now come equipped with geo location, allowing a website to get a pretty accurate reading of where in the world you are if you accept a request.
I’ve never had the need for it, and it is not the sort of information I would want to pass on; this option will prevent it outright:
geo.enabled = false
In case Firefox crashes it can restore the tabs you previously had opened, disabling disk caching (as above) prevents this, but there is also an option to prevent it:
browser.sessionstore.enabled = false
You can also control how many websites Firefox keeps track of, for when using the back and forward buttons (5 in my case):
browser.sessionhistory.max_entries = 5
To speed up browsing, Firefox can prefetch links and images on a website that a webmaster sets to be prefetched; it means you’ download the content even if you never actually visit the intended prefetched link. This entry disabled this:
network.prefetch-next = false
Tweaking Firefox preferences
Under the General tab I set the download location to either a separate, encrypted partition (where all my other downloads go: e.g. BitTorrent), or I set it to a memory only based location, such as /tmp.
My homepage is set to about:blank. It means I don’t have to wait for a page to load on startup, plus, as mentioned above, I only want my browser to initiate requests when I say so.
Within Privacy I enable “Do not track” and set Firefox to always use private browsing mode, and disable those pesky third-party cookies.
I also disable the location bar suggestions, it prevents search terms being sent off as being typed. I use an extension called Pentdactly which not only makes this feature useless, I also don’t like any data being sent off before I’m ready for it to do so.
Firefox comes with phishing and malware protection enabled known as safe-browsing.
It works by downloading a list of bad websites every 30 minutes, which is then checked against sites you visit.
Even though the sites you visit aren’t sent off to Mozilla’s partners (except when a double check is needed), I prefer not to have this option enabled: I’m cautious with every website I visit, hardly every download content, rarely give out my true personal information, and never allow scripts or other content to run without my permission, so for me it’s a network transaction that I don’t want. My browser should only make connections when I explicitly request it to do so.
Unchecking the two options under the security tab disables it.
I also delete all references to Google in about:config that come up when filtering for:
Over the top, I know.
I also make sure that Firefox never stores and saves any of my passwords.
Does as the name says: block adverts.
I understand the need for many webmasters to include adverts on their sites, but right now there is too little regulation on the tracking and behaviour analysis they perform for me to disable it. Not only that, many websites go over the top with them, causing my laptop to have a seizure.
I do, however, disable it for websites I trust and want to support, and recommend others to do so.
I make a few adjustments to the NoScript settings:
- I turn off automatic reloading of pages when permissions change – it’s quite annoying.
- I remove all entries in the whitelist, and determine for myself what is ok when I’m surfing the web. It takes a bit of time and patience, but once the list is set up I rarely need to touch it.
- Under the embeddings tab, I forbid everything, and I apply this setting to sites in the whitelist too. The reason so is I prefer not to have, say, Flash loading and playing automatically as in the case of YouTube.
It requires me to click once on the object to load it, and significantly increases page load times.
- Under the HTTPS section of the Advanced tab, I enable the secure cookie management, and list it with domains that should always mark cookies as being secure, so they are not sent in plaintext.
Many SSL secured websites, when setting cookies, enable this option their end, but listing those sites which absolutely must send them (banks, Facebook, etc.) is a backup just incase they forget.
This addon basically tries to connect to an SSL enabled version of a website when ever possible. It can (but not always) give some protection to Man in the Middle based attacks which use SSL Stripping techniques.
The Ghostery website gives a great overview of this addon:
Ghostery™ sees the invisible web – tags, web bugs, pixels and beacons. Ghostery tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity.
Spare change? 🙂