[4/11/17] Welcome to our 2016 guide for hardening Firefox against security and privacy threats. This guide is intended to show users how to modify Firefox settings to resist surveillance by governments and corporations, to increase the strength of the encryption while browsing and to reduce the amount of data leaking from your browser.
Important changes since the 2014 edition:
-The recommendation for Adblock Plus has been changed to µBlock. This is because Adblock Plus whitelists ad domains and does not block all ads. Adblock Edge, an alternative, is also being discontinued. µBlock also uses fewer resources than Adblock Plus.
-We have dropped the recommendation for CipherFox as Firefox has improved the browser to allow similar functionality without the add-on.
-The recommendation for Ghostery has been changed to Disconnect. This is because Ghostery has poor default settings and because it is maintained by a web marketing company.
-We have added a method for disabling WebRTC.
-We have added two new add-ons for User Agent Switching to protect users from browser profiling.
-We have added the recommendation for the EFF’s Privacy Badger.
-We have added the recommendation for Mozilla’s Lightbeam.
-We have added a segment on managing trusted CAs to reduce the risks of Man In The Middle attacks.
This guide is effective. You can see the results in a separate article here:
This guide assumes that you have already installed Firefox and are using it as your primary browser. Following this entire guide should take 25 to 40 minutes.
Step 1: Install the Best Firefox Extensions for Privacy and Security.
We recommend uBlock, NoScript, Disconnect, HTTPS Everywhere, Privacy Badger, and Lightbeam.
Why we recommend uBlock: It is an up and coming ad-blocker with the same types of functionality as Adblock Plus, but doesn’t have exceptions. It blocks all ads indiscriminately.
Why we recommend NoScript: It is a powerful script-blocking tool that disables the kinds of complex web code that can be used to exploit browser vulnerabilities, and it also blocks many advanced tracking technologies. You can re-enable scripts manually: whitelist an entire site, allow specific scripts on a page, or allow scripts temporarily for a one-time visit. It is powerful, with fantastic granular controls.
Why we recommend Disconnect: Disconnect blocks many kinds of tracking cookies and tokens, and gives you a nice overlay of the blocked content so that you can see how many and what kind of cookies or tracking tokens were going to be loaded into your browser. It also allows granular controls and whitelisting to give sites full functionality when needed.
Why we recommend HTTPS Everywhere: The unencrypted web is dangerous. HTTPS Everywhere makes your browser use a secure connection by default whenever one is available, which automatically reduces how often you browse websites unprotected.
Why we recommend Privacy Badger: Privacy Badger has functions similar to Ghostery and uBlock, but uses algorithms to detect previously unknown threats like new trackers. Its enhanced protection complements the other privacy extensions and allows greater controls over your privacy.
Why we recommend Lightbeam: Lightbeam lets you visualize your browsing and see where your data travels. You can see the difference between a “safe” site and a “leaky” site at a glance, and judge whether your configuration is properly protecting you from unwanted content and trackers.
These extensions combined give you far-reaching and multi-layered protection from privacy and security threats.
Step 2: Configure Firefox for Privacy and Security in the Options Menu
We will start with basic settings and configure Firefox to prevent leaking data when possible and alert you when a site attempts to install add-ons to Firefox.
To reach the basic settings menu in Firefox, click on the menu in the upper right corner of your browser and select “options” as shown below.
Once you open the options menu, you will see a small window with a number of tabs and options. We are going to disable any options that send data out to third parties, and enable any features that prevent code from being executed without notifying us. The first tab we want to look at is the “Search” tab. We are going to disable support for all of the search engines except for the ones we want. In the image shown, we have allowed only the privacy-oriented DuckDuckGo search engine. Some users will prefer to leave Google Search active for more accurate results. This comes at the cost of privacy, because Google uses many intrusive methods to improve its results and target them at you, the user. So the decision is up to you. We highly recommend using only one or two search engines.
Next, we are going to look at the “Privacy” tab. Here we make sure that the “Do Not Track” option is enabled, which flags you to reputable websites as not wanting to be tracked. Some websites do not honor this request, since it is voluntary; our extensions and other privacy and security changes will take care of those less-than-reputable sites. We are also going to set Firefox to “Never remember history” so that it deletes all of your history every time you close Firefox. Finally, we will disable all suggestions in the search bar, as the suggestions process can leak excessive data about us.
Next, we have the Security tab. This is where we will tell Firefox to warn you when sites try to install add-ons, as well as allow Firefox to block reported attack websites and block reported forgeries, which are sites that impersonate other sites like your bank, PayPal, or other sites where you would unknowingly enter credentials to sign in and have them stolen.
We will also instruct Firefox not to remember passwords, which will prevent passwords for your website from being stored anywhere on the computer locally.
Next you’ll click on the Advanced tab. This tab has sub-tabs beneath it in the window. In the “Data Choices” sub-tab we will configure Firefox not to share Telemetry, Health Report, or Crash Reporter data. This is because this data being transmitted from your PC to outside servers can give an attacker insight into how to break into your computer. For example, they can learn that you have a vulnerable plugin installed that they can exploit, or that you have a particular feature of Windows enabled that is vulnerable. Similarly, the crash reporter function can give an attacker insight into areas of your computer that may be malfunctioning and vulnerable.
Next in the advanced tab is the “Network” sub-tab. Here we will make sure that you are warned when a website tries to save data to your PC that will be used offline and not in the current session. This is to advise you on whether the website may be trying to plant data on your PC that can track you or act maliciously.
Finally on the advanced tab, we want to look at the “certificates” sub-tab. Make sure that it is configured as pictured. This allows Firefox to best judge whether the security certificates presented by the website are valid, and it warns you every time a site tries to query your personal certificate (which identifies you personally to the website with a unique identifier). This will allow you to block unwanted attempts to identify you, while strengthening your ability to trust genuine websites.
When you have made all of these changes, hit “OK” at the bottom of the window and all changes will be saved.
Next, we have the section on advanced blocking of unsafe encryption, and advanced settings to block newer methods of identifying users who have already locked down the basic security settings in the Options menu.
Step 3: Advanced configuration of Firefox to block WebRTC, bad cipher suites, and more.
Here, we are going to access the not-so-secret advanced options menu in Firefox to further harden our browser against known threats. To access the options, type “about:config” in the URL bar at the top of the browser, and it will open up a huge set of advanced options to configure your browser in hundreds of ways. Some of these options just change the way the browser looks or behaves. Others dramatically change the security and privacy of your browser. When you type about:config in the URL bar, you will be met with a warning that you can really screw things up if you do the wrong thing. We recommend heeding this warning and not changing any settings if you do not know precisely what they do.
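As an added example, not part of the guide: a small Python audit script that parses a Firefox profile's prefs.js and reports which of the settings discussed in Step 2 and Step 3 (including the WebRTC switch) are not at the hardened value. The about:config preference names and the sample prefs.js are assumptions; confirm each name in about:config for your Firefox version.

```python
import re

# Hardened baseline for the settings this guide changes. The preference names
# are assumptions (the guide uses the Options menu, not about:config names).
HARDENED_BASELINE = {
    "privacy.donottrackheader.enabled": True,           # Privacy: Do Not Track
    "browser.privatebrowsing.autostart": True,          # Privacy: never remember history
    "browser.search.suggest.enabled": False,            # Privacy: no search suggestions
    "xpinstall.whitelist.required": True,               # Security: warn on add-on installs
    "signon.rememberSignons": False,                    # Security: don't remember passwords
    "toolkit.telemetry.enabled": False,                 # Advanced > Data Choices: Telemetry
    "datareporting.healthreport.uploadEnabled": False,  # Advanced > Data Choices: Health Report
    "browser.offline-apps.notify": True,                # Advanced > Network: warn on offline storage
    "security.OCSP.enabled": 1,                         # Advanced > Certificates: query OCSP
    "security.default_personal_cert": "Ask Every Time", # Advanced > Certificates: ask before sending
    "media.peerconnection.enabled": False,              # about:config: disable WebRTC
}

# Matches user_pref("name", value); lines as written in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} from prefs.js text; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comment lines, blank lines, anything not a user_pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs, baseline=HARDENED_BASELINE):
    """Return {name: (current, expected)} for every pref not at the hardened value.
    A pref missing from prefs.js is reported with current=None: it is still at
    the Firefox default, which must be checked by hand in about:config."""
    return {name: (prefs.get(name), want)
            for name, want in baseline.items() if prefs.get(name) != want}

# Constructed sample prefs.js content (not a capture from a real profile).
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("browser.search.suggest.enabled", false);
user_pref("toolkit.telemetry.enabled", true);
user_pref("media.peerconnection.enabled", false);
user_pref("security.OCSP.enabled", 1);
user_pref("security.default_personal_cert", "Select Automatically");
"""

if __name__ == "__main__":
    for name, (cur, want) in sorted(audit(parse_prefs(SAMPLE_PREFS_JS)).items()):
        print(f"{name}: is {cur!r}, guide recommends {want!r}")
```

To audit a real profile, read the profile's prefs.js into a string and pass it to parse_prefs in place of the constructed sample.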