←back to thread

Hardening Firefox – a checklist for improved browser privacy

(andrewmarder.net)
263 points amarder | 10 comments | 30 Aug 25 11:26 UTC | HN request time: 0.833s | source | bottom
1. cookiengineer ◴[31 Aug 25 04:49 UTC] No.45080461[source]
This is kind of a stupid ChatGPT article.

No, this will not effectively help to reduce the fingerprint of your Browser.

A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OSCP, etc pp).

I wrote a more detailed article about this, and got an "as good as possible" as a result.

But yeah, please please start to use a Host Firewall where you can block on a per-domain and per-port and per-process basis (like LittleSnitch, OpenSnitch etc) to validate your assumptions. UIs will always lie to you, including the one from Firefox.

[1] https://cookie.engineer/weblog/articles/firefox-privacy-guid...

replies(6): >>45082458 #>>45082927 #>>45083160 #>>45083737 #>>45084270 #>>45085747 #
2. mahoro ◴[31 Aug 25 11:50 UTC] No.45082458[source]
Neat article.

I would add `layout.css.font-visibility=1` to hide all non-default fonts (makes a canvas font rendering test less useful).

3. binaryturtle ◴[31 Aug 25 13:16 UTC] No.45082927[source]
Yes, sadly Little Snitch (or a similar app) is required to tame Firefox. It's a real shame since they use "Privacy" as selling point, but for me that starts with being transparent about what they do behind the users' backs with very clear ways to disable any nonsense (no about:config or policy BS, but proper GUI exposed options), or even better with a proper opt-in to those "security" and comfort features.

It pretty much eroded any trust I had in this browser and Mozilla (they are no more better than Google, Meta, Apple in that regard.) If it wasn't for uBlock Origin and availability for older OSX versions I would ditch it (the Dynasty build is the only option I have for a recent browser on my old Mac.)

4. gruez ◴[31 Aug 25 13:53 UTC] No.45083160[source]
>No, this will not effectively help to reduce the fingerprint of your Browser.

Ironically many of your fingerprinting tweaks in your article make your more fingerprintable, because disabling random web APIs makes you stick out like a sore thumb (think https://xkcd.com/1105/). Besides, most of the configs you're modifying for anti-fingerprinting purposes are already covered by RFP.

>A LOT more tracking services are integrated into the Firefox browser in various places (like New Tab page, Sync, Pocket, Shavar, Google Safebrowsing, OSCP, etc pp).

Can you elaborate on how these services are "tracking"? Except for maybe safebrowsing, and OSCP, none of these services actually send information on what sites you visit. Unless you mean "tracking" to mean "make connections to the internet".

replies(1): >>45086817 #
5. wackget ◴[31 Aug 25 15:06 UTC] No.45083737[source]
My dream is a user-friendly network-level firewall of some kind which can selectively block requests to domains on the entire network level. Something like uMatrix but for your entire network.

Imagine being able to block `ads.google.com` or whatever from all of your devices at once but without having to rely on local DNS. Or being able to block `pornhub.com` from just some of your devices but not all of them.

I assume the technology to do this is readily available in the form of parental control software or enterprise/office firewalls. However on the consumer level I don't know of anything which does this effectively.

replies(1): >>45086835 #
6. ◴[31 Aug 25 16:11 UTC] No.45084270[source]
7. schiffern ◴[31 Aug 25 18:39 UTC] No.45085747[source]
Is this available as pastable text, ideally with the explanation parts as comment blocks?

Happy to see you recommend uBlock Origin and LocalCDN. I would humbly suggest ClearURLs might belong. Another excellent "set it and forget it" extension that skips common tracking redirects.

https://addons.mozilla.org/firefox/addon/clearurls/

https://github.com/ClearURLs/Addon

replies(1): >>45086944 #
8. cookiengineer ◴[31 Aug 25 20:33 UTC] No.45086817[source]
The real question is on what OSI layer are you willing to die.

TCP fingerprinting is a real threat and most surveillance systems can identify your unique connection pretty easily, thanks to the quantum surveillance technique where closer surrounding and compromised hops will send you packets faster than the actual endpoint because they are geographically closer to you.

A real privacy aware browser caches everything, and scatters requests as much as possible through different network paths, and farbles Web APIs of the most common system and browser combination (which is Microsoft Edge or Google Chrome on Windows/Android).

I tried to implement all that, but I gave up working on that after I've been targeted in 2021. Maybe I have the time to get back to it after I am done with my current mission.

9. ◴[31 Aug 25 20:36 UTC] No.45086835[source]
10. cookiengineer ◴[31 Aug 25 20:48 UTC] No.45086944[source]
Funny that you mention ClearURLs.

I was actually reading its codebase and wasn't happy with it due to potential sanitization problems with its regex usage and other things. So I kind of wrote it from scratch and it got to be something different.

But as always with my projects, nothing is ever really finished or usable.

[1] https://github.com/cookiengineer/defiant