I recently made a bit of a change to my setup, dividing up my browsing between Firefox for work, Librewolf for personal stuff, with Ungoogled Chromium sitting there for those times that I need that engine.
I’m especially interested, as I’ve only recently divided up my browsing like this, in anything that anyone has to say about LibreWolf best practices. I’ve already followed @bbbhltz’s suggestion below.
Cookie clearing on close has already thrown me for a loop when it comes to my home server, but I’ve opted for keeping it on and just whitelisting cookies from certain destinations. All and any tips are appreciated.
If nothing turns up here, LibreWolf.net has some social links in their banner.
One thing which might be helpful are Discourse bookmarks. If you bookmark one of the posts from this thread, you will have the option of setting a reminder. That way, if you want to revisit this topic in the future to post an update, you can get a notification from the system in a month or so.
For LibreWolf, as for many other Firefox forks, and any browser, less is more.
Loading up tonnes of extensions might seem like a great idea, but will only help with fingerprinting. My knowledge on that subject is quite basic.
When I first went down the rabbit hole, I came across a guide that makes lots of suggestions. It is quite opinionated, and looking at other articles on the site, it is clear that the author has lots of opinions. I cannot hold that against them. I followed the suggestions at Firefox Extensions – My Picks – 12Bytes.org and I still use many of them.
Fingerprinting, as I mentioned before, is something that I find hard to avoid. At some point, usability is lost, and I haven’t ever tried Tor Browser because my threat model doesn’t call for it.
I don’t know if those are the types of tips you were hoping to find, but I was in a sharing mood. I am always looking for the same types of tips, and I try to keep my Low Friction Introduction to Digital Privacy up to date, so I too would like some more tips.
Very easy to see that you teach there, @bbbhltz, from the quantity of citations. I very much appreciate the thoroughness of this and will be digging into it deeply on the weekend.
I will ensure that I see what I think could be added to this; from also a quick scan I accord with @Colin here. In particular, as people tend to position themselves as experts, I rarely see links in these kinds of things to ways that people can check their working. Teach a person to fish, and all that…
At home, you might try Firefox Relay. If you sign up for the Premium version, you can improvise an e-mail address at the cash register and it will just work without being set up in advance. And those Firefox addresses do not look like they are tied to a main e-mail username.
just as an FYI, LibreWolf uses a modified version of the arkenfox user.js, which is a good thing
i’ve been watching the project but haven’t used LW yet - it looks like they’re just applying a bunch of patches to Firefox and that’s probably just fine, but i don’t think there’s anything they’re doing that can’t be done with Firefox proper
that said, i think LW may be the better way to go for those that want to keep things simple, otherwise we get into arkenfox and updater and pref cleaner scripts and keeping all of that updated, which is actually quite easy, but there’s a little setup involved
one important item is to remember to keep LW updated because there is no auto-update/notification functionality far as i know, though if you’re on Linux you might find LW in your repo (it’s in the AUR i know)
if you have trouble with a site you can, if you wish, create a new profile instead of using another browser, but consider enabling ETP in that profile
i’m sure LW enables RFP (anti-fingerprinting) and ETP by default, but it’s worth double checking that Enhanced Tracking Protection is enabled ( about:preferences#privacy ) - make sure that’s set to ‘Strict’ - this enables dFPI/net partitioning which is super-important for anyone that cares about privacy
@bbbhltz already kindly mentioned some of my stuff, but there’s more here…
lastly, know that i am NOT a Firefox fanboy - i do not approve of Mozilla as a company, however in my personal opinion, Firefox is better suited to privacy enhancements than any other mainstream browser i’m aware of, including un-googled Chromium
I gathered that! I do check out your tech articles from time to time because your guides on Firefox are what made me realise that what I was doing in terms of protection was overkill — at least for my threat model. Very proactive of you to chime in like this.
yeah, the threat profile is a very personal thing and in that vein let me disclose the fact that i am not a Firefox, privacy, security or technical expert by any stretch - i don’t really feel qualified to be writing guides on Firefox privacy, however i’ve never found a comprehensive, step-by-step guide that covers configuration, add-ons, add-on configuration, profiles, search engines, etc., and so i wrote one, really more for me to refer to than anything else, but it grew from there
the arkenfox crew has been invaluable to my learning - there’s some very smart people involved in the project
anyway, anyone that really depends on security/privacy (journalists, whistleblowers, etc.) needs to look well beyond anything i can offer - my stuff i think fits the average Joe who wants to greatly reduce, but not necessarily eliminate, risks to privacy while still being able to browse the web without a ton of hassle
FWIW, all major browsers use partitioned cookies and cache, rendering LocalCDN useless.
Always avoid addons that inject content into the page since they are trivially fingerprintable. Seriously, I honestly think Mozilla should de-list addons like Canvas Fingerprint Defender; they basically broadcast their use.
When you use an adblocker, stay away from third party filters that include advanced filters containing scriptlets. You have to trust all your filter lists to not contain any vulnerabilities or malware. Many filter lists compile resources from other lists with minimal oversight given limited resources.
If you can get by without an addon, then do so. If you only want to use an enabled-everywhere addon on a handful of sites, your only option is Chromium since that allows selectively enabling addons on select sites and one-off enablement on a single tab on-click.
I’d reconsider Ungoogled-Chromium; if you turn off all the telemetry and safe-browsing in regular chromium, the only automatic connections it makes are for:
Opensearch updates (I think they stopped this).
Don’t take my word; use a packet sniffer with key logs for traffic decryption.
Ungoogled Chromium builds typically significantly weaken upstream’s hardening flags (esp. CFI, let alone their work on shadow call stacks) and hardened libs like ffmpeg, so if you run complex web apps and play media in the browser that might be relevant. I’d also double check to make sure extensions can be updated; they might have stubbed out the URL for extension updates.
I personally split my browsing between Firefox with Arkenfox and Chromium. Firefox for websites and Chromium for webapps. I disable JS by default and also disable JIT compilation (at least, until the V8 team lands the virtual memory cage for some more advanced JITsploitation mitigations).
I’d also think twice about LibreWolf’s fingerprinting defenses. The “resistfingerprinting” setting is an all-or-nothing game; turning it on makes you look like all other RFP users. Librewolf allows changing the color scheme to dark with RFP enabled; this makes you look identical to other LibreWolf users who have RFP and dark mode enabled, which is a population way smaller than regular RFP users; RFP is easily detectable, so this arguably makes users easier to identify. LW devs on GitHub seemed aware of this but haven’t rolled it back. I’d much rather stick with Arkenfox.
i may be very wrong since i haven’t used other browsers, but far as i know Firefox takes partitioning to a new level - much of the privacy stuff in FF is a result of the Tor Uplift Project which i think is unique to Firefox
LocalCDN is still useful for decreasing page load time, but yeah, it’s not needed from a privacy POV - also it’s my understanding that Firefox messes with these headers to increase privacy a bit - personally i no longer use it either
this is a problem with a lot of privacy add-ons such as user-agent spoofers, etc. - they are not good for privacy if one has RFP enabled (many are not good for privacy, period) - as you mentioned, less is more regarding add-ons
yeah, this is a problem - i suppose the easiest way to check for this is to diff the page source with the ext. loaded and unloaded - another way, but i’m not sure how accurate it is, is to check the add-on manifest for web accessible resources - Extension source viewer makes this really easy to do
absolutely - this is a must for anyone that cares about privacy/security - JS must be disabled globally, then enabled on a site-by-site basis only where it’s really needed
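The manifest check suggested in the post above can be scripted. This is an added example, not code from any poster in this thread: it reads `manifest.json` from an extension package and reports the declared `web_accessible_resources` and `content_scripts`. The function names and the sample add-on are constructed for illustration, and a static read like this only shows what the extension declares, not what it actually changes in a page.

```python
import io
import json
import zipfile

def audit_manifest(xpi_bytes):
    """Return what an extension package declares that pages could observe."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        manifest = json.loads(xpi.read("manifest.json").decode("utf-8-sig"))

    # Manifest V2 lists plain strings; Manifest V3 lists objects with "resources".
    exposed = []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            exposed.append(entry)
        else:
            exposed.extend(entry.get("resources", []))

    # Content scripts and stylesheets run inside every page that matches.
    injected = []
    for script in manifest.get("content_scripts", []):
        files = script.get("js", []) + script.get("css", [])
        for pattern in script.get("matches", []):
            injected.append((pattern, files))

    broad = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
    return {
        "name": manifest.get("name", "?"),
        "web_accessible_resources": sorted(exposed),
        "content_scripts": injected,
        "injects_everywhere": any(p in broad for p, _ in injected),
    }

def build_sample_xpi():
    """Constructed sample package (hypothetical add-on, not a real one)."""
    manifest = {
        "manifest_version": 2,
        "name": "Sample Canvas Shield",
        "version": "1.0",
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        "web_accessible_resources": ["page-hook.js", "img/icon.png"],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("manifest.json", json.dumps(manifest))
        xpi.writestr("inject.js", "// constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(audit_manifest(build_sample_xpi()), indent=2))
```

To audit an installed add-on, pass the bytes of its `.xpi` file from the profile's `extensions` directory to `audit_manifest`.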
I use userContent.css to block annoying cosmetic content for specific sites (with some tweaks for all sites). For example, Syosetu has a lot of annoying elements that get in the way of reading, so I have set them to display: none. So as of yet, I haven’t found a use for Stylus and don’t have it installed.