One distinctive feature where Firefox shines above other browsers is the amount of control the user has over the system. Even though Web Extension add-ons are not as powerful as they used to be after the demise of XUL, and even though Mozilla has been making some questionable decisions these past few years, to this day Firefox still offers the possibility of enabling, disabling and controlling every single aspect of the browser through its preferences system.
The elephant in the room is that only a few people will be patient enough to actually go through all those settings, try to figure out what they do and apply them, so this benefit doesn’t seem too practical.
Fortunately we are not alone. The folks at ghacks were the first ones to document and share a hardened set of preferences, which is kept up to date in a GitHub repository. This became really popular and others have followed, but the important thing here is that, thanks to the community helping each other, browsing the web safely is now much more accessible.
The user.js file contains informative comments and it is a great starting point to tweak to our own convenience. We can consider this the equivalent of the way package maintainers act as a trusted third party that audits and in some cases patches code from upstream so the user doesn’t have to worry about that. I highly recommend this article on the topic.
Another benefit of user.js is that it helps us retain our configuration under version control and quickly apply our settings on a new machine or profile.
Is it that bad that I want to go through this?
Well, this will be according to your own criteria, but let’s start by listing some of the things that Mozilla signs you up for by default.
We don’t want our browser to connect to sites unless we command it to do so. Firefox connects to its own servers for a variety of purposes:
- Health report
- Crash report
Other than calling home for diagnostics, there are other ways in which Firefox will automatically connect to sites, like for prefetching content, prefetching DNS or captive portal detection, or calling Google for its location services. It can even speculatively load the contents of the links on a website in case you decide to click on them (!!!).
Then we have search suggestions, which make queries as we type. We could even paste the wrong thing by mistake, like a password, and it would be sent directly to the search engine before we press enter.
If someone is determined to track us, fingerprinting is considered by many to be a lost battle, but that doesn’t mean that we just give in and give away our privacy carelessly. There is a scary number of leaks, tracking and fingerprinting opportunities that Firefox offers by default, like WebRTC leaks covered here before, inexperienced Tor users tending to forget to use SOCKS for DNS queries, or other straightforward ways to track users such as cookies or ETags.
Realize what we are dealing with already? This is just an overview to make people understand what we are dealing with, not a comprehensive list. You can look at the comments in user.js for good details on what each setting protects us from.
The beauty of user.js is that you are protected from most of these things by default.
You absolutely must read the official documentation because there are several things to look out for, but as an overview you have to copy user.js to your profile folder while Firefox is not running and that’s it. Of course, always back up your ~/.mozilla folder first.
Beware that you might lose data, and some websites might not work. Again, read the documentation on how to back up your profile, or even better, try things out in a new profile first.
Over time, we will have to perform some maintenance as some preferences might disappear, or we might need to clean them to defaults. For this, ghacks provides the Prefs Cleaner script. In order to upgrade, they also provide an updater script. Check their site for details.
My own user.js
The user.js file from ghacks, while great, is using very restrictive settings. It is awesome to deploy in a not too trusted system so you won’t leave any information behind such as cached files or history, but I find that too restrictive for my main machine.
Security is always a matter of compromise between protection and convenience. Many of these settings affect usability or have a noticeable performance impact, such as disabling HTTP2, caching, or prefetching. This is why everyone should tweak user.js tailored to their own use case.
In my case, I keep most of the preferences that protect me from leaks and fingerprinting but leave some things that really hurt performance and usability enabled. You are welcome to have my version as a reference or use it directly.
In order to install the Own Your Bits version (GitHub), we have two options:
Easy way: user-overrides.js
We can use the ghacks update script, updater.sh. Do the following while Firefox is not running.
# you have backed up ~/.mozilla by now, right?
git clone https://github.com/nachoparker/firefox-ownyourbits-user.js.git
# the files to copy live inside the cloned repository
cd firefox-ownyourbits-user.js
cp updater.sh user-overrides.js ~/.mozilla/firefox/<profilename>/
This means blindly applying the changes, so I recommend the second way.
Recommended way: user.js
This is a bit more advanced, but it is the approach I recommend. Just clone the repo, and pull the changes. You can use git to analyze what has changed, both from the ghacks side and from the Own Your Bits side. Then, just copy user.js to your Mozilla profile folder. Again, back up first, and remember that Firefox must not be running.
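Before copying a user.js into the profile, it helps to check what it will actually set once any overrides are appended. The following is an added example, not code from the ghacks or Own Your Bits repositories: it parses a user.js, applies the last-entry-wins rule, and reports where the effective values differ from the ones that switch off the automatic connections listed earlier. The pref names and the sample file are assumptions constructed for illustration; confirm them in about:config for your Firefox version.

```javascript
// Added example; pref names are assumptions to confirm in about:config.
const EXPECTED = {
  "datareporting.healthreport.uploadEnabled": false, // health report
  "network.prefetch-next": false,                    // link prefetching
  "network.dns.disablePrefetch": true,               // DNS prefetching
  "network.captive-portal-service.enabled": false,   // captive portal detection
  "network.http.speculative-parallel-limit": 0,      // speculative connections
  "browser.search.suggest.enabled": false,           // search suggestions
  "media.peerconnection.enabled": false,             // WebRTC
  "network.proxy.socks_remote_dns": true,            // DNS through the SOCKS proxy
};

// Strip /* */ and // comments (not string contents) so commented-out prefs don't count.
const stripComments = (src) =>
  src.replace(/"(?:\\.|[^"\\])*"|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g,
    (m) => (m[0] === '"' ? m : ""));

// Later user_pref() calls win, which is how an appended user-overrides.js works.
function effectivePrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*("(?:\\.|[^"\\])*"|true|false|-?\d+)\s*\)\s*;/g;
  const prefs = new Map();
  for (const [, name, raw] of stripComments(src).matchAll(re)) {
    prefs.set(name, JSON.parse(raw));
  }
  return prefs;
}

// One finding per expected pref that is unset or set to another value.
function audit(src, expected = EXPECTED) {
  const prefs = effectivePrefs(src);
  return Object.entries(expected)
    .filter(([name, want]) => prefs.get(name) !== want)
    .map(([name, want]) => ({ name, want, got: prefs.get(name) }));
}

// Constructed sample: a base user.js followed by appended overrides.
const SAMPLE = `
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.captive-portal-service.enabled", false);
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("browser.search.suggest.enabled", false);
// user_pref("media.peerconnection.enabled", false);
user_pref("network.proxy.socks_remote_dns", true);
/* user-overrides.js appended below */
user_pref("network.prefetch-next", true);
`;
console.log(audit(SAMPLE));
```

On the sample it reports two findings: link prefetching re-enabled by the override, and the WebRTC pref left unset because its line is commented out.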
Firefox is the best browser we have, but they don’t want to lose market share so in the end they sacrifice privacy for usability. If you have really strict privacy requirements and are willing to sacrifice performance and convenience you are better off using the Tor Browser, otherwise a curated user.js is a great option.