Firefox Configuration Guide for Privacy Freaks and Performance Buffs

admin


See the revision history at the end of this document for a list of changes.

Introduction
Many of us are aware of the immense threats to our privacy and security posed by a plethora of technology corporations, governments and malicious hackers, some of which often go to great lengths to monitor our communications and web browsing habits. Governments and their “intelligence” apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of many mega-corporations to do so, including Google, Facebook, Verizon, Comcast, Amdocs and countless others, many of which most of us have probably never heard of. While this data may be used for relatively benign purposes, such as displaying ads on web pages, all too often the intentions are far more sinister and invasive.

Much of what Edward Snowden has brought to the table is not new at all, but it seems the information has been presented in a way that has captured the attention of much of the public, prompting those who value their privacy to seek ways to mitigate the threats. The goal of this guide is to help the reader to thwart some of the efforts to track and profile us as we surf our way around the World Wide Web. Notice i intentionally use the word “some” for several reasons: 1) because there are too many variables and vectors for attack and 2) because i am in no way an expert on computer security or privacy. If you want to go further than this guide will carry you, check the resources section which includes this fine article, Improve Your Privacy in the Age of Mass Surveillance.

Here’s a personal experience that may interest you…
I once sold a PC to a guy and we got to talking about the government. He said he had worked for the government either directly or as a contractor. I don’t recall which. He said he had a security clearance and i believe it was a crypto clearance. Our time together was limited, but he touched upon some very interesting topics that i wanted to know more about and so i suggested we continue our conversation through encrypted email. He looked at me and said, “encryption is useless”.

Obviously encryption is not entirely useless, but i think what he meant is that, if it is certain government agencies that are targeting you, then indeed it is useless. The point is that one should never make the mistake of assuming that their privacy is guaranteed, no matter what precautions have been taken.

For many of us, our web browser is the primary interface we use to explore the digital world and it is therefore necessary for any privacy conscious individual to consider what information our web browsers are sending and receiving and how that information can be used to track our on-line activities and profile us. Only then can we take action to circumvent some of these threats.
Contrary to the statements made in The Mozilla Manifesto, it is my opinion that, while its flagship product, the Firefox web browser, may be more privacy-centric than the other mainstream web browsers, securing the privacy of its audience is but an afterthought for the non-profit, multi-million dollar Mozilla Foundation. This is readily apparent when one considers the array of ethically challenged multinationals which Mozilla has chosen to hop in bed with, including Google, Yahoo, Microsoft, Telefónica, LG Electronics, Sony, Verizon, Cisco and others. Even the now defunct Firefox Pocket service was tied to a 3rd party company and it seems more unnecessary and unwanted “features” are being added with each iteration of the browser.

And then there’s the ‘Looking Glass’ fiasco which you can read about in a post titled Looking Glass: The next ‘bright idea’ from Mozilla. Google Chrome is no better and Internet Explorer isn’t worth the effort required to express an opinion as far as i’m concerned.
That being said, i think Firefox is still a viable product in many ways and it is still one of the most hackable mainstream web browsers out there. Because it is open source and open to customization, i believe the Gecko family of browsers are good candidates for those who wish to reduce their exposure to privacy and security threats. The folks behind the Tor Project seem to think so as well since Firefox is included in their Tor Browser Bundle, though i suspect possibly not for much longer.
This guide covers primarily the configuration of Firefox and the add-ons we will be deploying and ends there. For additional privacy you may wish to consider using a VPN.

Personally i use and recommend AirVPN due to their privacy policy, ethics, price and good service, as well as the fact that they run a lot of servers all around the globe and do not restrict any protocol, including BitTorrent traffic.

A special note about cryptocurrency miners
People are now creating scripts to mine cryptocurrencies which run in your web browser and use your CPU power to mine virtual currencies for them while you visit websites which employ these scripts.

I first learned about this when The Pirate Bay used such a script in certain sections of its website.
This is a very interesting development and it will be equally interesting to see how widespread this becomes.

Just days after TPB was found running its Monero mining script, a cryptocurrency mining plug-in for WordPress was published on wordpress.org.
At first i saw these mining scripts as pure malware and, in fact, i would say it was indeed highly unethical when The Pirate Bay introduced it secretively and forced it upon its visitors who had JavaScript enabled without making it opt-in. Soon after, ad-blockers, including uBlock Origin, as well as anti-virus software vendors, started targeting these mining scripts.

After giving it some thought however, this seems like it might be an excellent way for independent journalists and others to generate some “cash” to support their work without having to annoy visitors with obtrusive ads.
In the “uBlock Origin configuration” section below, you will find that i have included a filter list to block these cryptocurrency scripts from running, at least for now. Hopefully this will change in the near future.

Audience
This guide is intended for those who are somewhat technically inclined, or are at least willing to learn, and who wish to reduce the threats to their privacy while enhancing browser security and performance. We will attempt to accomplish these goals while maintaining a reasonably carefree web browsing experience which means there will be some trade-offs between security and privacy for ease of use, but you can always adjust to suit your particular needs. This guide is not intended as a complete solution for those whose well-being depends on anonymity (whistle-blowers, investigative journalists, etc.), though it may be a worthy supplement to more specific information. This guide is a) a work in progress and b) not authoritative, since i do not claim to be an authority on Firefox, internet security or digital privacy. There are simply too many technologies, options and attack vectors for me to comprehend in something as incredibly complex as the modern web browser.
Though this guide is centered around Firefox, it should also be useful for users of other Gecko-based programs, including the SeaMonkey and Iceweasel browsers, as well as the Mozilla Thunderbird email client and perhaps any others who value their privacy.
The Mozilla Firefox browser is based on the Gecko layout engine and, as with any mainstream browser, it is a very complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, obscure, or even hidden. Change a few settings without knowing what you’re doing and things can go south pretty quick.

Poorly coded add-ons can compound the problem, especially when they conflict with one another. Here we will attempt to accomplish our goals in an efficient manner with a minimal dependency upon 3rd party browser add-ons.
There is a huge selection of Firefox add-ons for tweaking privacy and security, some of the most popular of which are Adblock Plus and its many derivatives, NoScript, Flashblock, Ghostery, Web of Trust, BetterPrivacy, Lightbeam, Disconnect, Self-Destructing Cookies, Cookies Manager+, Request Policy, Policeman, Bluhell Firewall, RefControl, Smart Referer, HTTPS Everywhere and many, many others. With some possible exceptions, we won’t be using any of these, yet will retain much of the most important functionality offered by most of them with just a few add-ons, along with a plethora of changes to our Firefox configuration.
A bit of a trade-off should be expected as we tighten up on security and privacy insomuch as some websites will cease to function properly until the settings for the affected sites are adjusted. Anyone who has used a content filter such as NoScript will understand that certain resources must be allowed for many websites to function in a way that is acceptable to us.

As with NoScript, however, the process of allowing these resources with the add-ons suggested herein usually requires little more than a mouse click or two and a page refresh. Furthermore, once we have visited all of our favorite websites and made the necessary adjustments, our workload will be greatly reduced.

Nevertheless, you should be prepared to put a little more effort into your web browsing experience in general and expect the occasional hard-case which will require more fiddling than usual to get a particular site to function properly. The pay-off however is a much cleaner, faster, garbage-free web that is less able to track and profile us as well as a hardened Firefox that is more resistant to attack.

Terminology
AMO: The Mozilla add-ons website.
Browser fingerprinting: A method whereby a web server attempts to uniquely identify your configuration (browser, operating system, etc.) using various methods, including information contained in the HTTP headers, information collected with JavaScript, querying cached data, enumerating installed plug-ins, visited websites, installed languages and more. For more information, see A Primer on Information Theory and Privacy.
Browser storage (web storage: cache, cookies, etc.): The modern web browser is a far more sophisticated tool than most people probably realize. In addition to HTTP cookies and web caching, any modern web browser also allows a web server to store data using local and session storage, indexedDB storage, window.name storage, ETag cache storage and whatever other methods i may not be aware of. If you are concerned about preserving your inherent right to privacy, you have far more to worry about than so-called “cookies” which were once just simple text files.
Crapware: For the purpose of this document, crapware is considered to be code that is included in a browser or browser extension which is not relevant to the functionality users expect. For me, the term crapware encompasses adware, tracking mechanisms and malicious code. Crapware is often added to browser extensions (add-ons) by a marketing company or solo developer for the purpose of monetizing the extension. Crapware can present a significant threat to user privacy and browser security.
CDN: A Content Delivery Network is a service that often hosts reusable content, such as graphics and scripts, which website authors can leverage to make pages load faster. CDNs can also present a threat to our privacy by tracking our web activities.
CSS: Cascading Style Sheets are used to format and beautify website content. CSS itself presents little or no risk to privacy or security so far as i am aware, since it is used primarily to apply visual styling to HTML elements; however, it can be used for nefarious purposes when combined with a scripting language such as JavaScript.
Domain / Sub-domain / Hostname / TLD: For the purposes of this document a domain name and a hostname are interchangeable, both being human-friendly names for a website, such as example.com. A 1st party domain is the website you are currently viewing (12bytes.org at the moment), while a 3rd party domain could be a web server which supplies content to the 1st party domain. For example, the web page https://www.google.com/url?q=https://www.mozilla.org/en-US/firefox/new/&sa=U&ved=0ahUKEwj5z9u1kYLYAhXp1IMKHUvdDb4QFggUMAA&usg=AOvVaw3p80z20jidbJ4GWjzLC0Hq to this:
