Any tips on LibreWolf?

I recently made a bit of a change to my setup, dividing up my browsing between Firefox for work, Librewolf for personal stuff, with Ungoogled Chromium sitting there for those times that I need that engine.


I’ve been a Firefox loyalist for years, seeing the support of Gecko as a thing which gives some hope for the future, but I know that this is likely pollyannaish given the fact that Mozilla is pretty heavily dependent upon Google.

I’m especially interested, as I’ve only recently divided up my browsing like this, in anything that anyone has to say about LibreWolf best practices. I’ve already followed @bbbhltz’s suggestion below.

Cookie clearing on close has already thrown me for a loop when it comes to my home server, but I’ve opted for keeping it on and just whitelisting cookies from certain destinations. All and any tips are appreciated.

3 Likes

If nothing turns up here, LibreWolf.net has some social links in their banner.

One thing which might be helpful is Discourse bookmarks. If you bookmark one of the posts from this thread, you will have the option of setting a reminder. That way, if you want to revisit this topic in the future to post an update, you can get a notification from the system in a month or so.

2 Likes

For LibreWolf, as for many other Firefox forks, and any browser, less is more.

Loading up tonnes of extensions might seem like a great idea, but will only help with fingerprinting. My knowledge on that subject is quite basic.

When I first went down the rabbit hole, I came across a guide that makes lots of suggestions. It is quite opinionated, and looking at other articles on the site, it is clear that the author has lots of opinions. I cannot hold that against them. I followed the suggestions at Firefox Extensions – My Picks – 12Bytes.org and I still use many of them.

For example, I still use:

And I use many of the suggestions made here: uBlock Origin Suggested Settings – 12Bytes.org. With the addition of a custom host list found here GitHub - d3ward/toolz: A set of web tools to check, verify, and test.

Finally, I play around with different settings with the hopes of getting better results on some of these tests:

Fingerprinting, as I mentioned before, is something that I find hard to avoid. At some point, usability is lost, and I haven’t ever tried Tor Browser because my threat model doesn’t call for it.

I don’t know if those are the types of tips you were hoping to find, but I was in a sharing mood. I am always looking for the same types of tips, and I try to keep my Low Friction Introduction to Digital Privacy up to date, so I too would like some more tips.

2 Likes

Fantastic @bbbhltz, thanks for sharing. Not looked at all of this, but your Low Friction Introduction to Digital Privacy is superb. Since you might not see it, I’ll mention that we’ve put it out on Twitter.

1 Like

Thanks, I wouldn’t have noticed that at all.

1 Like

Very easy to see that you teach there, @bbbhltz, from the quantity of citations. I very much appreciate the thoroughness of this and will be digging into it deeply on the weekend.

I will ensure that I see what I think could be added to this; from also a quick scan I accord with @Colin here. In particular, as people tend to position themselves as experts, I rarely see links in these kinds of things to ways that people can check their working. Teach a person to fish, and all that…

1 Like

I liked the Humane Tech link near the bottom.


You might also like to know that Fastmail offers Masked Email. And those addresses can be automatically generated by the 1Password extension.

At home, you might try Firefox Relay. If you sign up for the Premium version, you can improvise an e-mail address at the cash register and it will just work without being set up in advance. And those Firefox addresses do not look like they are tied to a main e-mail username.

Mike

2 Likes

hi @Josh :slightly_smiling_face:

just as an FYI, LibreWolf uses a modified version of the arkenfox user.js, which is a good thing

i’ve been watching the project but haven’t used LW yet - it looks like they’re just applying a bunch of patches to Firefox and that’s probably just fine, but i don’t think there’s anything they’re doing that can’t be done with Firefox proper

that said, i think LW may be the better way to go for those that want to keep things simple, otherwise we get into arkenfox and updater and pref cleaner scripts and keeping all of that updated, which is actually quite easy, but there’s a little setup involved

one important item is to remember to keep LW updated because there is no auto-update/notification functionality far as i know, though if you’re on Linux you might find LW in your repo (it’s in the AUR i know)

if you have trouble with a site you can, if you wish, create a new profile instead of using another browser, but consider enabling ETP in that profile

i’m sure LW enables RFP (anti-fingerprinting) and ETP by default, but it’s worth double checking that Enhanced Tracking Protection is enabled ( about:preferences#privacy ) - make sure that’s set to ‘Strict’ - this enables dFPI/net partitioning which is super-important for anyone that cares about privacy

@bbbhltz already kindly mentioned some of my stuff, but there’s more here

lastly, know that i am NOT a Firefox fanboy - i do not approve of Mozilla as a company, however in my personal opinion, Firefox is better suited to privacy enhancements than any other mainstream browser i’m aware of, including un-googled Chromium

2 Likes

I gathered that! I do check out your tech articles from time to time because your guides on Firefox are what made me realise that what I was doing in terms of protection was overkill — at least for my threat model. Very proactive of you to chime in like this.

2 Likes

yeah, the threat profile is a very personal thing and in that vein let me disclose the fact that i am not a Firefox, privacy, security or technical expert by any stretch - i don’t really feel qualified to be writing guides on Firefox privacy, however i’ve never found a comprehensive, step-by-step guide that covers configuration, add-ons, add-on configuration, profiles, search engines, etc., and so i wrote one, really more for me to refer to than anything else, but it grew from there

the arkenfox crew has been invaluable to my learning - there’s some very smart people involved in the project

anyway, anyone that really depends on security/privacy (journalists, whistleblowers, etc.) needs to look well beyond anything i can offer - my stuff i think fits the average Joe who wants to greatly reduce, but not necessarily eliminate, risks to privacy while still being able to browse the web without a ton of hassle

2 Likes

Well, that tweet led to a fix ha #1 - Pull Requests are disabled / found via link fix in article - bbbhltz/pages - Codeberg.org

2 Likes

It’s a very good point and thanks, I’ll make sure I keep on top of them.

Done and done, protected as expected, but I had not checked that out.

Bookmarked the link also, on:

My current stack is Firefox / LibreWolf and then Un-googled Chromium for when I find there’s some need for their engine. Fully with you on Mozilla.

Definitely could’ve fooled me :smile:

FWIW, all major browsers use partitioned cookies and cache, rendering LocalCDN useless.

Always avoid addons that inject content into the page since they are trivially fingerprintable. Seriously, I honestly think Mozilla should de-list addons like Canvas Fingerprint Defender; they basically broadcast their use.

When you use an adblocker, stay away from third party filters that include advanced filters containing scriptlets. You have to trust all your filter lists to not contain any vulnerabilities or malware. Many filter lists compile resources from other lists with minimal oversight given limited resources.

If you can get by without an addon, then do so. If you only want to use an enabled-everywhere addon on a handful of sites, your only option is Chromium since that allows selectively enabling addons on select sites and one-off enablement on a single tab on-click.

I’d reconsider Ungoogled-Chromium; if you turn off all the telemetry and safe-browsing in regular chromium, the only automatic connections it makes are for:

  • component updates
  • extension updates
  • langpack updates
  • Opensearch updates (I think they stopped this).

Don’t take my word; use a packet sniffer with key logs for traffic decryption.

Ungoogled Chromium builds typically significantly weaken upstream’s hardening flags (esp. CFI, let alone their work on shadow call stacks) and hardened libs like ffmpeg, so if you run complex web apps and play media in the browser that might be relevant. I’d also double check to make sure extensions can be updated; they might have stubbed out the URL for extension updates.

I personally split my browsing between Firefox with Arkenfox and Chromium. Firefox for websites and Chromium for webapps. I disable JS by default and also disable JIT compilation (at least, until the V8 team lands the virtual memory cage for some more advanced JITsploitation mitigations).

I’d also think twice about LibreWolf’s fingerprinting defenses. The “resistfingerprinting” setting is an all-or-nothing game; turning it on makes you look like all other RFP users. Librewolf allows changing the color scheme to dark with RFP enabled; this makes you look identical to other LibreWolf users who have RFP and dark mode enabled, which is a population way smaller than regular RFP users; RFP is easily detectable, so this arguably makes users easier to identify. LW devs on GitHub seemed aware of this but haven’t rolled it back. I’d much rather stick with Arkenfox.

4 Likes
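An added example, not part of the original post: one way to audit a filter list for the scriptlet rules mentioned above before subscribing to it. The rule markers it looks for (uBlock Origin `##+js(`, legacy `##script:inject(`, AdGuard `#%#//scriptlet(` and raw `#%#` JavaScript rules) are the syntax assumed here, and the sample list is constructed.

```python
import re

# Syntax assumed: uBlock Origin "##+js(name, ...)" (legacy "##script:inject(name, ...)"),
# AdGuard "#%#//scriptlet('name', ...)" and AdGuard raw JavaScript rules "#%#<code>".
# Exception rules ("#@#+js(", "#@%#") only switch a scriptlet off and are not counted.
PATTERNS = [
    ("ubo-scriptlet", re.compile(r"^([^#]*)##(?:\+js|script:inject)\(\s*([^,)\s]*)")),
    ("adguard-scriptlet", re.compile(r"^([^#]*)#%#//scriptlet\(\s*['\"]([^'\"]+)")),
    ("adguard-raw-js", re.compile(r"^([^#]*)#%#()")),
]

def audit_filter_list(text):
    """Return (total_rules, hits); each hit is (line_no, kind, domains, scriptlet_name)."""
    total, hits = 0, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "![":      # blank line, comment, or list header
            continue
        total += 1
        for kind, pattern in PATTERNS:       # first match wins: scriptlet before raw JS
            m = pattern.match(line)
            if m:
                hits.append((line_no, kind, m.group(1) or "*", m.group(2) or "inline"))
                break
    return total, hits

# Constructed sample list (not a real filter list).
SAMPLE_LIST = """\
! Title: constructed sample list
[Adblock Plus 2.0]
||ads.example.net^
example.com##.banner
example.com##+js(set-constant, adsEnabled, false)
news.example.org#%#//scriptlet('abort-on-property-read', 'adblockDetect')
shop.example.org#%#window.trackingOff = true;
example.com#@#+js(set-constant, adsEnabled, false)
"""

if __name__ == "__main__":
    total, hits = audit_filter_list(SAMPLE_LIST)
    print(f"{len(hits)} of {total} rules inject script")
    for hit in hits:
        print(hit)
```

A domain of `*` in the output marks a rule with no hostname restriction, which deserves the closest look.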

i may be very wrong since i haven’t used other browsers, but far as i know Firefox takes partitioning to a new level - much of the privacy stuff in FF is a result of the Tor Uplift Project which i think is unique to Firefox

LocalCDN is still useful for decreasing page load time, but yeah, it’s not needed from a privacy POV - also it’s my understanding that Firefox messes with these headers to increase privacy a bit - personally i no longer use it either

this is a problem with a lot of privacy add-ons such as user-agent spoofers, etc. - they are not good for privacy if one has RFP enabled (many are not good for privacy, period) - as you mentioned, less is more regarding add-ons

yeah, this is a problem - i suppose the easiest way to check for this is to diff the page source with the ext. loaded and unloaded - another way, but i’m not sure how accurate it is, is to check the add-on manifest for web accessible resources - Extension source viewer makes this really easy to do

absolutely - this is a must for anyone that cares about privacy/security - JS must be disabled globally, then enabled on a site-by-site basis only where it’s really needed

many sites are using these annoying loader div’s to hide all content until the page is fully loaded and this depends on JS - in most cases you can circumvent this without enabling JS by using something like Stylus to inject some CSS - this is very easy to do, see: Display website content hidden by JavaScript

2 Likes
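An added example, not part of the original post: the manifest check described above, done offline against an add-on's `.xpi` file (a zip archive) instead of through a viewer extension. It lists the `web_accessible_resources` and `content_scripts` a manifest declares, handling both the Manifest V2 and V3 layouts; the add-on names and manifests are constructed samples.

```python
import io
import json
import zipfile

def build_sample_xpi(manifest):
    """Constructed sample: an in-memory .xpi (a zip archive) holding only manifest.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

def page_visible_surface(xpi_bytes):
    """Summarise what the manifest declares that a web page could observe."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as archive:
        # Assumes strict JSON; a manifest with // comments needs them stripped first.
        manifest = json.loads(archive.read("manifest.json"))
    resources = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):      # Manifest V2: a plain list of paths
            resources.append(entry)
        else:                           # Manifest V3: {"resources": [...], "matches": [...]}
            resources.extend(entry.get("resources", []))
    injected = []
    for script in manifest.get("content_scripts", []):
        files = script.get("js", []) + script.get("css", [])
        if files:
            injected.append({"matches": script.get("matches", []), "files": files})
    return {
        "name": manifest.get("name", "?"),
        "web_accessible_resources": sorted(set(resources)),
        "content_scripts": injected,
        "needs_review": bool(resources or injected),
    }

# Constructed manifests with made-up add-on names, one per case.
SAMPLES = [
    {"manifest_version": 2, "name": "Sample Canvas Shield",
     "web_accessible_resources": ["inject.js"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]},
    {"manifest_version": 3, "name": "Sample Styler",
     "web_accessible_resources": [{"resources": ["ui/panel.html"], "matches": ["<all_urls>"]}]},
    {"manifest_version": 2, "name": "Sample Background Only",
     "background": {"scripts": ["bg.js"]}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(page_visible_surface(build_sample_xpi(sample)))
```

An add-on can also inject scripts programmatically without declaring either key, so an empty result does not prove it leaves pages untouched; the page-source diff mentioned in the post covers that case.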

many sites are using these annoying loader div’s to hide all content until the page is fully loaded and this depends on JS - in most cases you can circumvent this without enabling JS by using something like Stylus to inject some CSS - this is very easy to do, see: https://12bytes.org/articles/tech/firefox/firefox-tweaks-and-fixes-and-things/#Display_website_content_hidden_by_JavaScript

Thanks for this! However, if you’re using Firefox, you can probably accomplish this with your userContent.css file: UserContent.css - MozillaZine Knowledge Base

I noticed you actually talk about userContent.css and have some recommendations on the page you’ve linked, but when you say:

however i would recommend using the Stylus add-on instead because it makes working with CSS much easier.

Is this because you have many different stylesheets that you want to manage in separate files?

As you say, you’ll have to enable it in about:config for modern builds of Firefox; it seems like Mozilla wants to get rid of it and userChrome eventually: Firefox 69: userChrome.css and userContent.css disabled by default - gHacks Tech News

I use userContent.css to block annoying cosmetic content for specific sites (with some tweaks for all sites). For example, Syosetu has a lot of annoying elements that get in the way of reading, so I have set them to display: none. So as of yet, I haven’t found a use for Stylus and don’t have it installed.

1 Like

hi gnome - yes, i use Stylus because i’m injecting many CSS snippets in many different sites and Stylus makes this extremely easy and quick to do (assuming a basic knowledge of CSS of course)

it also does word completion, syntax highlighting, auto-indentation and error checking

it can also work in real-time (WYSIWYG) and it makes it super easy to disable and debug styles per-domain or globally without having to restart the browser

one can certainly get by without it, especially if you’re only injecting a few styles, but for me it’s a super valuable extension by an ethical developer

lastly, i recommend Stylus specifically - there are a few other CSS injection add-ons that collect data - from the Stylus AMO page…

Unlike other similar extensions, we don’t find you to be all that interesting. Your questionable browsing history should remain between you and the NSA. Stylus collects nothing. Period.

2 Likes