Chrome is an awesome browser that has been lauded for its exemplary security model. However, as we have become painfully aware, privacy and security are not equivalent. Traditionally, Mozilla’s Firefox has been a champion of users’ rights, but, by default, it is likely not the most secure browser.
Lately, there have been several excellent resources geared towards hardening Firefox, and I want to condense and share what I have learned. Aside from making your browsing experience more secure and respectful of your privacy, you will see performance gains as well.
I have been utilizing these customizations for several months, and have been very happy with the results. So, without further ado, let us get to it!
First up, open Firefox and go to its Preferences (Command+,). Select the Privacy tab. Check off Tell sites that I do not want to be tracked.
Depending on what you are comfortable with, you can configure the settings under History as you like, but make sure that Accept third-party cookies is set to Never.
Note: If the thought of fiddling with Firefox’s user preferences makes you queasy, there is an excellent Firefox Add-on that lets you make many of the same changes in a nice graphical interface.
Now, we need to do some serious tweaking of Firefox’s user preferences. Open up a new tab and type about:config. Press Enter and click through any warnings.
In the search box at the top of the page, we are going to be entering several preference entries and modifying their values. After we restart Firefox, our new changes will become effective.
- Set to true
- Determines when to send the Referer HTTP header; set to 1 (Send only on clicked links)
- Set to true (spoof referer)
- Set to 2 (scheme+host+port)
- Set to http://127.0.0.1
- Set to false
- Set to false
- Set to false
- Set to false
- Set to 0
- Set to 0
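To show what the three Referer values in the list above change on the wire, here is an added example (not part of the original post) that models which Referer header a page would leak before and after the change. The preference names are assumptions, since the list gives only the values, and the URLs are constructed samples.

```javascript
// Simplified model of three Firefox Referer preferences. The preference names
// are assumptions: the list above gives only the values. Referrer-Policy
// headers and Firefox's other referer prefs are deliberately not modelled.
const SEND = "network.http.sendRefererHeader";      // 0 never, 1 clicked links only, 2 links + embedded loads
const SPOOF = "network.http.referer.spoofSource";   // true: report the target URL as the referer
const TRIM = "network.http.referer.trimmingPolicy"; // 0 full URL, 1 no query string, 2 scheme+host+port

const stockPrefs = { [SEND]: 2, [SPOOF]: false, [TRIM]: 0 };
const hardenedPrefs = { [SEND]: 1, [SPOOF]: true, [TRIM]: 2 };

// Apply the trimming policy to the URL that would be sent as the referer.
function trimReferer(url, policy) {
  const u = new URL(url);
  u.hash = "";       // fragments and credentials are never sent
  u.username = "";
  u.password = "";
  if (policy === 2) return u.origin + "/";
  if (policy === 1) return u.origin + u.pathname;
  return u.href;
}

// kind is "link" for a clicked link, "embed" for an image or other subresource.
// Returns the Referer header value, or null when no header is sent.
function refererFor(sourceUrl, targetUrl, kind, prefs) {
  if (prefs[SEND] === 0) return null;
  if (prefs[SEND] === 1 && kind !== "link") return null;
  const base = prefs[SPOOF] ? targetUrl : sourceUrl;
  return trimReferer(base, prefs[TRIM]);
}

// Constructed sample URLs: a private page that links to and embeds third-party content.
const page = "https://mail.example.test/inbox/message?id=4821&token=abc#top";
const link = "https://shop.example.net/landing?ref=1";
const pixel = "https://tracker.example.org/pixel.gif";

// Referer seen by each third party under the stock and the hardened settings.
function compare() {
  return {
    stockLink: refererFor(page, link, "link", stockPrefs),
    stockEmbed: refererFor(page, pixel, "embed", stockPrefs),
    hardenedLink: refererFor(page, link, "link", hardenedPrefs),
    hardenedEmbed: refererFor(page, pixel, "embed", hardenedPrefs),
  };
}

console.log(compare());
```

With the stock values both third parties receive the full private URL, including its query string; with the hardened values the clicked link only sees its own origin and the embedded resource gets no Referer at all.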
One nice feature of Firefox is that it makes it easy to activate plugins on a case-by-case basis. By default, the plugin will not load, giving you a performance and security benefit. However, if you need to load a piece of content that relies on the plugin, you can click on the message Firefox provides in the browser page to load the plugin and associated content.
Before we move on to the next section, head to Tools > Add-ons > Plugins and make sure that the plugins listed there are set to Ask to Activate. Also, you might just want to uninstall Flash altogether. Good riddance!
Next, we are going to install some add-ons. Most will require an initial configuration, but after that you will be good to go.
This bad boy is wonderful, as it lets you create a whitelist of cookies that your browser will retain. Everything else will be expunged. Better yet, the add-on does not even wait until the browser closes to remove the cookies. A few moments after you close the tab for a site you have not whitelisted, the add-on deletes the site’s cookies!
After you have the add-on installed, head to the add-on’s Preferences (Tools > Add-ons > Extensions > Preferences). Uncheck Notifications (this gets annoying very fast). Make sure that Include LocalStorage is checked and that Clear Browser Cache when Idle is set to 0.
If you have not done so already, wipe all of your browser’s cookies via Firefox’s Preferences (Privacy > Show Cookies… > Remove All). Now, one-by-one, visit and log into all the sites you want to whitelist. After you log in, click on the add-on’s icon in Firefox and click never. You have just instructed the add-on to indefinitely retain the site’s cookies and, thereby, whitelisted the site.
Rinse and repeat.
This little guy is a creation from the good folks at the Electronic Frontier Foundation (EFF). It ensures that your connections to a web server are secured over HTTPS, provided that the server supports it. If the server does not support HTTPS, content will be sent over HTTP, in the clear, but if this bothers you, you can instruct the add-on to Block all HTTP requests.
Go into the add-on’s Preferences. Here, you will find a feature called the SSL Observatory. If you want, you can send HTTPS certificates that your browser accesses to the EFF, so that they can help detect things like man-in-the-middle attacks. I recommend utilizing the service. If you do, make sure that Show a warning when the Observatory detects a revoked certificate not caught by your browser is checked.
This is another delicious add-on from the EFF. It monitors sites you visit for behavior that indicates the collection of tracking data, and blocks it. Every once in a while, this may block a resource that you need in order to view critical content, but it is easy to undo the block with the add-on’s well-designed interface.
To see what is going on, select the add-on’s icon. Most likely, you will see a variety of entries that are marked either red, yellow, or green.
Red means that the third-party tracker is blocked. Yellow means that the third-party resource appears to be trying to track you, but is most likely required for site functionality. Green means the third-party domain does not appear to be trying to track you.
If you ever visit a site and you cannot access required information, try moving a blocked resource to yellow on a case-by-case basis. If you reload the page and still cannot access the required resource, reset the setting for the entry and move on down the list.
Also, if you ever want to reset a setting you manually changed, you can easily do so. Select the add-on’s icon and click the Gear icon. If you have changed a setting, you will see an arrow icon next to it. Click the arrow to reset the setting.
Steve Gibson describes this add-on as an HTML Firewall, and I do not think there is a better way of characterizing it. The settings for this add-on are immense, and its advanced features are beyond the scope of this post. Regardless, simply installing the add-on, as is, is fine to get you started. If you want to dig deeper, check out the Security Now! episode I linked to above, or head here.
After you install the add-on, head to its Dashboard via the add-on’s Preferences. See what I mean? You can do some serious tweaking, if you are so inclined.
Except for the checkboxes under the Regions, languages section, check off all the checkboxes. Then, select Purge all caches and click Update now.
This add-on is designed to help protect your privacy, which inevitably means that many, if not most, ads will be blocked. This is a sensitive issue, as many of the best sites and services on the Web are ad-supported, and blocking this content will have a negative effect on their ability to continue doing what they do.
However, there is no doubt that the online advertising space has grown out-of-control, and malicious, opaque advertising has now become the norm. Tools like uBlock Origin help put control back in users’ hands. To me, this is an absolute good. I simply advise that you use the power responsibly.
If there is a site you frequently benefit from and you want to ensure that the creators receive your ad views, you can easily whitelist the site. To disable/enable uBlock Origin for a specific site, click the add-on’s icon and select the Power button. If you only want to disable/enable uBlock Origin for a specific page, hold down Control as you select the Power button.
As previously mentioned, I have been running Firefox with these modifications for a few months, and the change has been dramatic. Firefox is a tasty beast and browsing the Web has never been faster, safer, and more privacy-focused. Take the time to make these changes and help spread the word on living a better online life.