Practical Privacy Best Practices - Part 1, Firefox

Posted on 18 Nov 2020 by Ray Heffer

I cringe when I see a fellow IT professional use their web browser, only to see the screen is filled with ads. It’s not the content of the ads themselves that I dislike, well actually that too, but it’s the third-party tracking cookies that are part of the payload. Yes, I said payload. Much like the soldiers that hid inside of a wooden horse to enter the city of Troy, tracking cookies are also hiding inside of those ads, and sometimes they contain malware. But why should you care? After all, don’t they just serve up more relevant ads by tracking your interests?

Earlier this year (2020), The New York Times published a series of articles called The Privacy Project, and one such article highlighted this very issue, Why You Should Take a Close Look at What Tracks You. It happens in the physical world as well, with Bluetooth and WiFi beacons in stores and shopping centers, and automatic license-plate readers (ALPR) on our roads, parking lots, venues, and neighborhoods. Yes, you heard that right. Neighborhoods.

I don’t like being tracked, at all. The nothing to hide argument is also ridiculous so I won’t even entertain that here. The fact is that our data is being collected, and the organizations collecting it will invariably suffer a data breach or leak at some point in time, and I don’t want my personal information in the wrong hands. Not to mention that fact that health, home, and auto insurance companies want this data too, and depending on how they profile you, it can increase your insurance premium.

Sorry to drop that bombshell on you, but honestly this is only scratching the surface. Like security, privacy is a sliding scale which at some point tips over the edge of inconvenience that many people are just unwilling to deal with. That’s fine, I get it. This is why I decided to write this multi-part blog series to go over some of the basics that shouldn’t tip the scale into hair loss, but protect you from obvious threats.

Think about it this way, next time you roam around Barcelona staring at your iPhone, expect to be pick-pocketed. I don’t mean to pick on Barcelona, but that’s just a place that many of my friends have fallen victim to. My point is, unless you take some basic and necessary security and privacy measures, then it is just a matter of time before you end up with malware on your computer, or your personal information leaked in some poorly configured cloud database. Take a look at HaveIBeenPwned or DeHashed to see if your own email address is listed in any breaches.

Disclaimer

This blog series is aimed at practical privacy. The kind of privacy measures you’d expect the average internet user to adopt, and not someone in witness protection or fleeing their country in danger of their life. This level of privacy requires more than a VPN and well configured web browser, therefore it’s not in the scope of this article. I recently saw a Reddit post by someone fleeing a sex trafficking situation, in genuine fear for their life. If that is you, then look into using Tails on a bootable USB stick, erase and throw away your phone and SIM card, buy a burner phone with cash, and use a pre-paid SIM card in an alias name. Use cash only, gift Visa cards purchased with cash, or privacy.com. Always use a VPN. That’s just a start, for the rest you should head over to IntelTechniques. I’m not affiliated with any URLs on this page.

Firefox

I’ve been using Firefox as my primary browser for the past 5 years, and while it’s far from perfect, it’s the best option in my opinion. That said, the default installation isn’t adequate so here are my recommendations.

Preferences

1. Downloads (Preferences > General)

Disable automatic downloads by enabling the prompt to ‘Always ask you where to save files’.

2. Home (Preferences > Home)

  • Set the default homepage to https://duckduckgo.com
  • Disable all Firefox Home content by deselecting Web Search, Top Sites, Highlights, and Snippets.
  • Ensure New Tabs is set to ‘Blank Page’

  • Set Default Search Engine to DuckDuckGo
  • Disable Search Suggestions (optional) - I recommend only enabling ‘Show search suggestions in address bar results’
  • Set Search Shortcuts to DuckDuckGo only (deselect or remove the others)

4. Browser Privacy (Preferences > Privacy & Security)

  • Set Enhanced Tracking Protection to Strict

If this breaks too many sites, go ahead and change it back to Standard. Use what works for you.

v

  • Enable ‘Delete cookies and site data when Firefox is closed’
  • Click on Manage Exceptions and add any sites you want to retain cookies for. I do this for sites I use every day, and you can wildcard entire domains (E.g. https://twitter.com)
  • Deselect all items in Login and Passwords. I never use the browser to store these things, instead use KeePassXC or BitWarden.
  • Select ‘Use custom settings for history’ in the History dropdown, and deselect all options. Cookies for sites we enabled in Manage Exceptions will still be kept.

  • Under Address Bar, select only Bookmarks and deselect everything else.
  • For each of the following permissions, click on ‘Settings…’ and then select ‘Block new requests…’ at the bottom of each
    • Location
    • Camera
    • Microphone
  • Finally, deselect all options in Firefox Data Collection and Use.

Note: Don’t enable Sync, or sign into Firefox. I don’t add / change my bookmarks very often, so I simply export them to an HTML file as a backup every now and then. Alternatively you might want to consider a bookmarks sync add-on such as xBrowserSync (see below).

Add-Ons

I don’t like to add too many add-ons, since the more you add will increase the potential of one of them being vulnerable to attack or making your browser more unique for fingerprinting. Panopticlick is a useful tool to see how unique your browser fingerprint is. I’m actually writing this article in VS Code on an Ubuntu virtual machine, and my browser fingerprint actually picks up VMware, Inc.~SVGA3D for the WebGL Vendor. In other words it knows I’m using a virtual machine, and the User Agent reveals I’m using Ubuntu with Firefox v83.0. Scary huh!

Here are the 3 essential add-ons, that I would install without question:

  1. uBlock Origin
  2. HTTPS Everywhere
  3. User Agent Switcher

Optional Add-Ons

I am hesitant to recommend any optional add-ons since I don’t deem them as essential. However, since we don’t use Firefox Sync many folks want a way to sync their bookmarks. In the past I’ve used xBrowserSync, which encrypts / decrypts your bookmarks client-side and it also open-source. Open-source doesn’t equal secure, but if you must use a bookmark sync too, this is my preferred option.

Another add-on worthy of a mention is Multi-Account Containers by Firefox. I have this setup so that Twitter is isolated to one container, so any sites using Twitter embedded code (such as this post for comments at the bottom of the page), will not be signed-in with my Twitter account. I do the same for any sites that require signing into, and it essentially sandboxes each site so there can be no cross-site cookies or tracking. For family members that demand to use Facebook, I do two things. First, I urge them to delete their Facebook account and watch The Social Dilemma. Second, if that fails I install Multi-Account Containers which at least isolates Facebook so it can’t track your other activity.

Final Thoughts

This is the first part of a multi-part series. In part 2, I’ll share how I’ve configured pfSense as my router / firewall running multiple active VPN clients. I’ll share how I use a combination of Windscribe, Mullvad, ProtonVPN, and my own PiVPN clients, with multiple VLANs, separating IoT, WiFi, and other devices on my home network.

Keep the conversation going on Twitter!

Reply with Twitter