This guide is as complete as it can be at the time of writing. These are ever-evolving topics, and threats continue to change. Regardless, this guide will give you a good basis to protect yourself from common threats. You should also be aware that the configurations and add-ons used here will break websites. It’s up to you to go back and disable add-ons on the sites that you trust.

Basic Settings

The best place to start is with Firefox’s main settings menu. Open the menu and click on “Preferences.”

There’s nothing “wrong” with any of the search providers, but some collect data based on your searches. The best option here is DuckDuckGo. If you feel like adding an additional search provider, Startpage is another good choice.

Content

DRM is closed source. Trusting it is up to you, but you have no real way of knowing exactly what it does. If you don’t want to take any chances, uncheck the box. Of course, make sure that the box to block pop-up ads is checked.

Privacy

There are a couple of very important settings here under the Privacy tab. Pay close attention to these options.

Tracking

First, under the “Tracking” subheading, ensure that the box is checked for tracking protection in private windows. Under that option there’s a link with the text, “manage your Do Not Track settings.” Click that link and check the box in the resulting window. Do Not Track isn’t perfect, but it does help in some cases.

Cookies

Next, under the “History” subheading you need to manage how Firefox handles cookies. Use the drop-down menu to tell Firefox to use custom settings for your history. This will open a few new options. You can tailor this how you want, but one configuration that offers a good balance between security and usability is to leave “Accept cookies from sites” checked. Then, set “Accept third-party cookies” to “Never” and “Keep until” to “I close Firefox.”

Data Reporting

Head to the “Advanced” tab and click on the “Data Choices” tab there. Uncheck everything.

Advanced Settings

There are more advanced settings in Firefox that you can’t access through the normal menus. These settings can potentially damage Firefox and keep it from running properly. Proceed with caution.

Enter about:config into the browser’s address bar. Firefox will give you its own warning. Accept it. The window that you’ll see shows a table of different settings and their values. At the top of the window you’ll find a search bar. That’s what you’re going to use to navigate to the settings that you need to change.

WebRTC

WebRTC is a real-time communication protocol built into browsers that gives them access to microphones and cameras for browser-based communication. Malicious sites can also make requests for that data, so WebRTC is dangerous. It also collects information about your computer and its place on your network. That means it can blow your cover when using a VPN.

Search for media.peerconnection.enabled and click on it to set its value to “false.” Do the same with media.navigator.enabled.

Pocket

There’s no evidence that Pocket is doing anything nefarious, but it is a proprietary service, and a proprietary service can’t necessarily be trusted. To disable Pocket, search for extensions.pocket.enabled and set it to “false.”

WebGL

WebGL allows browsers to load a lot of different dynamic content, including animations. Unfortunately, it also reveals information about your browser and can even be used to track a unique fingerprint based on your graphics card. To disable WebGL, search for webgl.disabled and webgl.disable-wgl and set them to “true,” then search for webgl.enable-webgl2 and set it to “false.”
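Changes made in about:config are written to the prefs.js file in your Firefox profile directory, so you can check that they stuck. The script below is an added example, not part of the original guide: it audits the text of a prefs.js file against the six values recommended in the WebRTC, Pocket and WebGL sections. The function names and the sample file contents are constructed for illustration.

```python
import re

# Values recommended in the WebRTC, Pocket and WebGL sections above.
RECOMMENDED = {
    "media.peerconnection.enabled": False,
    "media.navigator.enabled": False,
    "extensions.pocket.enabled": False,
    "webgl.disabled": True,
    "webgl.disable-wgl": True,
    "webgl.enable-webgl2": False,
}

# One line of prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value}; booleans become bool, other values stay raw text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:  # comments and blank lines do not match
            name, raw = m.groups()
            prefs[name] = {"true": True, "false": False}.get(raw, raw)
    return prefs

def audit(text, recommended=RECOMMENDED):
    """Map each recommended pref to 'ok', 'mismatch' or 'unset'."""
    current = parse_prefs(text)
    report = {}
    for name, want in recommended.items():
        if name not in current:
            report[name] = "unset"  # no entry: the browser default applies
        else:
            report[name] = "ok" if current[name] is want else "mismatch"
    return report

# Constructed sample of a prefs.js file (not taken from a real profile).
SAMPLE = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("media.peerconnection.enabled", false);
user_pref("webgl.disabled", true);
user_pref("webgl.enable-webgl2", true);
user_pref("extensions.pocket.enabled", false);
'''
if __name__ == "__main__":
    for pref, status in audit(SAMPLE).items():
        print(f"{status:9} {pref}")
```

An “unset” result means the preference was never changed from the browser default, so open about:config and check that entry by hand.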

Add-Ons

Extensions bring in way more options for protecting your privacy and security online. They enhance Firefox’s existing capabilities, and many address specific privacy concerns. All of these add-ons are open source and have a solid reputation for protecting their users.

HTTPS Everywhere

HTTPS Everywhere is an add-on developed by the Electronic Frontier Foundation. It forces your browser to connect to the encrypted (HTTPS) version of a site, if it exists. This can help stop unwanted unencrypted data leaking out onto the Internet.

Privacy Badger

Privacy Badger is another great add-on from the EFF. This one aims to augment the existing functionality of Do Not Track by blocking known trackers.

NoScript

NoScript blocks JavaScript, all JavaScript. This is one of the most invasive add-ons available, but it’s also one of the most effective. The best policy with NoScript is to let it block everything and whitelist sites that you trust. If that’s too annoying, just set it to allow JavaScript, and it’ll try to block malicious code and potential attacks.

uBlock Origin

uBlock Origin is more than an ad blocker. It actually blocks all content from certain domains and servers. This way nothing else can slip through from an ad server. It is also more difficult to subvert by changing the size of ads or using other common techniques.

Self Destructing Cookies

This one is exactly what it sounds like. It deletes the cookies from the sites that you visit after you leave. You won’t have to worry about the cookies following you around, but you also won’t have to deal with broken sites.

Disconnect

Disconnect is another tracker-blocking add-on like Privacy Badger. Using both is sort of redundant, but it can’t really hurt. Disconnect has its own database of known threats, so it might have some that Privacy Badger doesn’t.

Random Agent Spoofer

Random Agent Spoofer is way more than just an add-on to change the agent data of your requests. Sure, it can and does make it look like you’re using a different browser than you are. This can be useful for preventing browser fingerprinting by either changing periodically or using a more common browser. It also gives you access to other privacy settings that can help cover up personal data. One such option allows you to disable HTML Canvas to stop canvas fingerprinting. To do this, go to about:config with the add-on enabled and search for extensions.agentSpoof.canvas. Set it to “true.”

CanvasBlocker

CanvasBlocker is an add-on specifically designed to block canvas fingerprint tracking. It turns off HTML Canvas capabilities. If you’re using Random Agent Spoofer for this, you don’t necessarily need this one.

Decentraleyes

So much of what you see on the web comes from large content delivery networks (CDNs). These networks could theoretically track you using the requests that you make for this content. Decentraleyes cuts down on this possibility by serving local versions of the content that you would pull from a CDN.

uMatrix

uMatrix was developed by the same person as uBlock Origin. It provides a convenient grid matrix to manage external content like JavaScript, CSS, and cookies. uMatrix is somewhat redundant with other plugins here, especially NoScript. If you really hate NoScript, consider using uMatrix instead.

Notes On Privacy

Always do your research and keep an ear open for new privacy and security developments. What’s true today may change radically tomorrow. None of the steps or add-ons here hide your identity or location. Consider using a VPN in conjunction with your newly configured browser for more complete protection.