New laptop at the office... These settings reflect my own compromise between usability, security and privacy. I’ll try to comment my choices, though.
Add-Ons:
I use uBlock Origin in Advanced mode with 3rd party scripts and 3rd party frames disabled. This replaces “uMatrix”, an extension I used to list.
Essentially: when a site breaks, open it up, think about the red stuff you want to enable and do that by clicking into the *top half* of the squares to allow stuff; click into the *bottom half* to disallow stuff. Reload every now and then until you’re happy. If you want to keep these settings, click on the lock. If you want to revert it all, click on the two arrows going in a circle.
I used to list “HTTPS by default” but it’s no longer necessary.
The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes. – EFF to deprecate HTTPS Everywhere extension as HTTPS is becoming ubiquitous
This seems to be the new default, so just check:
media.autoplay.default = 1
(1 means always block, 2 means you want to be prompted for every site that tries to autoplay...)
If all the text seems too small to read comfortably, use the following instead of zooming every page to 150%:
layout.css.devPixelsPerPx = 1.5
Remember that you can import your bookmarks from an old profile via the library / bookmark manager.
The rest of this page is about your preferences. Depending on your version, the exact labels might differ.
This is from the preferences in search (the looking glass icon).
This is from the preferences in privacy/security (the padlock icon).
Choose *custom*.
Probably useless but maybe legally relevant for the big companies... check the following:
Further down:
Revocation checking and Chrome's CRL
Disable all.
Disable all.
I don't want to use Google’s Safe Browsing service. I also think I know what I'm downloading. I hope.
So I disable it all.
Tricky. I want to know about all the invalid certificates, but I also don't want to query OCSP responder services for all the HTTPS sites I visit. Perhaps it is better to rely on quick certificate rotation like what Let's Encrypt is doing?
I disable it all.
There still are HTTP sites out there. This site also serves HTTP.
Don’t enable HTTPS-Only Mode.
I trust my ISP, I guess, so it remains off. But one day?
Enable DNS over HTTPS using: Off.
Before switching it on, you need to find a provider. Here in Switzerland, Digitale Gesellschaft offers it.
#Firefox
@sohkamyung says:
@fitheach says:
@BartG95 notes:
@chozron says:
@silkevicious recommends:
@maiki mentions Customizing Firefox using auto config:
The AutoConfig file can be managed centrally. To do so, specify the location of a secondary AutoConfig file in the primary AutoConfig file:
pref("autoadmin.global_config_url", "http://yourdomain.com/autoconfigfile.js");
@fitheach has a customised version of this and says: “Some settings can be quite restrictive and I’ve disabled them. Best thing is to install as is, if a site doesn’t work disable some likely settings.”
@RedLore recommends an article on Restore Privacy which gives you a list of all the about:config changes to make to increase privacy on Firefox.
@steven also recommends https://privacytools.io and says it “is a great reference for privacy in general, and it recommends add-ons and about:config tweaks. Although it’s a website, it’s also an open source project, so you can look at the bug and feature requests to see the rationale behind their recommendations.”
layout.css.devPixelsPerPx = 1.5
😭
@ashwinvis tells me they gave up on uMatrix and just use Origins advanced mode instead. This sounds like a good idea and I will try it.
Disabled:
Let’s see how it goes!
Disable clipboard events override in Firefox
`dom.event.clipboardevents.enabled` → false
Now websites can’t override any clipboard events! That is, they cannot prevent you from pasting passwords, for example.
`browser.newtabpage.activity-stream.showSponsoredTopSites` → false
browser.cache.disk.capacity → reset to default (256000)
browser.cache.disk.smart_size_enabled → false
If you don’t disable smart sizing, the cache capacity you set gets overwritten. What would be a good size? I don’t know.
browser.backspace_action → 2
pdfjs.enableScripting → false
datareporting.policy.dataSubmissionEnabled → false
toolkit.telemetry.archive.enabled → false
toolkit.telemetry.server → <clear value>
toolkit.telemetry.unified → false
Basically I search for `telemetry*enabled` and switch it all to false, because I don’t understand why we need a bewildering plethora of options when almost all people will be either “I don’t care” or “fuck this shit”. This is a false choice designed to confuse the unwary, if you ask me.
telemetry*enabled → false
The following should be the default already:
datareporting.healthreport.uploadEnabled → false
As part of the “Browser-Check” article series, various browsers are examined for their data-sending behaviour. Using an intercepting proxy, the behaviour of the browsers is analysed at start-up and also during use. It is checked where a browser connects to and which data is transmitted in the process. The results are intended to show how privacy-friendly a browser is in its default configuration, and to derive tips on how “phoning home” can be restricted or even switched off completely. – Mozilla Firefox: Datensendeverhalten Desktop-Version – Browser-Check Teil20
Don’t check for captive portals.
network.captive-portal-service.enabled → false
Updating block lists (Shavar, Tracking Protection): no solution.
Don’t do the location lookup.
geo.enabled → false
Disable telemetry: Preferences → Privacy & Security → Firefox Data Collection and Use → disable all
Disable top sites:
browser.topsites.contile.enabled → false
Remote settings download: no solution.
Initial home page: Preferences → Home → New Windows and Tabs → set both to Blank Page
Content signatures: must remain.
Disable pocket:
extensions.pocket.enabled → false
Disable push stuff:
dom.push.serverURL → empty
Firefox settings attachments: no solution.
Firefox updates for components: no solution.
Firefox updates for add-ons: no solution.
Disable Google Safe browsing (many?):
browser.safebrowsing*enabled → false
browser.safebrowsing.downloads.remote.block_ → false
More safe browsing: Preferences → Privacy & Security → Deceptive Content and Dangerous Software Protection → disable all
Search engine: switch from Google to something else
Don’t submit every keypress to search engines: Preferences → Search → Search Suggestions → disable all
The list keeps growing longer and longer.
https://github.com/arkenfox/user.js/
https://www.privacy-handbuch.de/handbuch_21u.htm
https://github.com/pyllyukko/user.js
https://www.kuketz-blog.de/firefox-aboutconfig-user-js-firefox-kompendium-teil10/
Take this guide as a starting point and learn about the meaning of the various options, configuring Firefox parameters is a fairly complex topic. Although I do my best so that there are not, there may be errors or inaccuracies in this guide, so don’t blindly copy/paste, and if you find something wrong I invite you to contact me to fix the problem. Your security depends not only on technical countermeasures, but also on how you behave online, so search for information, compare them, and *think with your head.* – Firefox Hardening Guide
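To check a profile against the about:config values listed above instead of copying them blindly, here is an added example (not part of the original page) that audits the text of a profile's `prefs.js` or `user.js`. The `EXPECTED` table covers only some of the prefs from this page, and the function names, the leading `*` on the telemetry pattern and the sample input are this example's own assumptions.

```python
import fnmatch
import json
import re

# Exact prefs and the values this page sets them to (a subset).
EXPECTED = {
    "dom.event.clipboardevents.enabled": False,
    "network.captive-portal-service.enabled": False,
    "geo.enabled": False,
    "extensions.pocket.enabled": False,
    "dom.push.serverURL": "",
}
# The page's "switch it all to false" searches; leading * added (assumption).
GLOBS_FALSE = ["*telemetry*enabled", "browser.safebrowsing*enabled"]
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for m in map(PREF_RE.match, text.splitlines()):
        if m:  # skips comments and blank lines
            try:  # true/false, integers and "strings" are valid JSON literals
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                pass
    return prefs

def audit(text):
    """Return sorted (pref, status) pairs that deserve a look."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in EXPECTED.items():
        if name not in prefs:
            # prefs.js holds only user-set values: confirm in about:config
            findings.append((name, "default"))
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            findings.append((name, "mismatch"))
    findings += [(n, "mismatch") for n, v in prefs.items()
                 if n not in EXPECTED and v is True
                 and any(fnmatch.fnmatchcase(n, g) for g in GLOBS_FALSE)]
    return sorted(findings)

# Constructed sample, not taken from a real profile.
SAMPLE = """\
user_pref("geo.enabled", true);
user_pref("toolkit.telemetry.archive.enabled", true);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("dom.push.serverURL", "");
"""
```

A status of `default` means the pref is absent from the file, so Firefox uses its built-in value, which varies by version and has to be confirmed in `about:config`.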
Scrollbars? I want scrollbars!
widget.non-native-theme.scrollbar.size.override → 10
widget.non-native-theme.scrollbar.style → 4
In settings:
“Always show scrollbars” → check
With Firefox 115 I noticed that the toolbar was huge. I'm assuming that now `layout.css.devPixelsPerPx` applies to the UI as well as the page content? It's set to 1.5 on my system. Based on userChrome.org I created a `chrome/userChrome.css` file in my profile folder, containing the following:
```css
@-moz-document url(chrome://browser/content/browser.xul), url(chrome://browser/content/browser.xhtml) {
  * { font-size: 10pt }

  /*** Tighten up drop-down/context/popup menu spacing (8 Sep 2021) ***/
  menupopup:not(.in-menulist) > menuitem,
  menupopup:not(.in-menulist) > menu {
    padding-block: 4px !important; /* reduce to 3px, 2px, 1px or 0px as needed */
    min-height: unset !important; /* v92.0 - for padding below 4px */
  }
  :root {
    --arrowpanel-menuitem-padding: 4px 8px !important;
  }
}
```
Enable it by going to `about:config` and setting `toolkit.legacyUserProfileCustomizations.stylesheets` to `true`.
This appears to scale the UI font-size back while leaving the web content scaled up.
Something that I didn't use but which I find interesting:
You can find the skeleton of the menu system by pasting `view-source:chrome://browser/content/browser.xhtml` into the address bar and pressing Enter/Return to load it. – What is userChrome.css? What can it do?
I like to think that maybe I could use my own fonts: Settings → search for "font", click on the Advanced link:
Fonts for Latin:
`browser.preferences.moreFromMozilla` → false
I don't want a "new page on about:preferences to suggest more Mozilla products".
dom.event.clipboardevents.enabled → false
network.security.ports.banned.override → a comma-delimited list of ports