Out of the box, Firefox is already better at protecting your privacy than Google Chrome. If you follow these steps, you can configure your Firefox browser for maximum privacy and security. If you just want to use Tor, then stop here and just use Tor. But using a combo of Firefox, Brave, and Tor will keep you steps ahead in protecting your privacy online.
We will also be installing certain add-on extensions and we will be going under the hood to change some settings. These instructions are for your computer/desktop version of Firefox and could take about 15-20 minutes to complete. Be patient and do not feel obligated to do the whole thing. It can get technical at the end and you can always email me for help. I’ve taken these instructions and steps from many different sources and left the links below for you to do your own research, too. So, let’s begin.
Install a fresh copy of Mozilla Firefox. If you have used Firefox before, some of these steps will erase all your history from your browser, so proceed with caution.
Once installed, open the hamburger menu (the three lines in the top right corner) and click on Options.
Scroll all the way down to Network Settings, click the Settings button. Scroll all the way down and click the box to Enable DNS over HTTPS. From the drop down menu select NextDNS and click OK. Done.
Click Home on the left side menu. In the New Windows and Tabs section, select Blank Page from the drop down menus. Under Firefox home content, uncheck ALL the boxes. Done.
Click Search on the left side menu. I choose the Add search bar in toolbar option, so I can add more privacy-focused search engines listed in the Bonus section below. Now, under Default Search Engine, we are going to select DuckDuckGo from the drop down menu. Uncheck ALL the boxes under Search Suggestions. Under One Click Search engines, we are going to click on and select Google, then click Remove. Do the same and remove Bing, Amazon.com, eBay, Twitter, Wikipedia. When done, only DuckDuckGo should be in the list. Bonus: You can add two additional privacy-respecting search engines. Go to www.startpage.com and www.qwant.com. When you visit these pages, you’ll notice a green + sign in the magnifying glass in the Search box next to the address bar. This will let you add Startpage and Qwant as another search engine. Done.
Click Privacy & Security on the left side menu. Under Enhanced Tracking Protection, click and select Strict. Under Cookies and Site Data, check the box Delete cookies and site data when Firefox is closed. Under Logins and Passwords, uncheck Ask to save logins and passwords for websites. Uncheck Autofill addresses under Forms and autofill. Under History, select Use custom settings for history. Next, check Always use private browsing mode, then click Restart. Go back to the menu > Options > Privacy & Security. Scroll down back to History. Click the History button and check all the boxes. Under Address bar, uncheck all the boxes. For Permissions, we are going to click on Location, Camera, Microphone and Notifications Settings buttons. Toward the bottom, check the box that says Block new requests asking to access your location, camera, microphone, and notifications. Then click Save Changes. By default, Mozilla will collect some information from your Firefox browser. This is not good. But it’s easy to turn it off with a single click. So uncheck all boxes under Firefox Data Collection and Use. Blocking dangerous and deceptive content might be useful for secure browsing, but this service is provided by Google Safe Browsing, which you actually don’t see here. So I choose to not trust Google with my security. Uncheck all boxes under Security. Done.
Now let’s install some extensions! You can click the links below to install these three important extensions. NOTE: After you install and click Add, you will be given the option to allow the extension to run in private mode. Check that box to allow.
uBlock Origin is an efficient wide-spectrum blocker that is easy on memory, and yet can load and enforce thousands more filters than other popular blockers out there. It has no monetization strategy and is completely open source. Stay tuned for my instructions on how to configure uBlock Origin for even more privacy and security protection!
HTTPS Everywhere enables encryption of your connections to many major websites, making your browsing more secure. It is a collaboration between The Tor Project and the Electronic Frontier Foundation.
Decentraleyes emulates Content Delivery Networks locally by intercepting requests, finding the required resource, and injecting it into the environment. This all happens instantaneously, automatically, and no prior configuration is required.
Cookie AutoDelete automatically removes cookies, lingering sessions, and other information that can be used to spy on you when they are no longer used by open browser tabs.
(Optional) Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. Privacy Badger learns about trackers as you browse.
(Optional) Bitwarden is a free and open-source password manager (and you should be using a password manager!). It aims to solve password management problems for individuals, teams, and business organizations. Bitwarden is among the easiest and safest solutions to store all of your logins and passwords while conveniently keeping them synced between all of your devices.
(Optional) Terms of Service; Didn’t Read is an addon that believes “I have read and agree to the Terms of Service” is the biggest lie on the web, and wants to fix it by grading websites based on their terms of service agreements and privacy policies. It also gives short summaries of those agreements. The analysis and ratings are published transparently by a community of reviewers.
Now, we are going to configure under the hood settings with the recommendations from PrivacyTools.io to really lock down Firefox.
First, we are going to disable WebRTC. WebRTC is a new communication protocol that relies on JavaScript that can leak your actual IP address from behind your VPN. Bad.
To demonstrate this leak, click here to test your browser. In the section Your IP addresses – WebRTC detection you will see an IP address listed in the box. Now let’s get rid of this.
Enter “about:config” in the Firefox address bar and press Enter. Press the button “Accept the Risk and Continue”. Search for “media.peerconnection.enabled”. Double click the entry; the column “Value” should now be “false”. Pretty easy, right? To see if we did this correctly, click here. In the same section, it should now say: No leak, RTCPeerConnection not available. Done.
If you want to make sure every single WebRTC-related setting is really disabled, change these settings and make sure the Value matches what is below:
- media.peerconnection.turn.disable = true
- media.peerconnection.use_document_iceservers = false
- media.peerconnection.video.enabled = false
- media.peerconnection.identity.timeout = 1
The following is a collection of more privacy-related about:config tweaks. This will enhance the privacy of your Firefox browser.
privacy.resistFingerprinting = true
A result of the Tor Uplift effort, this preference makes Firefox more resistant to browser fingerprinting.
privacy.trackingprotection.fingerprinting.enabled = true
Blocks Fingerprinting
privacy.trackingprotection.cryptomining.enabled = true
Blocks CryptoMining
privacy.trackingprotection.enabled = true
This is Mozilla’s new built-in tracking protection. It uses Disconnect.me filter list, which is redundant if you are already using uBlock Origin 3rd party filters, therefore you should set it to false if you are using the add-on functionalities.
browser.send_pings = false
The ping attribute on links would be useful for letting websites track visitors’ clicks.
browser.sessionstore.max_tabs_undo = 0
Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs.
browser.urlbar.speculativeConnect.enabled = false
Disable preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types into the address bar, which is a concern if URLs are suggested that the user does not want to connect to.
dom.event.clipboardevents.enabled = false
Stops websites from being notified when you copy, paste, or cut something from a web page, and from learning which part of the page had been selected.
media.eme.enabled = false
Disables playback of DRM-controlled HTML5 content, which, if enabled, automatically downloads the Widevine Content Decryption Module provided by Google Inc.
DRM-controlled content that requires the Adobe Flash or Microsoft Silverlight NPAPI plugins will still play, if installed and enabled in Firefox.
media.gmp-widevinecdm.enabled = false
Disables the Widevine Content Decryption Module provided by Google Inc., used for the playback of DRM-controlled HTML5 content.
media.navigator.enabled = false
Websites can track the microphone and camera status of your device.
network.cookie.cookieBehavior = 1
Disable cookies
- 0 = Accept all cookies by default
- 1 = Only accept from the originating site (block third-party cookies)
- 2 = Block all cookies by default
network.http.referer.XOriginPolicy = 2
Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.)
- 0 = Send Referer in all cases
- 1 = Send Referer to same eTLD sites
- 2 = Send Referer only when the full hostnames match
network.http.referer.XOriginTrimmingPolicy = 2
When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests.
- 0 = Send full url in Referer
- 1 = Send url without query string in Referer
- 2 = Only send scheme, host, and port in Referer
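To see how the two Referer preferences interact, here is a small model of the values listed above. It is an added example, not Firefox's code: the function names and URLs are made up, it ignores any Referrer-Policy a site sets, and "same eTLD" is approximated by the last two hostname labels (Firefox uses the Public Suffix List).

```python
from urllib.parse import urlsplit

def _origin(u):
    """scheme://host[:port] for a parsed URL."""
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}"

def _base_domain(host):
    # Assumption: last two labels stand in for the registrable domain.
    return ".".join(host.split(".")[-2:])

def referer_sent(page_url, target_url, xorigin_policy=0, trimming_policy=0):
    """Return the Referer value sent from page_url to target_url, or None."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    # XOriginPolicy decides WHETHER a Referer is sent at all.
    if xorigin_policy == 2 and src.hostname != dst.hostname:
        return None
    if xorigin_policy == 1 and _base_domain(src.hostname) != _base_domain(dst.hostname):
        return None
    # XOriginTrimmingPolicy decides HOW MUCH is sent on cross-origin requests.
    origin = _origin(src)
    path = src.path or "/"
    full = origin + path + (f"?{src.query}" if src.query else "")
    if origin == _origin(dst) or trimming_policy == 0:
        return full
    if trimming_policy == 1:
        return origin + path
    return origin + "/"

# Constructed sample URLs.
PAGE = "https://shop.example.com/cart?item=42"

if __name__ == "__main__":
    for target in ("https://shop.example.com/checkout",
                   "https://cdn.example.com/lib.js",
                   "https://tracker.test/p.gif"):
        for policy in (1, 2):
            print(policy, target, "->", referer_sent(PAGE, target, policy, 2))
```

With XOriginPolicy = 2 the subdomain request gets no Referer at all, which is where breakage tends to come from; the fallback of 1 plus trimming 2 still sends one, but only the scheme, host, and port.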
webgl.disabled = true
WebGL is a potential security risk.
browser.sessionstore.privacy_level = 2
This preference controls when to store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data.
- 0 = Store extra session data for any site. (Default starting with Firefox 4.)
- 1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)
- 2 = Never store extra session data.
network.IDN_show_punycode = true
Not rendering IDNs as their Punycode equivalent leaves you open to phishing attacks that can be very difficult to notice.
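Once the values are set, you can check that they stuck by reading the prefs.js file in your Firefox profile folder, where Firefox stores every preference you have changed from its default. The script below is an added example, not part of the sources this guide draws on; it checks a subset of the values above, and the function names and sample file contents are made up for illustration.

```python
import re

# Subset of the values recommended on this page (about:config name -> value).
RECOMMENDED = {
    "media.peerconnection.enabled": False,
    "media.peerconnection.identity.timeout": 1,
    "privacy.resistFingerprinting": True,
    "network.cookie.cookieBehavior": 1,
    "network.http.referer.XOriginPolicy": 2,
    "webgl.disabled": True,
}
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=RECOMMENDED):
    """Map each recommended pref to 'ok', 'default' (not user-set) or a mismatch."""
    actual = parse_prefs(text)
    report = {}
    for name, want in expected.items():
        have = actual.get(name)
        if name not in actual:
            report[name] = "default"  # absent from prefs.js: Firefox default applies
        elif type(have) is type(want) and have == want:
            report[name] = "ok"
        else:
            report[name] = f"mismatch: found {have!r}, want {want!r}"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE = """// Mozilla User Preferences
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.identity.timeout", true);
user_pref("webgl.disabled", false);
user_pref("network.cookie.cookieBehavior", 1);
"""
```

Call `audit(open(path).read())` with the path to your own prefs.js; a result of "default" means the preference was never changed, so go back to about:config and set it.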
And there you have it! You’ve taken a huge step to protecting your online privacy!