Danschmid

In this tutorial, I explain how to install the Firefox browser under FreeBSD and also set it up with privacy.

Mozilla Firefox is a free, open-source web browser. It's small, fast, and easy to use, and has many advanced features:

• Pop-up blockers
• extensions
• customizable appearance
• improved security

We can installthe Firefox browser with the following command:

$: doas pkg install firefox

Improve privacy

The Firefox browser is inherently privacy-conscious. But I'll show you how to get even more security and privacy out of Firefox.

about:preferences

First, we enter “about:preferences” in the address line, and this brings us to the settings.

Generally

In the general settings, we will deactivate the following options:

• Recommend extensions while browsing
• Recommend functions while browsing

Home

Here, we will disable the following options:

• Important pages
• Recommended by Pocket
• overview
• Brief information

search

We will remove all existing search engines and use Searx as the only standard search engine.

But what is SearXNG? It is a free metasearch engine that protects users' privacy. To complete this, Searx does not share users' IP addresses or search history with the search engines from which it collects results. Here; you can find more information about SearXNG.

To add Searx as a search engine, we search here, an instance that we want to use and open it.

Then, we click with the right click in the address bar, and we select the Add Search Engine option from the menu.

Now, we can set SearXNG as the default search engine in the search settings.

Another great alternative are:

• Qwant is a search engine with no user tracking and no filter bubble
• Startpage is a search engine that provides Google search results with complete privacy protection

Privacy

Under the item improved protection against activity tracking, we will select the Custom option and set the following settings.

• Cookies: all third-party cookies (some websites may no longer work)
• Activity tracking content: in all windows
• Secret digital currency calculator (crypto miner)
• Identifier (fingerprint)

When websites send “Do Not Track” information that their activities should not be tracked, we always set this option.

Under Cookies and website data, we will activate the following:

• Delete cookies and website data when you quit Firefox

In the next step, we will deactivate the option to save access data and passwords.

And finally, we will deactivate the following options under Data collection by Firefox and its use:

• Allow Firefox to send data on technical details and interactions to Mozilla
• Allow personalized extension recommendations through Firefox
• Allow Firefox to install and run studies

about:config

Next, we go to the about:config page, then we can set further security-relevant options.

We type “about:config” in the Firefox address bar and press Enter. Then we press the “Accept risk and continue” button.

To change settings here, we copy the following settings (e.g., “webgl.disabled”), paste them into the search bar and set them to the specified value (e.g., “true”).

Disable telemetry

With the following changes, we will disable the Firefox telemetry:

• browser.newtabpage.activity-stream.feeds.telemetry = false
• browser.ping-centre.telemetry = false
• browser.tabs.crashReporting.sendReport = false
• devtools.onboarding.telemetry.logged = false
• toolkit.telemetry.enabled = false
• Delete the URL for toolkit.telemetry.server, and leave it empty
• toolkit.telemetry.unified = false

Disable Pocket

If we don't use Pocket, or we don't want Firefox's Pocket integration, make the following changes:

• browser.newtabpage.activity-stream.section.highlights.includePocket = false
• extensions.pocket.enabled = false

Disable JavaScript in PDF

While there are legitimate uses for JavaScript in PDF (such as form validation), such uses are not very common. In addition, it could be used for malicious purposes, so it's generally a good idea to disable this feature.

pdfjs.enableScripting = false.

security.ssl.requiresafenegotiation = true

Making these changes will disable insecure SSL ciphers and force safe negotiation:

privacy.trackingprotection.fingerprinting.enabled = true

This option has been available since Firefox version 67, and it blocks fingerprinting.

privacy.trackingprotection.cryptomining.enabled = true

This option has been available since Firefox version 67 and this blocks CryptoMining.

privacy.trackingprotection.enabled = true

This is Mozilla's new built-in tracking protection. One of the benefits is to block tracking (i.e., Google Analytics) on privileged pages that have add-ons that normally do this disabled.

Privileged pages are those web pages that browser developers consider legitimate web pages, on which extensions tasked not to work / whose functionality has been completely stopped.

In Firefox, for example:

• accounts-static.cdn.mozilla.net
• accounts.firefox.com
• addons.cdn.mozilla.net
• addons.mozilla.org
• api.accounts.firefox.com
• content.cdn.mozilla.net
• content.cdn.mozilla.net
• discovery.addons.mozilla.org
• input.mozilla.org
• install.mozilla.org
• oauth.accounts.firefox.com
• profile.accounts.firefox.com
• support.mozilla.org
• sync.services.mozilla.com
• testpilot.firefox.com

browser.send_pings = false

The attribute is useful for websites to keep track of visitor clicks.

browser.urlbar.speculativeConnect.enabled = false

By doing this, we disable the preloading of autocomplete URLs. Firefox preloads URLs that are autocomplete when a user types in the address bar. This is a problem when suggesting URLs that we don't want to connect too.

dom.event.clipboardevents.enabled = false

We disable that websites can receive notifications when we copy, paste or cut something from a website. This will tell you which part of the page has selected.

media.eme.enabled = false

Disables playback of DRM-controlled HTML5 content. When this option enabled, the Widevine Content Decryption Module provided by Google Inc. will be downloaded automatically.

media.navigator.enabled = false

Websites can track the microphone and camera status of our device.

network.cookie.cookieBehavior = 1

Disable cookies

• 0 = Accept all cookies by default
• 1 = only accept from the original website (block third-party cookies)
• 2 = Block all cookies by default

network.http.referer.XOriginPolicy = 2

We only send the referer header if the full host names match. (Note: if we notice a significant fraction, we can try 1 with a XOriginTrimmingPolicy optimization below.)

• 0 = send referrer in all cases
• 1 = send referrer to the same eTLD sites
• 2 = only send referrer if full host names match

network.http.referer.XOriginTrimmingPolicy = 2

When we send the referrer across origins, we only send the schema, host, and port in the referer header of cross origins requests.

• 0 = send complete URL in the referrer
• 1 = send URL without query string in referrer
• 2 = Send only the scheme, host, and port in the referrer

webgl.disabled = true

WebGL is a potential security risk.

browser.sessionstore.privacy_level = 2

This setting controls when to save additional information about a session: form, content, scrollbar positions, cookies, and POST data.

• 0 = save additional session data for any site. (Standard from Firefox 4.)
• 1 = save additional session data only for unencrypted (not HTTPS) sites. (Default before Firefox 4.)
• 2 = never save additional session data.

beacon.enabled = false

Disabled sending additional analysis to web servers.

browser.safebrowsing.downloads.remote.enabled = false

Prevents Firefox from sending information about downloaded executables to Google Safe Browsing to see if they should be blocked for security reasons.

We're turning off the Firefox prefetch pages, which we expect to visit next:

Even though prefetching may speed things up a bit, it may connect to servers without user intervention (which can be a privacy issue) and its performance benefits are minimal. Making these changes will disable prefetching:

• network.dns.disablePrefetch = true
• network.dns.disablePrefetchFromHTTPS = true
• network.predictor.enabled = false
• network.predictor.enable-prefetch = false
• network.prefetch-next = false

network.IDNshowpunycode = true

Unless we render IDNs as punycode equivalent, we are open to phishing attacks, which are very difficult to detect.

extensions.pocket.enabled = false

This deactivates the Pocket Service.

identity.fxaccounts.enabled = false

We will disable the Firefox Sync Service. I will introduce you to better alternatives. We could also use a self-hosted sync server—the code is available on
GitHub. But the service is currently still using outdated Python 2.7 code, and the service has ported to Rust meanwhile. And the other problem is that the self-hosted service does not currently work with mobile Firefox.

identity.fxaccounts.toolbar.enabled = false

We're removing the Firefox Accounts icon from the toolbar.

disable WebRTC

WebRTC can potentially expose your real IP address, changing the following disables it

We can change the following value to be sure that every WebRTC-related are really disabled.

• media.peerconnection.turn.disable = true
• media.peerconnection.usedocumenticeservers = false
• media.peerconnection.video.enabled = false
• media.peerconnection.identity.timeout = 1

Hint: This will break any site that uses real-time audio/video communication, which includes almost all real-time chat and conferencing apps.

Add-ons

In this section, I would like to introduce you to a few useful add-ons for Firefox.

uBlock Origin

An efficient blocker: low memory footprint and low CPU load, yet thousands more filters applied than other popular blockers.

xBrowserSync

xBrowserSync synchronizes bookmarks between devices and browsers with end-to-end encryption. Data encrypted and decrypted on the device—nobody but us can read it. No registrationrequired. We just enter a randomly generated ID or QR code on all of our devices. There are different servers available, which can also be self-hosted.

CanvasBlocker

This add-on enables us to prevent websites from identifying us via Javascript APIs. We can choose whether the APIs completely blocked on certain or all pages (this will impair the functionality of some pages) or to fake wrong values for the identification-friendly readout functions.

Chameleon

With this add-on, we falsify our browser profile. It includes some privacy enhancement options.~~~~

LocalCDN

This add-on emulates external frameworks (e.g., jQuery, Bootstrap, AngularJS) and makes them available as a local resource. It prevents unnecessary third-party requests like Google, StackPath, MaxCDN, and more. It contains prepared rules for uBlock Origin / uMatrix.

Redirect AMP to HTML

Automatically redirects all AMP (Accelerated Mobile Page) pages to their regular HTML equivalent.

When we see an AMP page, we are likely seeing a page served directly by Bing or Google that can pull up information about what we're doing on that page. We keep the web decentralized, and we say, “No!” to search engines that want to take control of the web.

AMP pages designed for devices with a small screen and often do not translate well to larger screens. The extension can be especially useful
when we receive links from people who are on their mobile devices while we are on our desktop computer.

AdBlocker for YouTube

This add-on removes all annoying ads from YouTube.

Important functions:

• Removes video and display ads from YouTube
• Loads the YouTube website and videos faster
• Supports both Firefox desktop and mobile (Android)

YouTube NonStop

Tired of seeing the “Video paused. Continue watching?” Confirmation dialog? This extension will automatically click it, so you can listen to your favorite music without interruption.

The add-on works with YouTube and YouTube Music!

Discuss...